Comments for 6200networks.com

Comment on New Cisco Certification Logo’s? by etherealmind

etherealmind — Tue, 26 Aug 2008 11:08:13 +0000

I also agree. I won’t be proud of putting that on my resume or web site.

Urh, what are they thinking ?

Comment on New Cisco Certification Logo’s? by Stephen Riddle

Stephen Riddle — Tue, 26 Aug 2008 10:34:54 +0000

I’m no fan of the new logos either. Looks like Cisco may be altering the professional level designations in the near future…

Comment on New Cisco Certification Logo’s? by Joe Harris

Joe Harris — Tue, 26 Aug 2008 01:07:14 +0000

I’m afraid so and I’m no fan of them either

Comment on New Cisco Certification Logo’s? by CN7

CN7 — Tue, 26 Aug 2008 00:36:35 +0000

is CSCO serious with this? these logos are disgustingly ugly..the current logos are just fine.. why does everyone have to go and ruin a good thing!

Comment on iPhone to ISR by Mark Kohlmann

Mark Kohlmann — Thu, 21 Aug 2008 02:55:29 +0000

Modified configuration that works on a 2811 running 12.4(20)T using the Virtual-Template Interface and a split-tunnel. Fa0/0 is the nat outside interface. I had trouble getting reverse-route injection to work but this method is working perfectly.

See Apple’s Enterprise Deployement Guide for more detailed information on iPhone supported features.

Minimal configuration:

aaa new-model
!
aaa authentication login iphone_vpn_xauth local
aaa authorization network iphone_vpn_xauth local
!
username iPhone secret 5 ****
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group iPhone
key *********
dns 172.16.100.1
pool POOL_VPN
acl ACL_iPhoneVPN
crypto isakmp profile iPhone-isakmp-profile
match identity group iPhone
client authentication list iphone_vpn_xauth
isakmp authorization list iphone_vpn_xauth
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set iphone-transform esp-3des esp-sha-hmac
!
crypto ipsec profile iPhone-vti1
set transform-set iphone-transform
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile iPhone-vti1
!
ip local pool POOL_VPN 172.16.100.90 172.16.100.99
!
ip access-list extended ACL_iPhoneVPN
permit ip 172.16.96.0 0.0.15.255 any

Enjoy!
Mark

Comment on Cisco Power Calculator Addition by Olivier Cahagne

Olivier Cahagne — Wed, 20 Aug 2008 13:23:48 +0000

Thanks, good to know ! I hope they can add 802.11n APs soon.

Comment on ASA Regular Expressions Files by Wayne Fleenor

Wayne Fleenor — Wed, 20 Aug 2008 12:47:42 +0000

This is a GREAT list of RegEx for the ASA, thank you.
With a PCI audit around the corner I have the following question: do you have a Regex list for SSN and Credit Card Numbers?
I have found some expression that include the correct ranges for SSN and major vendors (AMEX, V\MC). But the format must be differnet for the ASA and Cisco IPS because they don’t seem to work, thanks again

Comment on SSLVPN Vulnerabilities: Client Certificates offer a superior defense over OTP devices by JVH

JVH — Tue, 19 Aug 2008 02:24:33 +0000

Wow. All that work just to eliminate a DNS problem. Why not simply instruct users to type https:// and eliminate ALL potential DNS issues with an SSL VPN and skip the PKI deployment?

Comment on EoL/EoS Announcement by Ramoonus

Ramoonus — Mon, 18 Aug 2008 12:10:24 +0000

bugger, there goes support for my 3620

Comment on Using a Customized HTTP Interface for Router Management by Ramoonus

Ramoonus — Mon, 18 Aug 2008 12:07:43 +0000

thank you very much Joe!

Comment on Cisco Network Assistant 5.4 on CCO by Ian

Ian — Fri, 15 Aug 2008 19:17:15 +0000

Hi Joe,

If this is the last planned major version release do you know what Cisco intend to replace it with (if anything)?

It’s a handy little tool for upgrading devices I find although I prefer using CiscoWork LMS for production devices.

Thanks,

Ian

Comment on Using a Customized HTTP Interface for Router Management by Joe Harris

Joe Harris — Thu, 14 Aug 2008 14:40:36 +0000

Hi Ramoonus…Thankfully I had it saved….You can download it from here: http://6200networks.com/wp-content/uploads/docs/command_center.zip

Comment on Using a Customized HTTP Interface for Router Management by Ramoonus

Ramoonus — Thu, 14 Aug 2008 11:38:31 +0000

the downloadlink on the Cisco page isnt working

Comment on Run VMWare as a service by David

David — Wed, 13 Aug 2008 15:37:37 +0000

Can’t get this working with VMWare Player… Should I be able to?

Seems like the service starts fine but fails to start the VM. vmplayer.exe -x path\to\vm.vmx works from a command line but not from the service…

Any ideas?

Comment on 8.0.4 Feature: Persistent IPsec Tunneled Flows by René Jorissen

René Jorissen — Wed, 13 Aug 2008 14:37:45 +0000

Hey Joe,

Great post, I haven’t looked at the specs for release 8.0(4). But this new feature sounds great, and I will definitely use it in unstable environments.

Do you have any experience with the feature, when looking at the performance when maintaining the connection state?? I guess the state are stored in memory…

Comment on 8.0.4 ASA Code has posted to CCO by Shiling Ding

Shiling Ding — Tue, 12 Aug 2008 20:22:15 +0000

I liked the dynamic access policy featured added in 8.0. It could be used for granular group or user based control. I intend to have many DAP for group locking and network ACL control. Is there any limit on how many DAPR we could have? How about the extensive network ACL performance effect? I remembered that all ACL in ASA are done in software compared with FWSM done in hardware on cisconetworkers, is my memory right? How many ACE could ASA handle?

