The difference between Identity NAT and NAT Exemption

According to the Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance book, “The main difference between identity NAT and NAT exemption is that with identity NAT, the traffic must be sourced from the address specified with the nat 0 statement, whereas with NAT exemption, traffic can be initiated by the hosts on either side of the security appliance. NAT exemption is a preferred method to bypass traffic when it is flowing over a VPN tunnel.”

So, what does this mean really?
Read more…

Delivering Voicemail to Email as Attachments with Cisco Unity Connection 8.5

As a Network Engineer, I usually have multiple people trying to get a hold of me at the same time. It’s difficult to manage all the methods of communication these days. There is voice mail, email, instant message, phone calls, cell phone calls and someone physically being at your desk. When I get the opportunity to unify any of these methods, I’ll jump at the chance!
Read more…

Default Configuration of a Cisco ASA 5510 running 8.2(5)

I’ve sometimes looked for this when I am dealing with a ASA that is already configured. It is useful to see what the default configuration is on an ASA. The default password is no password. When prompted for a password, hit enter for access.

ciscoasa# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:804031d1aeddcd0b07051e5ac29dec2e
: end
ciscoasa#

Card type Preprovisioning

When installing a VWIC2-2MFT-T1/E1 card, you must provision what the card will do before configuring it. With this particular card, you could provision it as a T1, E1 or PRI depending on the clients requirements. The card command is used to accomplish this.

Prior to provisioning, a show run outputs the following:

boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
! card type command needed for slot/vwic-slot 0/1
! card type command needed for slot/vwic-slot 0/2
logging buffered 51200 warnings
!

It’s easy to see there is a problem. In addition to the errors in the configuration, no controllers or serial interfaces are seen. In our scenario, we needed to configure this card as a T1 so we issued the following command:

router(config)# card type T1 0 0
router(config)# card type T1 0 1
router(config)# card type T1 0 2

The numbers at the end of the command specify your slot and subslot. After issuing these commands, we can see that the T1 controllers are now present in the running configuration:

controller T1 0/0/0
 cablelength long 0db
!
controller T1 0/0/1
 cablelength long 0db
!
controller T1 0/1/0
 cablelength long 0db
!
controller T1 0/1/1
 cablelength long 0db
!
controller T1 0/2/0
 cablelength long 0db
!
controller T1 0/2/1
 cablelength long 0db

Now that the controllers are created and we look at the running configuration, we still can’t see any serial interfaces. This is because being a multiflex card, we have to create the appropriate channel-group or pri-group. We are termianting a T1 so we will issue the following command under the controller:

router(config-controller)# channel-group 0 timeslots 1-24

After this command is issued, a new serial interface is created that is available for configuration. You have successfully configured the VWIC2-2MFT-T1/E1!

IOS Upgrade on a Cisco 3560

When I finished with the Cisco Networking Academy, I learned that upgrading an IOS was as simple as copying the new IOS .bin file to the flash drive of the device you are upgrading. At my first job working with actual Cisco devices, I was tasked with upgrading a 3560. The problem was that the IOS downloaded from Cisco was a .tar–not .bin like I had seen before. This is when I learned that there are two main methods to upgrading your IOS devices.

When you download an IOS from Cisco, some version include extra files in the package such as an SDM interface. Instead of packaging everything individually, Cisco creates a tar file with all the files. Alternatively, if you don’t need all the extras, Cisco can provide a single .bin as well or you can extract the .bin from inside the .tar.

If you decide to use the tar file, upgrading the IOS is simple. From priviledged mode, simply enter the follow commands:

Switch# archive download-sw /overwrite /reload tftp://10.10.1.27/c3560-ipservicesk9-mz.122-55.SE3.tar

Let’s break down this command. First, we are using the archive command. Since we are using a .tar file (an archive) we need to decompress the file to the local flash memory. Second command is download-sw. This is just to indicate that we are going to download software instead of upload it (there is also a upload-sw command). Next, we tell IOS to overwrite the existing image. You may or may not have enough room in flash to hold multiple images. Finally, we specify the location of the new image. In this case, I have it on a TFTP server on 10.10.1.27. Cisco makes it easy and allows you to download the file, uncompress it, and reload the switch with one command.

