Tony Montana
Aug 6, 2005

by FactsAreUseless
Ok I've been doing some reading.

The question is this, Cisco VPN vs MS VPN.

It doesn't look like it's just a question of L2TP vs IPSec anymore, as MS servers also support IPSec. Also, IPSec itself apparently didn't support user authentication in earlier implementations, but that's now been addressed.

I know the Cisco VPN (using the Cisco VPN Client) seems to be more stable and more resilient to dropouts. It supports QoS (for data/voice) and you can do a ton of other things with it, like the RSA security tokens.

I'd like some experienced opinions on this detailing why (technically) the Cisco VPN is superior.


falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Tony Montana posted:

Ok I've been doing some reading.

The question is this, Cisco VPN vs MS VPN.

It doesn't look like it's just a question of L2TP vs IPSec anymore, as MS servers also support IPSec. Also, IPSec itself apparently didn't support user authentication in earlier implementations, but that's now been addressed.

I know the Cisco VPN (using the Cisco VPN Client) seems to be more stable and more resilient to dropouts. It supports QoS (for data/voice) and you can do a ton of other things with it, like the RSA security tokens.

I'd like some experienced opinions on this detailing why (technically) the Cisco VPN is superior.
You could also do sort of a mix of both if you want. You could use the built-in PPTP VPN client stuff in Windows to authenticate to a Cisco router (maybe ASA?) without having to install 3rd-party software in Windows. My only experience with an MS VPN (which I'm considering PPTP) is that it uses only Windows authentication. Cisco uses a preshared key and can also authenticate to AD as well, so it may be *slightly* more secure unless a laptop is stolen.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Not sure about MS IPsec VPN these days, but hands down the best feature in Cisco IPsec VPN over things like PPTP is split tunneling. Unless you require it for some security reason I don't see any reason why you'd want to tunnel a user's internet traffic (youtube/google/porn) over your own bandwidth twice when you could just set up a split tunnel so all that just uses their local internet connection.

Tony Montana
Aug 6, 2005

by FactsAreUseless

ragzilla posted:

Not sure about MS IPsec VPN these days, but hands down the best feature in Cisco IPsec VPN over things like PPTP is split tunneling. Unless you require it for some security reason I don't see any reason why you'd want to tunnel a user's internet traffic (youtube/google/porn) over your own bandwidth twice when you could just set up a split tunnel so all that just uses their local internet connection.

Yep, that works so well that I'll forget to disconnect a Cisco VPN because everything besides the VPN works just as if it wasn't connected.

What is the difference between split tunneling and unchecking the 'Use default gateway on remote network' option under Advanced TCP/IP on a MS VPN connection?

If you don't know what I mean, this is old but it still applies to the new OSs: http://www.noc.ucf.edu/VPN/default_gw.htm

ragzilla
Sep 9, 2005
don't ask me, i only work here


Tony Montana posted:

Yep, that works so well that I'll forget to disconnect a Cisco VPN because everything besides the VPN works just as if it wasn't connected.

What is the difference between split tunneling and unchecking the 'Use default gateway on remote network' option under Advanced TCP/IP on a MS VPN connection?

If you don't know what I mean, this is old but it still applies to the new OSs: http://www.noc.ucf.edu/VPN/default_gw.htm

As far as I recall, unchecking 'use default gw' will only tunnel traffic for the specific network and mask assigned on the VPN connection. Split tunneling lets you push complex policies of networks you want tunneled per user (this is probably more useful for organizations that have multiple VLANs etc. that they need to grant access to). If all you need to do is get them in the same network as your citrix/exchange/$application boxes, a PPTP VPN with 'use default gw' unchecked is probably fine.

Tony Montana
Aug 6, 2005

by FactsAreUseless

ragzilla posted:

As far as I recall, unchecking 'use default gw' will only tunnel traffic for the specific network and mask assigned on the VPN connection. Split tunneling lets you push complex policies of networks you want tunneled per user (this is probably more useful for organizations that have multiple VLANs etc. that they need to grant access to). If all you need to do is get them in the same network as your citrix/exchange/$application boxes, a PPTP VPN with 'use default gw' unchecked is probably fine.

Well, I've got voice and data VLANs. Hrm, so if I uncheck 'use default' to get both my VLANs working, then when mr. enduser launches his bittorrent client they'll feel it back at HQ. That's not so good..
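To make the three client-side behaviours discussed in the last few posts concrete, here is an added example (mine, not anything posted in the thread or shipped by Cisco or Microsoft). It models the routing decision a client makes under each policy, following ragzilla's description: 'use default gateway' checked sends everything through the tunnel; unchecked sends only the network/mask assigned to the VPN adapter; a Cisco split tunnel sends whatever network list the concentrator pushes. The subnets (a data VLAN the PPTP pool hands addresses from, and a separate voice VLAN) are constructed to match the two-VLAN situation above.

```shell
#!/bin/sh
# Added example, not from the thread: a small routing-decision model for the
# three client-side VPN policies discussed above. All subnets are constructed.

# ip_to_int 10.1.10.5 -> 32-bit integer form of a dotted-quad address
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <addr> <net/len>: succeeds when addr falls inside the prefix
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Constructed lab addressing: the PPTP pool hands out an address in the data
# VLAN; the voice VLAN is a separate subnet that only a pushed policy covers.
VPN_ASSIGNED="10.1.10.0/24"
SPLIT_NETWORKS="10.1.10.0/24 10.1.20.0/24"

# route_decision <policy> <destination> -> prints "tunnel" or "local"
#   full      'Use default gateway on remote network' checked: everything tunnels
#   assigned  box unchecked: only the network/mask assigned to the adapter tunnels
#   split     Cisco split tunnel: the pushed network list tunnels, the rest stays local
route_decision() {
    policy=$1
    dst=$2
    case $policy in
        full)
            echo tunnel ;;
        assigned)
            if in_cidr "$dst" "$VPN_ASSIGNED"; then echo tunnel; else echo local; fi ;;
        split)
            for n in $SPLIT_NETWORKS; do
                if in_cidr "$dst" "$n"; then echo tunnel; return 0; fi
            done
            echo local ;;
        *)
            echo "unknown policy: $policy" >&2; return 1 ;;
    esac
}

# Demo: a data VLAN host, a voice VLAN host, and an arbitrary internet address
for dst in 10.1.10.5 10.1.20.7 203.0.113.9; do
    for policy in full assigned split; do
        printf '%-9s %-12s -> %s\n' "$policy" "$dst" "$(route_decision "$policy" "$dst")"
    done
done
```

Running it shows the trade-off in one table: with the box unchecked the voice VLAN host (10.1.20.7) goes out the local interface and never reaches HQ, with it checked the bittorrent traffic to 203.0.113.9 crosses the tunnel, and only the split policy tunnels both VLANs while leaving the internet address local.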

para
Nov 30, 2006
I picked up an old PIX 501 from my boss and thought I'd throw it in my home network and start playing around with it.

Can anyone recommend any books that would take me from a novice to an intermediate understanding of the PIX/ASA platform?

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
Here is a (hopefully) easy question. I have a server which I have on its own port from our ASA. I have successfully created a NAT rule to forward traffic from an external address to the server. I cannot (due to the suggestion of a regulatory auditor) allow this server to directly talk to anything on our network, so if people inside the network need to access it, I need to direct them to the external IP. It doesn't currently work, and I am guessing it's a simple change to allow this behaviour. Anyone have any ideas?

Wicaeed
Feb 8, 2005
Would there be any glaringly obvious configuration reason I get a rejected PW when trying to SSH into a Cisco 5505 whose Username/PW I JUST set, and after I am connected to the ASDM with said username/pw combo AND logged in to console with the same info?

SSH session from 10.10.8.3 on interface inside for user "*****" disconnected by SSH server, reason: "Rejected by server" (0x0d)
Login denied from 10.10.8.3/53271 to inside:10.10.8.1/ssh for user "*****"
Built inbound TCP connection 154 for inside:10.10.8.3/53271 (10.10.8.3/53271) to NP Identity Ifc:10.10.8.1/22 (10.10.8.1/22)
User authentication succeeded: Uname: *****

Wicaeed fucked around with this message at 23:59 on Aug 8, 2009

BoNNo530
Mar 18, 2002

Wicaeed posted:

Would there be any glaringly obvious configuration reason I get a rejected PW when trying to SSH into a Cisco 5505 whose Username/PW I JUST set, and after I am connected to the ASDM with said username/pw combo AND logged in to console with the same info?

SSH session from 10.10.8.3 on interface inside for user "*****" disconnected by SSH server, reason: "Rejected by server" (0x0d)
Login denied from 10.10.8.3/53271 to inside:10.10.8.1/ssh for user "*****"
Built inbound TCP connection 154 for inside:10.10.8.3/53271 (10.10.8.3/53271) to NP Identity Ifc:10.10.8.1/22 (10.10.8.1/22)
User authentication succeeded: Uname: *****

Put this in global config:

code:
ssh 10.10.8.3 255.255.255.255 inside
Let me know if that works.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Wicaeed posted:

Would there be any glaringly obvious configuration reason I get a rejected PW when trying to SSH into a Cisco 5505 whose Username/PW I JUST set, and after I am connected to the ASDM with said username/pw combo AND logged in to console with the same info?

SSH session from 10.10.8.3 on interface inside for user "*****" disconnected by SSH server, reason: "Rejected by server" (0x0d)
Login denied from 10.10.8.3/53271 to inside:10.10.8.1/ssh for user "*****"
Built inbound TCP connection 154 for inside:10.10.8.3/53271 (10.10.8.3/53271) to NP Identity Ifc:10.10.8.1/22 (10.10.8.1/22)
User authentication succeeded: Uname: *****

You'll also need to add:

code:
aaa authentication ssh console LOCAL

jbusbysack
Sep 6, 2002
i heart syd

BoNNo530 posted:

Put this in global config:

code:
ssh 10.10.8.3 255.255.255.255 inside
Let me know if that works.

He wouldn't be able to present credentials to the device if it wasn't accepting SSH connections on an interface. I'm also in the camp that he's hitting the wrong AAA group, or one does not exist for login yet. There are multiple aaa groups - enable, login, etc. Make sure you configure the relevant ones.

BoNNo530
Mar 18, 2002

jbusbysack posted:

He wouldn't be able to present credentials to the device if it wasn't accepting SSH connections on an interface. I'm also in the camp that he's hitting the wrong AAA group, or one does not exist for login yet. There are multiple aaa groups - enable, login, etc. Make sure you configure the relevant ones.

Sorry, I should have done this in the first place. Here is what I have configured and working:

code:
interface Vlan2
 nameif TESTY
 security-level 0
 ip address 10.1.154.1 255.255.255.0
!
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
!
ssh 10.0.126.219 255.255.255.255 TESTY
!
username admin password SUPER$EKRIT encrypted privilege 15

Yes, they are two different networks. TESTY faces the inside of the LAN and so does the .126 network.

I am able to ssh from 10.0.126.219 and use the admin credentials to log in. I hope this helps.

BoNNo530 fucked around with this message at 04:16 on Aug 10, 2009
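The two settings BoNNo530 and Tremblay gave are easy to check for in a saved configuration rather than by trial and error at the login prompt. The script below is an added example (mine, not from the thread or from Cisco) that audits an ASA config dump for exactly those prerequisites: an `ssh <net> <mask> <iface>` entry whose mask actually covers the client address, an `aaa authentication ssh console` line, and, when that line says LOCAL, at least one `username ... password` entry to authenticate against. The before/after config snippets and addresses are constructed to mirror the situation above; the password hash is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved ASA configuration for what
# an SSH login needs (ssh access entry covering the client, aaa authentication
# ssh console, and a local user when the method is LOCAL). Inputs are constructed.

# asa_ssh_audit <config-file> <client-ip> <interface>: prints findings and
# returns 0 only when nothing is missing
asa_ssh_audit() {
    cfg=$1; client=$2; iface=$3; rc=0

    # Does any 'ssh <net> <mask> <iface>' line cover the client address?
    if ! awk -v c="$client" -v i="$iface" '
        function toint(a,  o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        # prefix length of a dotted mask, e.g. 255.255.255.0 -> 24
        function plen(m,  o, k, n, v) { split(m, o, "."); n = 0
            for (k = 1; k <= 4; k++) { v = o[k]; while (v > 0) { n += v % 2; v = int(v / 2) } }
            return n }
        $1 == "ssh" && NF == 4 && $4 == i {
            p = 2 ^ (32 - plen($3))
            if (int(toint(c) / p) == int(toint($2) / p)) found = 1
        }
        END { exit found ? 0 : 1 }' "$cfg"; then
        echo "MISSING: no 'ssh <net> <mask> $iface' entry covers $client (session is refused before login)"
        rc=1
    fi

    # Is there an authentication source for SSH, and does LOCAL have a user to check?
    method=$(awk '$1 == "aaa" && $2 == "authentication" && $3 == "ssh" && $4 == "console" { print $5 }' "$cfg")
    if [ -z "$method" ]; then
        echo "MISSING: 'aaa authentication ssh console LOCAL' (or a AAA server group) so SSH logins have an authentication source"
        rc=1
    elif [ "$method" = LOCAL ] && ! grep -Eq '^username [^ ]+ password ' "$cfg"; then
        echo "MISSING: LOCAL authentication is set but no 'username ... password' entry exists"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $client can reach SSH on $iface and will be authenticated via $method"
    return "$rc"
}

# write_sample_configs <dir>: constructed before/after snippets, not real device output
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/before.cfg" <<'EOF'
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0
username admin password <hash-placeholder> encrypted privilege 15
ssh 10.10.9.0 255.255.255.0 inside
ssh timeout 5
EOF
    cat > "$1/after.cfg" <<'EOF'
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0
username admin password <hash-placeholder> encrypted privilege 15
aaa authentication ssh console LOCAL
ssh 10.10.8.0 255.255.255.0 inside
ssh timeout 5
EOF
}

# Demo: audit both snippets for a client at 10.10.8.3 on the inside interface
d=$(mktemp -d)
write_sample_configs "$d"
for f in before after; do
    echo "== $f.cfg"
    asa_ssh_audit "$d/$f.cfg" 10.10.8.3 inside
done
```

Point it at a real `show running-config` capture (`asa_ssh_audit running.cfg 10.10.8.3 inside`) and it reports which of the two pieces is absent; the mask arithmetic means a /24 entry is correctly recognised as covering a host inside it, while a host on a different subnet still fails.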

Tony Montana
Aug 6, 2005

by FactsAreUseless
So another little question. I'll start doing my own research into this, but some sage words from people that have been down this road already will probably save me hours with Google.

I explained to management that I heard some smart guys (this thread lol) used scripting, specifically bash scripting to automate tasks with Cisco devices. So I've been given time to look into this, I'd like to start out with what I hope will be a relatively simple project.

I want to write a script that will log into a 800 series router, copy the configuration to a text file or something and then log off. Being able to pass the script a bunch of parameters (like IP addresses of devices to connect to) would be good, particularly if I can keep these variables in a separate text file or something so other admins don't need to alter the script itself to get it working with new devices.

Following points to heed:
1) I have NO experience in bash at all. I used to be a programmer and am quite comfortable with other scripting languages like kix, basic and a bit of vbscript. Is there some good guides that will help me find my feet?
2) Any examples of similar script would help tremendously.
3) Obviously, I don't really know what I'm talking about with this! If I'm barking up the wrong tree and you've got a better way to do this, let me know!
4) I don't really use linux at all, I'm more comfortable in Windows. If bash is still the awesome way to go about this, I guess I could run a linux virtual machine on my windows box or maybe install some Windows-based installable giving me bash access from my tard-box. Otherwise, what Windows-based scripting languages have guys used to do cool Cisco automation stuff?

ElCondemn
Aug 7, 2005


Tony Montana posted:

So another little question. I'll start doing my own research into this, but some sage words from people that have been down this road already will probably save me hours with Google.

I explained to management that I heard some smart guys (this thread lol) used scripting, specifically bash scripting to automate tasks with Cisco devices. So I've been given time to look into this, I'd like to start out with what I hope will be a relatively simple project.

I want to write a script that will log into a 800 series router, copy the configuration to a text file or something and then log off. Being able to pass the script a bunch of parameters (like IP addresses of devices to connect to) would be good, particularly if I can keep these variables in a separate text file or something so other admins don't need to alter the script itself to get it working with new devices.

Following points to heed:
1) I have NO experience in bash at all. I used to be a programmer and am quite comfortable with other scripting languages like kix, basic and a bit of vbscript. Is there some good guides that will help me find my feet?
2) Any examples of similar script would help tremendously.
3) Obviously, I don't really know what I'm talking about with this! If I'm barking up the wrong tree and you've got a better way to do this, let me know!
4) I don't really use linux at all, I'm more comfortable in Windows. If bash is still the awesome way to go about this, I guess I could run a linux virtual machine on my windows box or maybe install some Windows-based installable giving me bash access from my tard-box. Otherwise, what Windows-based scripting languages have guys used to do cool Cisco automation stuff?

Use RANCID if you want to save and version your running config.

Tony Montana
Aug 6, 2005

by FactsAreUseless

Steve Slavery posted:

Use RANCID if you want to save and version your running config.

RANCID doesn't run in Windows. Maybe neither does bash, but I'd like to be able to write customized stuff anyway.

Well, http://win-bash.sourceforge.net/ answers one question..

inignot
Sep 1, 2003

WWBCD?
:ughh:

Just set up a linux box and install rancid.

I've used tcl (on linux) for some minimalist scripting. Mostly just editing stuff I created with autoexpect.

Here's some scripts other people have put together:
http://cosi-nms.sourceforge.net/alpha-progs.html

Also, pro tip, figure out how to do something before you proactively propose it.

Tony Montana
Aug 6, 2005

by FactsAreUseless

inignot posted:

:ughh:

Just set up a linux box and install rancid.

I've used tcl (on linux) for some minimalist scripting. Mostly just editing stuff I created with autoexpect.

Here's some scripts other people have put together:
http://cosi-nms.sourceforge.net/alpha-progs.html

Also, pro tip, figure out how to do something before you proactively propose it.

Thanks, I'll take a look at the scripts you posted.

I proposed looking into how this idea might work. I don't have to produce any results, it's a research project. Being in work time means I don't have to do it in my own, it's cool to get paid for stuff like that. :D

edit: that link is great!

Tony Montana fucked around with this message at 14:10 on Aug 10, 2009

ElCondemn
Aug 7, 2005


Tony Montana posted:

RANCID doesn't run in Windows. Maybe neither does bash, but I'd like to be able to write customized stuff anyway.

Well, http://win-bash.sourceforge.net/ answers one question..

In one environment I worked with, we used to use perl to manage and monitor our switches; you can use Net::ssh::Perl, it's pretty drat easy. There is also Net::Telnet::Cisco, which I think you can use with SSH but it's not "built in"; I think the idea is that you spawn SSH and you direct your I/O to the SSH tty.

Perl works just fine under windows too.
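For the config-backup project asked about a few posts up, here is an added example of the shell version (mine, not RANCID, not anything from the thread, and not a Cisco tool). It reads a device list from a plain text file so other admins can add routers without touching the script, pulls `show running-config` over SSH, and only keeps the output if it looks like a config. It assumes an OpenSSH client with key-based login already set up on the routers; the `SSH_CMD` variable is a hook of mine that lets the script be exercised against a stub instead of a real device, which is what the bottom of the block does when run with no arguments.

```shell
#!/bin/sh
# Added example, not from the thread: pull 'show running-config' from each
# router listed in a text file and save it to a timestamped file. Assumes an
# OpenSSH client and key-based login to the routers; SSH_CMD can be pointed at
# a stub so the script logic can be exercised without any device (done below).

SSH_CMD=${SSH_CMD:-ssh}
BACKUP_DIR=${BACKUP_DIR:-./config-backups}

# read_device_list <file>: one device per line as "host [user]", blank lines
# and '#' comments ignored; prints "host user", defaulting user to "backup"
read_device_list() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print $1, ($2 == "" ? "backup" : $2) }'
}

# backup_device <host> <user>: save the running config, print the file path
backup_device() {
    host=$1; user=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$BACKUP_DIR/$host-$stamp.cfg"
    mkdir -p "$BACKUP_DIR"
    # 'terminal length 0' turns off IOS paging; the session ends when stdin closes.
    # BatchMode stops ssh from prompting for a password when the key is missing.
    # A config without a hostname line is treated as a failed pull, not saved.
    if printf 'terminal length 0\nshow running-config\nexit\n' \
         | $SSH_CMD -o BatchMode=yes -o ConnectTimeout=10 "$user@$host" > "$out.tmp" 2>/dev/null \
       && grep -q '^hostname ' "$out.tmp"; then
        mv "$out.tmp" "$out"
        echo "$out"
    else
        rm -f "$out.tmp"
        echo "backup of $host failed" >&2
        return 1
    fi
}

# run_backups <file>: back up every listed device, print "saved <path>" per
# success, return 1 if any device failed
run_backups() {
    failed=0
    for entry in $(read_device_list "$1" | tr ' ' ','); do
        host=${entry%,*}; user=${entry#*,}
        if path=$(backup_device "$host" "$user"); then
            echo "saved $path"
        else
            failed=1
        fi
    done
    return "$failed"
}

# fake_ssh: stand-in for ssh that returns a constructed IOS-style config, so
# the flow can be tested offline (run the script with no arguments)
fake_ssh() {
    cat >/dev/null
    printf 'version 12.4\nhostname lab-rtr-01\n!\ninterface FastEthernet0\n ip address 192.0.2.1 255.255.255.0\n!\nend\n'
}

if [ -n "$1" ]; then
    run_backups "$1"
else
    SSH_CMD=fake_ssh
    BACKUP_DIR=$(mktemp -d)
    printf '# constructed device list\n192.0.2.10 admin\n192.0.2.11\n' > "$BACKUP_DIR/devices.txt"
    run_backups "$BACKUP_DIR/devices.txt"
fi
```

Real use is `sh backup.sh devices.txt` from cron; the saved files can then be dropped into any version control system for the diffing RANCID does for you.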

para
Nov 30, 2006
We bought some 3750's recently with the IP BASE software. I have a free guest-level cisco.com account and I noticed the IP SERVICES feature set IOS for the 3750 is freely downloadable on the site (a lot of the other IOS images for routers and such are locked and require a contract agreement to access). If I were to download it and upgrade the switches, how would that affect our smartnet support on those switches? Or is the IOS being free a mistake on cisco's part?

para fucked around with this message at 15:56 on Aug 12, 2009

Tremblay
Oct 8, 2002
More dog whistles than a Petco

para posted:

We bought some 3750's recently with the IP BASE software. I have a free guest-level cisco.com account and I noticed the IP SERVICES feature set IOS for the 3750 is freely downloadable on the site (a lot of the other IOS images for routers and such are locked and require a contract agreement to access). If I were to download it and upgrade the switches, how would that affect our smartnet support on those switches? Or is the IOS being free a mistake on cisco's part?

Are you sure that the smartNet contract isn't linked to your CCO profile? In any case running a valid sw image does not in any way screw up your coverage.

Wyznewski
Oct 17, 2005
DJCOMMIE, CAN YOU PLEASE CONTACT ME VIA AIM? THANKS! -SIGTRAP
(I don't know how to contact you so I'll just use this space)
I have a question about setting up a VPN to do certificate authentication on a PIX506. All the documentation I can find says you have to request a certificate from a third party, or use a Microsoft certificate authority server. Can anyone confirm that? Is there any way to self-sign a certificate on a Linux platform? Thanks.

Reference: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Wyznewski posted:

I have a question about setting up a VPN to do certificate authentication on a PIX506. All the documentation I can find says you have to request a certificate from a third party, or use a Microsoft certificate authority server. Can anyone confirm that? Is there any way to self-sign a certificate on a Linux platform? Thanks.

Reference: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
Openssl, available on almost any platform, can do this. You create your own CA then you can issue client certs, all self signed as in those documents. this page has the raw commands you need. I'm not sure where the 'CA.sh' file would be on your system, or if it would be there at all. There are also a few open projects to manage your own CA using openssl and fewer commands. If you only need a few certs, it's probably easy enough to just do from the CLI.
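The openssl route falz describes, as an added example (mine, not from the thread and not the `CA.sh` script or the Cisco document): create a private CA, generate a client key and CSR, sign it as an end-entity certificate, and verify the chain. Everything is done with plain openssl commands and two tiny config files, so it runs on any Linux box; all names are constructed, key size and hash are my choices, and the step of importing the result into the PIX is left to the linked Cisco document.

```shell
#!/bin/sh
# Added example, not from the thread: stand up a private CA and issue one
# client certificate with only the openssl CLI. Every name is constructed;
# importing the result into the PIX is covered by the Cisco document above.

# make_lab_pki <dir>: creates ca.key/ca.crt and client.key/client.csr/client.crt
make_lab_pki() {
    dir=$1
    mkdir -p "$dir" || return 1

    # req needs a distinguished_name section; the CA cert gets CA:TRUE and
    # keyCertSign so relying parties will accept it as an issuer.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Lab VPN CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. self-signed CA key and certificate (5 years, RSA-2048, SHA-256)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/ca.key"

    # 2. client key and CSR: this is what a VPN user would hand to the CA
    cat > "$dir/client.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = vpn-user1
O = Lab
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/client.cnf" -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1 || return 1

    # 3. the CA signs the CSR as an end-entity cert: CA:FALSE and clientAuth,
    #    so the certificate can neither issue certs nor pose as a server
    cat > "$dir/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" \
        -out "$dir/client.crt" >/dev/null 2>&1
}

# verify_client_cert <dir>: the chain check a relying party performs
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt"
}

# Demo: build the PKI in the directory given (or a temp one) and show the result
pki=${1:-$(mktemp -d)}
if make_lab_pki "$pki"; then
    openssl x509 -in "$pki/client.crt" -noout -subject -issuer -dates
    verify_client_cert "$pki"
fi
```

Keep `ca.key` off the firewall and off shared storage; only `ca.crt` needs to be distributed, and a client cert signed by any other CA will fail the `openssl verify` step, which is the property the VPN relies on.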

para
Nov 30, 2006

Tremblay posted:

Are you sure that the smartNet contract isn't linked to your CCO profile? In any case running a valid sw image does not in any way screw up your coverage.
It's not part of our CCO, nope. I just thought it was weird that I (and presumably anyone, since I have guest-level access) can download the 3750G IP SERVICES IOS free when cisco.com has a part number for it and it can be purchased on CD for ~$2500. There must be some kind of downside to that or everyone would do that instead of buying the switch with the upgraded IOS to begin with.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
When you purchase a device, you pick the IOS you want to run, ipbase, ipbasek9, etc and pay for the different levels of IOS and the services they offer per your purchase agreement.

Will this affect support when you call TAC? No, but it could bite you in the rear end when Cisco does finally lock down CCO logins to only allow downloads of IOS that were purchased or upgraded. It has started to go this way already, with some CCO accounts not being able to get to PIX / ASA software without one under their contract number.

ate shit on live tv
Feb 15, 2004

by Azathoth
To expand on the CCO/Contract thing. All you are doing is taking a risk. Right now 99/100 TAC engineers won't check and won't care. But if you run into a particularly troubling bug then rather than resolve it, TAC might just say you don't have a valid support contract and refuse to help you.

Also as Cisco is redoing their licensing, you might see that you will be unable to upgrade to future advanced ip services releases.

Besides that, unless there is something that you actually need to do (advanced routing, extended ACLs, Metro-E, MPLS, etc.) there is no advantage to running the full IOS anyway.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Besides that, unless there is something that you actually need to do (advanced routing, extended ACLs, Metro-E, MPLS, etc.) there is no advantage to running the full IOS anyway.

IPv6 :argh: (move that into IP Services please)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

ragzilla posted:

IPv6 :argh: (move that into IP Services please)

I thought we did?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Tremblay posted:

I thought we did?

IP Services vs. Adv IP Services on 7600

I wish. :)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

ragzilla posted:

IP Services vs. Adv IP Services on 7600

I wish. :)

Looks like it's in base images for switches (I checked 3560E and Cat6k/Sup720). Routers not so much. Hey, I was half right :D

ragzilla
Sep 9, 2005
don't ask me, i only work here


Tremblay posted:

Looks like it's in base images for switches (I checked 3560E and Cat6k/Sup720). Routers not so much. Hey, I was half right :D

Goddamn, 7600 BU fucks us again.

jwh
Jun 12, 2002

ragzilla posted:

Goddamn, 7600 BU fucks us again.

I bet you're glad you hitched your wagon to that star.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

ragzilla posted:

Goddamn, 7600 BU fucks us again.

That might change later on (this is complete speculation). Now that the trains are maturing there are quite a few people who've called asking if we can help them out with running SR code on 6k.

ate shit on live tv
Feb 15, 2004

by Azathoth

ragzilla posted:

IPv6 :argh: (move that into IP Services please)

HAHA. Oh goddamn, forgot about that.

Cisco leading the IPv6 revolution, for just $2500/unit.

Tony Montana
Aug 6, 2005

by FactsAreUseless
On the SmartNet contracts thing, I've got a couple of serial numbers from devices that have valid contracts and I've been logging TAC cases for all sorts of random Cisco poo poo with them and the TAC seems not to care.

Even if the serial is from a router and I log the case about a voice gateway or something, no-one minds. Maybe one day I'll get a knock on my door, I'll open it and a guy in black sunglasses will ask 'are you Tony Montana?' and when I say yes he'll shoot me.

Tony Montana fucked around with this message at 06:49 on Aug 13, 2009

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Tony Montana posted:

On the SmartNet contracts thing, I've got a couple of serial numbers from devices that have valid contracts and I've been logging TAC cases for all sorts of random Cisco poo poo with them and the TAC seems not to care.

Even if the serial is from a router and I log the case about a voice gateway or something, no-one minds. Maybe one day I'll get a knock on my door, I'll open it and a guy in black sunglasses will ask 'are you Tony Montana?' and when I say yes he'll shoot me.

Generally speaking actual engineers don't give a poo poo. The assumption is that if you have a case, and it made it to my desk you are entitled. The only time that will bite you is RMA. This is likely to change though.

karttoon
Apr 11, 2006
-?-

Tony Montana posted:

On the SmartNet contracts thing, I've got a couple of serial numbers from devices that have valid contracts and I've been logging TAC cases for all sorts of random Cisco poo poo with them and the TAC seems not to care.

Even if the serial is from a router and I log the case about a voice gateway or something, no-one minds. Maybe one day I'll get a knock on my door, I'll open it and a guy in black sunglasses will ask 'are you Tony Montana?' and when I say yes he'll shoot me.

We have about 8 different SmartNet contracts and thousands of devices spread over them. I don't think I've ever been able to find the actual device I'm opening a TAC case for so typically do the same thing and just pick random poo poo to get the ball rolling.

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread
Is it possible for me to pull a list of wireless clients associated to a Cisco 1130AG standalone access point? A list of MAC addresses would be super, from the web interface or the console.

tortilla_chip
Jun 13, 2007

k-partite
sh dot11 associations

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread
sweet, thanks