Also in lua, how to match something like string.find(asa.ldap.grouplist != “null”), basically, how to check one attribute value is not empty?

Thanks.

Comment on 8.0.4 Feature: Persistent IPsec Tunneled Flows by Joe Harris

Joe Harris — Tue, 12 Aug 2008 19:50:01 +0000

Barry, apart from what I documented here, the only other info related to the command can be found here: http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1361648

Comment on 8.0.4 Feature: Persistent IPsec Tunneled Flows by Barry

Barry — Tue, 12 Aug 2008 18:34:32 +0000

Joe,

Thanks, this may resolve a month-long issue I’ve been experiencing with TCP/UDP traffic across a tunnel from a 2821 router to an ASA 5520.

Do you have any more info or documentation for the ’sysopt connection preserve-vpn-flows’ command?

Comment on 8.0.4 ASA Code has posted to CCO by Joe Harris

Joe Harris — Tue, 12 Aug 2008 13:17:03 +0000

Unfortunately the ASA’s roadmap is not publicly available.

Comment on 8.0.4 ASA Code has posted to CCO by Lalufu

Lalufu — Tue, 12 Aug 2008 13:09:11 +0000

Is there a public roadmap for future features in the ASA code?

Comment on iPhone to ISR by Ronald Johns

Ronald Johns — Sun, 10 Aug 2008 20:45:15 +0000

dope! That’s what the CCO doc was about - my bad…

Comment on iPhone to ISR by Ronald Johns

Ronald Johns — Sun, 10 Aug 2008 20:43:59 +0000

I can confirm it works with ASA 8.0(3)…

Comment on New Undocumented 12.4(20)T Feature by Joe Harris

Joe Harris — Sun, 10 Aug 2008 15:05:07 +0000

That’s the correct behavior, this is only available for the onboard built-in interfaces, not for the NM or WIC based interfaces.

Comment on iPhone to ISR by Dave B

Dave B — Sat, 09 Aug 2008 21:02:14 +0000

I can confirm that it works with a VPN 3060 Concentrator as well.

Comment on iPhone to ISR by Brad Hedlund

Brad Hedlund — Sat, 09 Aug 2008 20:31:16 +0000

Joe,
One of my customers is running iPhones on Cisco IOS in production. I was not aware this is not TAC supported. Thanks for the heads up. Seems odd that TAC would not support this. After all, the VPN client on iPhone is not much different than the standard Cisco VPN client for a PC/Laptop.

Brad

Comment on New Undocumented 12.4(20)T Feature by test

test — Sat, 09 Aug 2008 14:09:42 +0000

fyi
working for Gi intrefaces:
C3845 Mother board 1GE(TX,SFP),1GE(TX) and
NM-1GE Port adapter;
Unfortunately, it is not working for
NM-2FE2W_V2 Port adapter.

12.4(20+)T

Comment on iPhone to ISR by Joe H

Joe H — Thu, 07 Aug 2008 15:15:37 +0000

I’ve tested it on the VPN 3005 Concentrator and it works as well.

Comment on ASA 5505 Rack Mount by fshields

fshields — Wed, 06 Aug 2008 20:27:21 +0000

It looks like Cisco has removed it from their website. Not even a global search turns up this product. In the meantime, many vendors have begun listing it with an out-of-stock notice. The retail price is $350!!! Although it is usually discounted to a bargain price of $250

Instead, you should consider a third-party choice for mounting your ASA 5505. Check out this solution (http://www.cablesandkits.com/cisco-asa5505-rack-mount-kit-p-1415.html) and CablesAndKits for a much more affordable $69.95.

Comment on Block IM Traffic on ASA by Joe Harris

Joe Harris — Wed, 06 Aug 2008 18:18:11 +0000

JB,

Google Talk uses tcp/5222. You could apply the following and it should work:

access-list inside_access_in deny tcp any any eq 5222
access-list inside_access_in permit ip any any
access-group inside_access_in interface outside

But you cannot today use AIC to block it only ACL.

Comment on Apple’s iPhone 2.0 to Integrate Cisco VPN Client by Joe Harris

Joe Harris — Wed, 06 Aug 2008 17:59:51 +0000

Mike I’m not sure what your config’s look like but I’ve yet to have a single incident when configuration of the ASA is correct…You are correct about the support on the router side but that’s not say that it doesn’t work … see this post http://6200networks.com/2008/08/05/iphone-to-isr/

Comment on Apple’s iPhone 2.0 to Integrate Cisco VPN Client by Mike Sros

Mike Sros — Wed, 06 Aug 2008 17:48:14 +0000

The Cisco VPN client feature does not work for a majority of setups on the iPhone v2.0.1. It is terrible. None of the Cisco routers (IOS) are supported. Only newer versions of the PIX/ASA software (on certain models nonetheless) are supported. And a limited set of other devices/versions as well. This feature is not ready!

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by JackB

JackB — Wed, 06 Aug 2008 15:40:58 +0000

One comment regards to Juniper NS 5200 and 5400 performance. Claiming something on the datasheets and being able to achieve those numbers are two different things. Also look at the connection per second (CPS) numbers. Good Lord! Even at the datasheet numbers ASA 5580 still has 5 times higher connection setup rate
30K CPS (NS 5200/5400) vs. 150K CPS. Not to mention that the Miercom test showed a significantly higher CPS #s (182K cps vs. 14K). In an environment where connections are short-lived (web?), 14K cps just won’t cut it.

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by John D

John D — Wed, 06 Aug 2008 04:37:01 +0000

http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/netscreen_5200_slash_netscreen_5400/

Here are Juniper’s two competing offerings… The 5200 is supposed to do 10gbps, and the 5400 is supposed to do 30gbps. I would base any throughput findings on a YMMV test, performed with your specific traffic flows.