Once this command is run, IOS downloads the file, deletes your existing IOS, extracts the files in the .tar on to flash and reloads the system. When the system finishes starting up, your IOS upgrade is complete! You can verify this with a show version.

Last night, I had to upgrade the IOS on the 3560 but I only have a .bin file. In this case, it was similar to upgrading an IOS on a router. All you have to do is simply copy the .bin file to the flash directory and set the boot variable.

Switch# copy tftp://10.10.1.27/c3560-ipservicesk9-mz.122-55.SE3.bin flash:c3560-ipservicesk9-mz.122-55.SE3.bin
Switch# 
Switch# boot system flash:c3560-ipservicesk9-mz.122-52.SE.bin
Switch# 
Switch# copy running-config startup-config
Building configuration...
[OK]
Switch# 
Switch# show boot
BOOT path-list      : flash:c3560-ipservicesk9-mz.122-52.SE.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break        : no
Manual Boot         : no
HELPER path-list    :
Auto upgrade        : yes
Auto upgrade path   :
Timeout for Config
          Download:    0 seconds
Config Download
       via DHCP:       disabled (next boot: disabled)
Switch# 
Switch# reload

We first copied the IOS to the local flash and then we configured IOS to use the new IOS. We saved our changes and verified them with a show boot command. After a reload, the switch will use the new IOS.

TIP: Always backup your current IOS. Using the copy command, copy it from the flash to your tftp in case you need to rollback. In addition, once the system has started, you are able to delete the .bin file from the flash without problems. This is useful when you have an existing image that is taking up most of the room on your flash and you are copying a new one that requires more space than you have available.

Enabling ssh on a Cisco ASA

Enabling SSH on a Cisco ASA is not as easy as it might seem. On first look, you would think using just the “ssh <network> <subnet> <interface>” would do the trick but there are 2 more commands that are needed.

In my specific scenario, I needed SSH access to a Cisco ASA from the 10.10.1.0/24 subnet. First thing I did was create a local user name and password and enable ssh:

username jmartinez password Cisco123!
ssh 10.10.1.0 255.255.255.0 outside

Trying to connect, PuTTY tells me “Server unexpectedly closed network connection”. Something is missing! I enabled ssh debugging with the command “debug ssh” and received the following debug when I tried to connect:

ASA# Device ssh opened successfully.
SSH0: SSH client: IP = '10.10.1.27'  interface # = 1
SSH: unable to retrieve default host public key.  Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
ASA#

A useful debug log?! It’s obvious from above that I don’t have an RSA keys in order to encrypt traffic. So I issue the following command to generate a key:

ASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA(config)#

Excellent! Now when I try to reconnect, I get a connection with the following debugging lines:

Device ssh opened successfully.
SSH0: SSH client: IP = '10.10.1.27'  interface # = 1
SSH: host key initialised
SSH: license supports 3DES: 2
SSH: license supports DES: 2
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60
client version string:SSH-2.0-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 3030 ms
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS received

When I type in an existing username / password that is on the ASA already, I get access denied. Debugging shows:

SSH(jmartinez): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for jmartinez

It looks like we don’t have an AAA method setup. I want to use the local user database. Let’s configure that:

ASA(config)# aaa authentication ssh console LOCAL

Now when I connect, I am able to login successfully. Here is the debug log for a successful connection:

SSH(jmartinez): user authen method is 'use AAA', aaa server group ID = 1
SSH2 0: authentication successful for jmartinez
SSH2 0: channel open request
SSH2 0: pty-req request
SSH2 0: requested tty: xterm, height 24, width 80
SSH2 0: shell request
SSH2 0: shell message received

Transfer to Voicemail

One common function of phone systems is having the ability to transfer calls to someone’s voicemail box. By default, there isn’t a feature that’s part of a CUCM and Unity integration that allows you to transfer a call to voicemail. You have to transfer the call to their extension and the call would ring until one of your Call Forward settings sends the call to their voicemail box. Alternatively, you could place the call on hold and navigate your voicemail system until you reach the destination box and transfer the call.

Both of these examples introduce unwanted delay and may frustrate the caller. By introducing this Transfer to Voicemail feature, you can allow for the quick transfer of calls.