Cisco *has* impressed me in every way, especially with advertised performance. I used Netscreens for years, since the PIX was getting a little long in the tooth. I would never go back now, especially since there’s finally a standalone ASA that can do more than the meh ~ 1gbps mark. If you use Catalysts, the ACE module also offers amazing in-chassis firewall performance. A large content provider I used to work for is deploying standalone ASA 5580 firewalls (20gbps sites), but I would definitely put the ACE module on my shortlist for any similar deployment.

The ACE modules are 16gbps throughput ea., with up to 4 modules per chassis, and also do load balancing. I knew plenty of people that killed the FWSMs, but I haven’t spoken with anyone that has tapped out an ACE-based chassis.

Comment on Block IM Traffic on ASA by JB

JB — Wed, 06 Aug 2008 04:26:45 +0000

Is there a regular expression or anothe mechaism for blocking Google Talk; without actually blocking access to the Google website?

Comment on ASA - Configure LDAP Authentication for Users by Shiling Ding

Shiling Ding — Tue, 05 Aug 2008 03:26:01 +0000

Hi Joe,

I am interested in Simon’s idea too.

For IPSec RA VPN,
If I have group = group1, group = group2 in ldap, users with these group attributes can connect with group1 profile or group2 profile, but not group3 profile. This will in some way make the group password less “secret” since we can control who can access which profile in LDAP.

If we can accomplish what Simon was interested in. Which profile the anyconnect on the homepage will be using? Is there any way to specify which tunnel-group the web vpn anyconnect will connect to? Will the similar trick for IPSec VPN be able to used on webvpn anyconnect?

Thanks.

Shiling

Comment on Tool: Iperf by triegert

triegert — Mon, 04 Aug 2008 14:04:42 +0000

Not related to throughput testing, but nfdump is a really good netflow tool. We have used it to help create firewall rules for our server networks by querying netflow data with tcpdump-like expressions. Nfsen is a GUI for nfdump for those interested.

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by Ian

Ian — Fri, 01 Aug 2008 18:52:05 +0000

I think Cisco products are excellent and the ASA has really taken their firewall product to the next level but I’m a bit sceptical at how much it’s hammered Checkpoint/Nokia by. Also, Checkpoints management GUI is far better than ASDM in my opinion and I have plenty experience with both. For starters you can’t drag and drop objects in ASDM, aquire an exclusive lock while configuring which causes problems when you have multiple administrators not to mention the fact that the Java front end eats your machines resources.

The test also doesn’t compare the vendors at a suitable level from what I can see. The IBM hardware that checkpioint has been run in comes in at around $3k whereas the ASA comes in at approx $40k.

I must say I was suprised to see such low performance from the Nokia/Checkpoint combo however.

Cisco will dominate the security market in ten years I think but they need to continue to evolve their products. ASDM would be a good place to start. I’m not anti-Cisco, quite the opposite actually, but I do think the test conclusion is very biased.

Thanks for the info, it was a good read!

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by Frank

Frank — Fri, 01 Aug 2008 15:17:38 +0000

Well, you cant really compare the Checkpoint management center with ASDM. Checkpoint management needs its own server (ASDM is a small java applet and is more comparable to a CSM+MARS combo thats in my opinion a better solution overall. Its roughly the same price in some installations and the benefit of MARS included for “free”.

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by JVH

JVH — Fri, 01 Aug 2008 13:58:46 +0000

I agree with Plasma. I haven’t used ASDM in a version or two, but I know at that time the Checkpoint interface was much more intuitive to use. IDS/IPS was clearly an afterthought requiring a completely separate interface. Similarly, the log search and filtering functionality in Checkpoint was straightforward whereas ASDM was somewhat more limited. I hope it’s gotten better. Obviously Miercom thinks it has.

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by Joe Harris

Joe Harris — Fri, 01 Aug 2008 12:56:10 +0000

“but for others a lot of improvement is needed.” and what types of improvements would you suggest?

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by Plasma

Plasma — Fri, 01 Aug 2008 12:47:08 +0000

Any time I see a test report that says, management tools for anything cisco are better than the competitors I am suspect. I will admit and agree the admin interfaces are good for a certain range of customers, but for others a lot of improvement is needed.

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by Frank

Frank — Fri, 01 Aug 2008 03:37:49 +0000

Actually, this time they dont have anything that compares. A couple of my larger customers considering the 5580 as a replacement for existing installations has been told by CheckPoint/Nokia to wait until “Christmas/Spring” timeframe before deciding as they will have new products out by then. As Cisco says though, the 5580 is here now, not in a year or so.

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by George Murage

George Murage — Thu, 31 Jul 2008 07:51:30 +0000

i always wonder about the objectivity of Miercom tests. i am pretty sure that Juniper, Checkpoint and Nokia have their own ‘independent tests’ that show that the converse is also true…. which ends up being very confusing..

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by Frank

Frank — Wed, 30 Jul 2008 23:58:17 +0000

Not so well? Use the “model comparisation” @ cisco.com to see how they compare in performance.

Comment on Tool: Iperf by pello

pello — Wed, 30 Jul 2008 17:57:43 +0000

Hi Joe,

How are you ?

Here’s my list which complete input of others:

- tfgen
- netcps
- pcausa test tcp
- openwebload - http testing
- sipp - sip testing
- DPT - dns testing

Francois

Comment on Cisco ASA 5580 beats Check Point, Juniper, and Nokia in 10 Gbps Firewall Bakeoff by Alan

Alan — Wed, 30 Jul 2008 15:51:00 +0000

I wonder how’s the performance for ASA5520 comparing to ASA5580?

Comment on IOS Zone Based Firewall Configuration by Joe Harris

Joe Harris — Wed, 30 Jul 2008 12:50:10 +0000

Hi Rich, no my CCIE SP took over and I just forgot to write the follow up article. I will start writing the follow up in the next day or so and hope to get it posted soon. Thanks for reminding me

Comment on Cisco IOS Auto-Upgrade Manager by Joe Harris

Joe Harris — Tue, 29 Jul 2008 20:38:05 +0000

Hi Mlitka, your correct the documentation is wrong here again however the command reference has the correct URL listed: http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_a1.html#wp1014042

Comment on Cisco IOS Auto-Upgrade Manager by mlitka

mlitka — Tue, 29 Jul 2008 20:28:33 +0000

Just thought I would pass this along. I was labbing this up this afternoon and the ida url referenced in the CCO instructions apparently has changed. I took a stab at the following at it worked:

https://www.cisco.com/cgi-bin/ida/locator/locator.pl

I removed the ‘new-’ in front of ‘ida’.

Comment on Tool: Iperf by Joe Harris

Joe Harris — Tue, 29 Jul 2008 15:54:44 +0000

Guys thank you for the additional tools, when I get a little more free time I will be more than happy to test them out. Please keep the list of tools coming, this only helps us all. Thanks again.

Comment on Tool: Iperf by slwkk

slwkk — Tue, 29 Jul 2008 08:38:49 +0000

There is kernel space packet generator… you should take a look at:

http://www.mjmwired.net/kernel/Documentation/networking/pktgen.txt

in theory this is the most powerful traffic generator for linux… user space tools will always be slower.

Comment on Tool: Iperf by Joe

Joe — Tue, 29 Jul 2008 05:53:47 +0000

Take a look at tcpbench from OpenBSD.

http://www.openbsd.org/cgi-bin/man.cgi?query=tcpbench&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html

Comment on Tool: Iperf by Joe Harris

Joe Harris — Mon, 28 Jul 2008 23:33:55 +0000

Peter my good man, you beat me to the punch!! That was to be my follow-up post … Your right jperf is the nice GUI front-end that really brings it all together.

Comment on Tool: Iperf by Peter

Peter — Mon, 28 Jul 2008 22:55:24 +0000

Check out Jperf on the same sourceforge page - it is a java front end for Iperf and shows a graph of the throughput per second.

Comment on Listening to EIGRP by Josh Horton

Josh Horton — Mon, 28 Jul 2008 20:13:41 +0000

Thanks Joe! That’s a new one for the tool belt.

Comment on IOS Zone Based Firewall Configuration by Rich

Rich — Mon, 28 Jul 2008 15:31:27 +0000

I can’t find the follow-on post mentioned at the end of this post. Did it ever get written?

Comment on 6200networks on your iPhone or iPod Touch by Binh

Binh — Sat, 26 Jul 2008 11:33:11 +0000

Hey Joe ,

Posting from my iPhone. Looks perfectly fine to me.

Binh

Comment on Introduction to Cisco IOS Software Activation and Licensing Workflows by Ferret999

Ferret999 — Fri, 25 Jul 2008 22:08:30 +0000

Cheers for the reply Joe. Would be good if Cisco release some tool out there although I hope release is not to controlled. Some of us work for companies that do not pay for our training so we have to pay for it all off our own back and so if they could bear people in my position in mind if they do decide to release the emulator that would be great.

Comment on New Undocumented 12.4(20)T Feature by Nikolay Shopik

Nikolay Shopik — Fri, 25 Jul 2008 16:15:25 +0000

Pretty interested findings. I wounder about jumbo frames (never used it still though). Its only supported on Gigabit links with routers?

Comment on Introduction to Cisco IOS Software Activation and Licensing Workflows by Joe Harris

Joe Harris — Fri, 25 Jul 2008 14:33:29 +0000

I won’t comment on Dynamips, but we do have an internal tool and it’s my understanding based on some emails I see flying around as of late that we will be releasing this tool to customers and partners alike in the coming months in a controlled manner like via Cisco Academies and such.

Comment on ASA Compatible with EIGRP Version 3 by priyant

priyant — Fri, 25 Jul 2008 09:17:02 +0000

Any good explanation ?? is there BIG difference between ASA and IOS security ? Why to implement Firewall if router can work as Firewall with security IOS

Comment on Introduction to Cisco IOS Software Activation and Licensing Workflows by Ferret999

Ferret999 — Thu, 24 Jul 2008 21:24:22 +0000

Hi Joe,

What does the new license software mean for Dynamips? Also is it true that Cisco has their own internal emulation software?

Comment on Service Interruption by Binh

Binh — Thu, 24 Jul 2008 19:02:35 +0000

Another recommendation for folks out there is to use opendns as DNS servers for now. More details can be found at http://www.opendns.com/.
Just because you are able to get to the proper sites now doesn’t mean that your provider’s DNS servers are NOT vulnerable/patched.

Joe,
Glad that I was browsing through ur site yesterday. Just tried to increase my chance to win your monthly drawing here!

–Binh

Comment on Block IM Traffic on ASA by Joe Harris

Joe Harris — Thu, 24 Jul 2008 18:44:09 +0000

This could be done if you were allowed to match upon a time-based acl inside the class-map or policy-map however this is not allowed for a type inspect map. We have some newer features that are on the radar that will solve this issue so I’ll keep you posted

Comment on Service Interruption by Nikolay Shopik

Nikolay Shopik — Thu, 24 Jul 2008 17:12:51 +0000

Welcome back online!
And this is one of proof concept to inject some malware to users computer!

Comment on Introduction to Cisco IOS Software Activation and Licensing Workflows by Lalufu

Lalufu — Thu, 24 Jul 2008 10:35:37 +0000

I just hope that getting licenses for IOS will be a faster process than getting licenses for PIX/ASA devices (which could take several weeks in my experience, but I may be doing things wrong).