You can setup Transfer to Voicemail function using the following steps:

1. Create a new Voice Mail Profile by going to Voice Mail > Voice Mail Profile and clicking Add New in Cisco Unified CM Administration.
2. Assign the new Voice Mail Profile something descriptive such as “TransferToVM”, assign your existing VM Pilot to Voice Mail Pilot and assign it a mask of XXXX (assuming a four digit dialplan, use sufficient wildcard characters to cover yours). Click Save.
3. Create a CTI route point by going to Device > CTI Route Point and give it Device Name that you gave your Voice Mail Profile that you created in step 2. This isn’t necessary but helps you tie the  the profile and the route point together. Assign it an appropriate CSS, Partition and Location attributes. Click Save.
4. Once you save the route point, you are able to assign an extension to it. If you use 4 digit dialing, use the Directory Number of *XXXX (similar to step 2, use sufficient wildcard characters to cover your dialplan). Under the DN Properties of *XXXX, assign the Voice Mail Profile that you created in the previous step and check the Voice Mail check box under Forward All. Click Save and reset the CTI RP.

Following these steps, you should be able to dial *+DN and directly reach that extensions voice mail box.

DSP Simplified

DSPs, or Digital Signal Processors, are specialized chips designed to process a digital signal. DSPs are used in Cisco routers to perform transcoding, conferencing and MTP. In the Cisco voice world, they are used extensively and understanding how they work and how many you need is important. Read more…

Start Securing Your SNMP

A lot of companies use SNMP to monitor their devices. If your devices and software support it, it’s best to use SNMPv3 because of it’s authentication and encryption capabilities. With traditional SNMP, your community string is transmitted in plain text. This would allow an attacker to sniff your traffic, retrive your string and be able to query your devices for information.

Configuring SNMPv3 is a snap! I recommend using a password generator to generate your SNMPv3 usernames and passwords. The website I use is http://www.testyourpassword.com/. I then use http://www.passwordmeter.com/ to check the strengh because it provides you with a report of complexity. I would alter the password until you receive 100% score with all expectional in the additions section and 0 deductions. Although it’s a good idea to generate a complex username and password for each device, your network management software may not allow you to configure creditionals for each one in which case, you’ll have to make do with only one.

Now, the first thing to do is remove snmp from your current config. I can’t show you how to do this because its specific to each device because of configuration diferences. It doesn’t do any good to configure SNMPv3 and leave SNMPv1 or SNMPv2c running also.

Once you have disabled SNMPv1 and SNMPv2c, you must create a SNMPV3 group. You can do this with the following command:

     Router(config)# snmp-server group AUTHPRIV v3 priv

AUTHPRIV is the name of the group and can be anything you want to use. By stating “priv” we are telling the router we want to authentication AND encryption. There are other modes but this article will not go into them.

Once you have created the group, we need to create users. To do this, type:

     Router(config)# snmp-server user SNMPV3 AUTHPRIV v3 auth md5 <username> priv des56 <password>

This command makes a user named “SNMPV3″ in the group “AUTHPRIV” using md5 for authentication and uses DES 56-BIT encryption for the packets.

That’s it!

This article breifly discuess SNMPv3 and its capabilities. If you NEED to use SNMPv1 or SNMPv2c, I recommend not using SNMP RW strings, using different complex strings (if possible, No Private or Public strings), and using ACL’s to prevent unauthorized access.

The configuration show is a basic configuration. There are many more options that can be used. For more information see: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf014.html#wp1001086

Interface Macros

A great way to logically organize your ports is define interface macros. For example, assume that you use ports 30-48 for your servers. These servers should have their switch ports configured alike. You could define a macro to group these logically. When you do this, you are allowed to call the interface range command with a name.

Here’s how it works:

define interface-range macro-name type module/number [, type module/number ...] [type module/first-number - last-number]  [...]

Although this command looks daunting at first, it’s not.

In our case, we would simply use:

     switch(config)# define interface-range SERVERS FastEthernet0/30 – 48

Although this example only has one range, you could add a comma at the end and note another range. We are now allowed to use the name SERVERS as an interface range. This shown below.

     switch(config)# interface range macro SERVERS

     switch(config-if-range)#

As you can see, when configuring a large number of ports, this command can be very useful. I personally think it’s a good way to label ports. In the future you could see these definitions in your configuration.