Comment on Introduction to Cisco IOS Software Activation and Licensing Workflows by Tassos

Tassos — Tue, 22 Jul 2008 06:58:17 +0000

Thanks for the explanation Joe.

I understand that Cisco needs to take care of its IOS intellectual rights, but i don’t find all this IOS activation/licensing easy.

“Cisco makes it easier for customers to deploy, manage, and upgrade their Cisco IOS Software assets”.

I still haven’t tried it, but by only reading/watching it, i felt “tired”. For me it doesn’t seem as easy ‘n’ simple as downloading an IOS from CCO and uploading it on a router.

Let’s hope it’s a move to the correct direction and not something that will be abandoned after 2-3 years…having put into bedevilment a lot of customers.

Btw, does the “sh ver” output display somehow the actual activated feature set?

Comment on Tool - Xobni by jelandry

jelandry — Sat, 19 Jul 2008 05:38:10 +0000

Hey Joe,

I love Xobni…been using it for a while now. Have you seen Launchy? http://www.launchy.net/ Between Launchy and Xobni I no longer run Google Desktop or X1.

Comment on Introduction to Cisco IOS Software Activation and Licensing Workflows by Joe Harris

Joe Harris — Sat, 19 Jul 2008 00:28:50 +0000

Tassos that’s a very good question because this could even happen accidentally (more on this in a sec), if the license is not valid it will fall back to the base level which is IP Base. The switch/router will still boot and function but with only IP Base level features.

There is a new command introduced in 12.4(20)T ‘license expand nvram’ command. Now if you use this command what do think will happen if you hit a bug and downgrade code to a version of code that doesn’t support that command? If a user downgrades to a Cisco IOS image that does not support the licenses or the expand nvram command, all licenses stored in NVRAM will be lost. This will happen even if the image stores licenses in NVRAM and thus you would lose your licensed features which could be advanced ip services or whatever because you’ll back down to IP Base code which doesn’t support the feature…Bottom line…keep a copy of the .lic file

Comment on Daily Trivia - 7/16 by Binh Phan

Binh Phan — Fri, 18 Jul 2008 21:27:31 +0000

Hey Joe,

I’ll take a wild guess here.
“ppp loopback ignore”?
Haven’t configured PPP for the longest time now!
–Binh

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Joe Harris

Joe Harris — Fri, 18 Jul 2008 20:17:25 +0000

Nikolay, 12.5(anything) code will be a while before hitting CCO…Please ask your Cisco SE for further details. IOS Release 12.4(15)T will be a long-lived stability release where regularly scheduled software maintenance rebuilds are planned. So the current recommended release for you would be 12.4T up to 12.4(15)T for new features and hardware support. Again ask your SE for further details.

Comment on Apple iPhone VPN to Cisco ASA by Rodney Jackson

Rodney Jackson — Fri, 18 Jul 2008 19:54:58 +0000

I have successfully connected the iPhone to our ASA 5520. The iPhone sync’ with Exchange correctly, however once we connect another iPhone while the other still has a connection then the traffic will only flow in one direction (from the iphone to the ASA). If I disconnect the first iphone then the traffic will start to flow correctly and any iphone I connect afterward will only communicate in one direction.

Comment on Securing Cisco Unified Communications - Free Computer Based Training by Erin

Erin — Thu, 17 Jul 2008 22:14:19 +0000

This course sounds really helpful, but I also suggest using the Cisco learning network while you’re studying for the certifications. It’s got a lot of up-to-date information and general news about the IT industry which is really usefull even for seasoned professionals. The community forum is a relaly great resource, too.
Check it out:
https://cisco.hosted.jivesoftware.com/index.jspa?ciscoHome=true?utm_source=blog+commenting&utm_medium=media&utm_content=Google&utm_campaign=Domestic

Comment on Block IM Traffic on ASA by quocle

quocle — Thu, 17 Jul 2008 17:14:37 +0000

how to block yahoo from 12h to 13h by ASA? thanks!!!!

Comment on Introduction to Cisco IOS Software Activation and Licensing Workflows by Tassos

Tassos — Thu, 17 Jul 2008 15:52:41 +0000

From http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps9677/whitepaper_cisco_sw_license.html

“When the device is first powered on, the Software Activation License is examined by Cisco IOS Software, which activates the appropriate feature sets.”

What will happen if the License is not valid?

Does this mean the end of dynamips?

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Nikolay Shopik

Nikolay Shopik — Thu, 17 Jul 2008 07:14:35 +0000

Thanks Joe, still think its kind unfair for 850 series(introduced in same time as 870). Will wait 12.5M because 12.4(20)T have big amount of bug fixes we are need to.

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Joe Harris

Joe Harris — Wed, 16 Jul 2008 22:52:59 +0000

Nikolay,

The 850’s are in the same boat as the other routers listed in the product bulletin they were just left off the list by accident:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25_466578.html

Comment on ASA - Configure LDAP Authentication for Users by Joe Harris

Joe Harris — Wed, 16 Jul 2008 21:47:55 +0000

Hi Simon,

I recently configured this up for a customer, give me a couple of days to put everything into a post and I will put a sample of how you can get it done. I’m just VERY busy this week for some reason … Joe

Comment on IOS 12.4(20)T Released by Mike M.

Mike M. — Wed, 16 Jul 2008 08:52:27 +0000

What’s even more important, it has CME 7.0 inside

With just released UCM, UPS, CCX 7.0 beta softwate
we can now upgrade our demo labs SW versions to 7.0

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Joe Harris

Joe Harris — Tue, 15 Jul 2008 22:49:06 +0000

Sure you can view it from there, it’s issuing the ’show’ command from the CLI of the ASA…however try and view it from the Configuration -> Remote Access VPN -> Network (Client) Access -> IPSec Connection profiles page and you will be unable to view it or anywhere else a pre-shared key is listed…I even double checked with the ASDM dev group and they confirmed.

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by FCA

FCA — Tue, 15 Jul 2008 21:03:23 +0000

Joe, are you sure?
Try starting ASDM then click Tools, then select Command Line Interface, then type
more system:running-config | include key
then click button labelled Send.
Now you can see preshared keys in ASDM.

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Nikolay Shopik

Nikolay Shopik — Tue, 15 Jul 2008 20:03:59 +0000

strangely 12.4(20)T still unavailable for 850 series.

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Gjeme Markaj

Gjeme Markaj — Tue, 15 Jul 2008 17:50:40 +0000

Thanks for the tips!

Comment on ASA Interim Code by Joe Harris

Joe Harris — Tue, 15 Jul 2008 03:40:58 +0000

You are running into an active and assigned bug. I verified this earlier…The bug was found internally in 8.0(3)15 by one of our ASA TME’s….Please downgrade to 8.0(3) no Interim Release….I have 8.0(3) running on my ASA’s and I tested, no issue.

Comment on ASA - Configure LDAP Authentication for Users by Simon O'Sullivan

Simon O'Sullivan — Tue, 15 Jul 2008 03:40:21 +0000

Hello guys,

I’m new to Cisco ASA.

I have been looking a similar project as you are working on Matt. I have dual redundant ASA 5510’s ver 8.02, and would like to create a SSLVPN with Bookmarks that would be assigned depending on Active Directoy Group membership.

I.E. the user would logon to the ASA SSVPN web site, the ASA would enumerate the AD groups that user belonged to and if the user was a member of the “RDP to server X” group they would get the bookmark for that (and any other bookmarks that matched a relevant group that the user was a member of)

Has anyone had any luck setting up something like this with ASA?

Cheers Simon.

Comment on ASA Interim Code by FCA

FCA — Tue, 15 Jul 2008 01:09:05 +0000

Joe, many thanks for explain.

My ASA5505 do it as follow:
asa# show parser dump all

Mode Name :exec
15 client-update tunnel-group
15 client-update all
0 help enable
0 help login
[then many other items 0 help ]
0 help import
1 no
1 no debug
1 no debug all
[then many other items 1 no debug ]
[then many other items]
15 debug
0 exit
0 quit
0 logout
0 login

and my ssh session is hung then disconnected.

After that when I log in again command show crashinfo gives to me many pages of text like the following fragment:

asa# show crashinfo
: Saved_Crash

Thread Name: ssh (Old pc 0×08a8bacc ebp 0xd51b9ad8)
Page fault: Address not mapped
vector 0×0000000e
edi 0×092adab2
esi 0xd4c59140
ebp 0xd51b9da8
esp 0xd51b9d90
ebx 0xd4c58970
edx 0xd4c4f660
ecx 0×0878ccb0
eax 0×00000000
error code 0×00000004
eip 0×0879e91a
cs 0×00000073
eflags 0×00013292
CR2 0×00000004

Cisco Adaptive Security Appliance Software Version 8.0(3)19

Compiled on Mon 16-Jun-08 12:38 by builders
Hardware: ASA5505
Crashinfo collected on 02:53:05.494 CEST Tue Jul 15 2008

Traceback:
0: 0805876e
1: 0805a4a9
2: 0892a4e9
3: dd7a76d5
4: dd6a61e0
5: 087a11b3
6: 08789136
7: 0878a0a3
8: 080acff0
9: 080ae24e
10: 080aece9
11: 0805e943
Stack dump: base:0xd51b9ca8 size:1168, active:1168

I presumed that this behaviour is reserved for crashinfo force page-fault. Is this then fault on my hardware?

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Joe Harris

Joe Harris — Mon, 14 Jul 2008 23:28:05 +0000

True, but keep in mind there is no way to see them from the ASDM interface which I think is his issue.

Comment on ASA Interim Code by Joe Harris

Joe Harris — Mon, 14 Jul 2008 23:12:29 +0000

Are you sure because they are very much different…The show parser dump all command is explained here:

http://6200networks.com/2007/11/01/how-to-determine-all-available-commands-available-on-the-asa/

and the crashinfo force page-fault command actually causes the box to forces a crash of the box as a result of a page fault. Here’s the example of the two from my box:

CCIE6200-ASA# sh parser dump all

Mode Name :exec
15 client-update tunnel-group
15 client-update all
0 help enable

….

CCIE6200-ASA# crashinfo force page-fault
WARNING: This command will force a crash and cause a
reboot. Do you wish to proceed? [confirm]:
CCIE6200-ASA#

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by David

David — Mon, 14 Jul 2008 22:49:59 +0000

Gjeme, you can do a ‘more system:running-config’, this will display the passwords in clear text.

David

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Joe Harris

Joe Harris — Mon, 14 Jul 2008 22:41:17 +0000

Gjeme,

You will not be able to view the keys from the within the ASDM application. You can copy the running config to a TFTP server using “write net” and parse through it to get the pre-shared keys or you can access https://IP Address of ASA/admin/config. Those will be the only way you can view the keys.

Comment on 12.4(15)T is last Cisco IOS T Release for Select Cisco Router Platforms by Gjeem Markaj

Gjeem Markaj — Mon, 14 Jul 2008 20:08:55 +0000

Joe,

I recently upgraded my ASAs to 8.0(3) and I noticed that ASDM now stars out your IKE pre-shared keys for remote access VPNs (they used to be in cleartext). Is there any way to retrieve them or see them in cleartext again?

Thanks!

Gjeme

Comment on ASA Interim Code by FCA

FCA — Sun, 13 Jul 2008 13:37:48 +0000

Sorry, I omit the very important info about hardware platform.
I try the above on ASA5505. Please check if your ASA5505 behaves the same. Thanks.

Comment on ASA 5505 Home Config by MIchael Tai

MIchael Tai — Sat, 12 Jul 2008 20:10:54 +0000

Hi Joe,

I have an ASA5505 Base (Version 8.0(3)) for home, and I have Verizon FIOS with dynamic IP address. Would you mind if you could guide me how to update my Dynamic IP from FIOS to http://www.dyndns.com or noip.com.

Below is my current config for ddns update:

ddns update method DynDNS
ddns both
interval maximum 1 0 0 0

interface Vlan 2
nameif outside
security-level 0
ddns update hostname http://username:password@updates.dnsomatic.com/nic/update?hostname=xxx.homeftp.net&myip=
ddns update DynDNS
ip address dhcp setroute

Thanks in advance!

Michael

Comment on 6200networks on your iPhone or iPod Touch by Joe Harris

Joe Harris — Sat, 12 Jul 2008 12:44:17 +0000

If this does not work correctly could someone let me know…I don’t have an iPhone or iPod Touch to test with so I can only go by what Bruce has told me. Cisco issues me a first edition Blackjack and my wife has a Blackberry World Edition so I have no idea what the page even looks like on an iPhone. Or if you have a Mac (I don’t) and you use iPhoney could you send me a screenshot (http://www.marketcircle.com/iphoney/)….Joe, could you send me an email detailing your recommendations. I’d be more than happy to implement them once I knew what the recommendations were and what exactly they accomplished…

Comment on 6200networks on your iPhone or iPod Touch by Joe Mako

Joe Mako — Fri, 11 Jul 2008 21:37:28 +0000

I would recommend you create a PNG format graphic file that’s 45×45 pixels in size, name it “apple-touch-icon.png” and drop it in the root directory of your Web site. An image of your CCIE router would work nicely. And then add to your html.

Comment on ASA Interim Code by FCA

FCA — Fri, 11 Jul 2008 21:31:03 +0000

Joe, please tell me what is the real difference between following commands on ASA 8.0(3) or ASA 8.0(3)19
crashinfo force page-fault
and
show parser dump all ?
For me both of them do nearly the same.

Comment on Daily Trivia - 7/2 by Primus Salters

Primus Salters — Fri, 11 Jul 2008 15:20:13 +0000

First answer is 1 hop, 2nd answer is 255 for multihop

Comment on End-of-Sale and End-of-Life Products by Joe Harris

Joe Harris — Wed, 09 Jul 2008 15:33:02 +0000

It should be fixed now.

Comment on End-of-Sale and End-of-Life Products by Joe Harris

Joe Harris — Wed, 09 Jul 2008 15:30:42 +0000

Sorry, That’s due to my poor programming … I’ll fix it in just a second

Comment on End-of-Sale and End-of-Life Products by TJ

TJ — Wed, 09 Jul 2008 15:04:27 +0000

Just FYI - your link to http://www.cisco.com/en/US/products/prod_end_of_life.html is broken, but thanks for the info!!

/TJ

Comment on Cisco IPICS by Trey Spivey

Trey Spivey — Mon, 07 Jul 2008 02:24:09 +0000

IPICS has allowed the Geogia Forestry Commission to move light years ahead with our communications across the state of Georgia.

Comment on Thoroughly Disappointed by Brad Hedlund

Brad Hedlund — Sun, 06 Jul 2008 22:30:48 +0000

Joe,
I see your point. Its a legitimate complaint. But I still think its nothing to get really disappointed about.

What should really disappoint us is anything that lowers the overall market value and prestige of the CCIE certification itself. This is why I don’t think its a good idea to say to any CCIE (regardless of years certified) that you no longer need to re-certify. As much a I dread re-certifying every two years, when its said and done I come out of it a better CCIE than before and glad that I did it. I would hate for the market perception to be that the older CCIE’s like you and I, while rich with experience, are less skilled, slower, or rustier than the newer ones freshly out of the lab. Even for us old farts its good get back to basics once in a while and taking the written test every couple of years is a great way to do it.

I also think letting your CCIE go inactive is the most lazy and irresponsible thing I have ever heard of. Thats a shame. Those folks will regret that one day.

As for your comment about Networkers, I agree, any non-Cisco employed CCIE’s should still be required to attend at least 3 of the last 5 Networkers. As you well know Joe, working at CIsco is like Networkers every day.

-Brad

Comment on Thoroughly Disappointed by Joe Harris

Joe Harris — Sun, 06 Jul 2008 05:00:57 +0000

Brad, you are absolutely correct however my only reservation regarding all of this is the principal of the representation. What I mean is that the program has stood as the industry benchmark of certifications for more than 10 years now and along with that title represented itself and the people whom attain this level of accreditation with one of most recognized logo’s in all the world, the “golden router.” However the program has undergone significant changes since the days when you and I achieved our numbers (we passed 7 months apart). As an employee of Cisco I guess in retrospect it’s not really my place to complain considering I didn’t have to pay one red cent for either of my last 2 CCIE’s however in everything I do, I try and put myself in the shoes of my customers and relate to the issues that affect them. If I had to come up with $1250.00 (not sure the cost nowadays) plus travel and expenditures for the cost of just sitting the lab, not to mention the astronomical cost of the training materials used to study for the lab, factoring in also the cost of rack rental time or procurement of personal lab equipment I would hope that at the end of my journey Cisco would at least recognize the effort and cost assumed by myself and/or my employer and reward me with something worthy of the status of CCIE. I only took pictures of the plaques, you should see the certificate they sent to me, no kidding my Canon MX850 could have printed a more professional looking certificate than the one I received. Remember the days when you were required as a CCIE to attend networkers? As a triple CCIE I didn’t even get asked to attend by my management…along with many other aspects of the program (the plaque included); the program has changed, for better or worse is left up the individual to decide.

The ten year plaque your customer received is a nice jester (I’ve seen a lot of these plaques and hope to get one in the next couple of years myself) but why has the program not moved to emeritus status for people whom attained the CCIE status for the last 10 years? To myself and every other 10 Year CCIE that I have talked to, that is the right thing to do…a 10 year CCIE has shown their dedication to Cisco, shouldn’t Cisco return the favor? Even after 8 years I still pursued the Service Provider CCIE, not only for the glory of attaining that level of certification but also for the challenge of the certification. It’s still ranks as the certification of choice in the market place no question, I just think that as the program continues to uphold the CCIE as the de facto standard in the marketplace, they should maintain those standards at all levels of the program, the plaque included.

Comment on Thoroughly Disappointed by Brad Hedlund

Brad Hedlund — Sat, 05 Jul 2008 01:46:30 +0000

Guys, come on, really, you don’t do this for the plaque. Who cares how much recognition you get from the CCIE program? It’s meaningless compared to the recognition and respect you get from your employer and customers. They certainly don’t care what your plaque looks like.

Also, one of my customers is a Ten Year CCIE, #2000-something. Anyway, recently he was surprised to see a nice plaque show up in his mailbox from Cisco for reaching his Ten Year milestone. He thought it was great and I thought it was cool too. It showed the CCIE program is still doing some cool things to recognize not just the new CCIE’s, but the old ones too.

My .02

-Brad

Comment on ASA 5505 Home Config by George Sialmas

George Sialmas — Sat, 05 Jul 2008 00:06:56 +0000

Hi Joe,

I’m interested in Purchasing a Cisco ASA 5505 for home use.
Can you please explain to me what is the benefit of having the above device configured for home use? At the moment I have a cable internet connection, and I have my cable modem connecting to a Netgear RangeMax WPN824 wireless router. I have my PC connecting to the Netgear router using a wired conncection. Can I use the Cisco ASA in conjuction with my current home internet wired/wireless setup I have at home? Would the Cisco ASA make my home network more secure from the outside internet world?

Thanks in advance.

Comment on Thoroughly Disappointed by Tassos

Tassos — Fri, 04 Jul 2008 06:53:50 +0000

Joe, it’s interesting to see someone having all the different plaques.
That way you can very easily spot their differences.

And as it seems, a lot of people feel disappointed by the new plaque.

Comment on Thoroughly Disappointed by Joe Harris

Joe Harris — Thu, 03 Jul 2008 16:53:24 +0000

A perfect example that echo’s your statements:

http://blog.ioshints.info/2008/07/why-im-no-longer-active-ccie.html

http://ardenpackeer.com/blog/blog-cisco-the-new-ccie-plaques-suck/

Joe

Comment on Thoroughly Disappointed by Joey

Joey — Thu, 03 Jul 2008 16:34:24 +0000

You’re not the only one feeling as such. Seems most of those who’ve had their CCIEs are slowly but surely feeling like Cisco is not giving them quite as much appreciation as they once did.

For the new and future guys, they all look magnificent

Comment on Daily Trivia Answers by Joey

Joey — Thu, 03 Jul 2008 13:48:17 +0000

Thanks Joe, much obliged!

Comment on Daily Trivia - 7/2 by Joe Harris

Joe Harris — Thu, 03 Jul 2008 12:14:19 +0000

Joey, I like the consolidated monthly summary…I’ll put this together this morning and I will also create an email reminder to do this monthly…but if I forget (been known to happen before) please remind me ;-).

Comment on Introducing the NEW CCNA Concentrations: Voice, Security, and Wireless by Jamie Adams

Jamie Adams — Wed, 02 Jul 2008 17:29:47 +0000

Also as a heads up - Cisco Press has new products for the new CCNA concentrations just announced by Cisco. Read sneak peak chapters or read the social media release here: http://tinyurl.com/3sw3yp.

Comment on Daily Trivia - 7/2 by Joey

Joey — Wed, 02 Jul 2008 16:58:14 +0000

Would nice to see answers posted at some point (end of month summary or something like that).

Comment on Cisco’s ‘Second Chance’ promotion! by Joe Harris

Joe Harris — Wed, 02 Jul 2008 12:47:05 +0000

Eric, It’s my understanding this includes all of them…here is the direct link: http://www.vue.com/cisco/secondchance/

Comment on Cisco’s ‘Second Chance’ promotion! by Eric

Eric — Wed, 02 Jul 2008 12:12:35 +0000

Hi Joe,

what exams do this promotion include?

Thanks.
Eric

Comment on Cisco IOS Auto-Upgrade Manager by Falbuq

Falbuq — Tue, 01 Jul 2008 16:17:12 +0000

Having worked for Cisco for a number of years in Remote Operations Services I just wanted to mention that Cisco prefers that Cisco ROS not be called CROS. It should be referred to as CISCO ROS. Just a minor correction - no mud involved.

Comment on Can the Tx-Ring be modified on the 2800? by Ivan Pepelnjak

Ivan Pepelnjak — Tue, 01 Jul 2008 08:48:00 +0000

And here’s a longer TX-ring story:

http://wiki.nil.com/Queuing_Principles_in_Cisco_IOS#Where_to_Queue
http://wiki.nil.com/Queuing_Principles_in_Cisco_IOS/Tx-ring-limit

I might have to reword the article … it does not explain all the HW details that I had to figure out from the hardware specs

Comment on Cisco IPICS by Joe Harris

Joe Harris — Sat, 28 Jun 2008 13:03:53 +0000

Trey I can definitely ask around and get you some names from customers that have deployed 2.0. I persoanlly don’t have any off hand because I’m removed from that vertical within Cisco that handles the IPICS stuff (Public Sector). I’ll ask around and shoot those to you offline.