Category: Cisco

Always flush when you're done!!!

One of my clients has had their web server exposed to the wild world of the internet now for several years. Up until about a year and a half ago, many systems on their network actually had IP ANY ANY statements cut through from the outside of their firewall to the inside. However, it has been one of my many jobs since I started with them to eradicate these problems and start securing their infrastructure. The firewall changes have been easy for the most part, and any problems that remain are policy issues that we are working to eliminate. However, their web server sitting outside of the firewall has been an ongoing issue, and due to some anomalies on the server they are deploying the recommended DMZ and migrating their web server there.

Upon us all a little rain must fall.

Led Zeppelin said it best, I guess. This past week Ohio, along with lots of other states, got hit with the remains of Hurricane Dean. So far it has been the most damaging storm for my clients in my short consulting career. The first call came on Tuesday morning, August 21st. That call was from one of our account managers, who indicated a client had sustained catastrophic damage to their 6509 when water rushed into their core network closet. My first two thoughts were: how quickly can we get replacement hardware, and how long should it take for me to get them back up and going?

The King has left the building…err…the web. (Final Update)

That's right, kiddies. is offline. I have a pending case with TAC in which I was supposed to download files with special access. Stay tuned for that story later. However, as I tried to get the files, all my attempts to contact anything off of the Cisco main page came up dead. I confirmed this from an iPhone on AT&T, my XV6700 on Verizon, as well as a network off of the State of Ohio backbone. With my homework done, I contacted an engineer at Cisco who confirmed: "Yep, we are down…not one of our best days. We should be back online sometime later tonight." My engineer is in the Eastern time zone with me, and it was 3pm when he told me this, so it sounds like they are on the mat for a few more hours. Not sure what the problem is or how widespread, but I'll wager that this costs someone their job and Cisco a lot of money.

Bridge Building Geek Style

One of the Cisco sales reps I work for called me a few months back and said, "Hey, why don't we use a Cisco wireless setup at client X to save them a bunch of money?" My reply was…"Crap, why didn't I think of that?" followed by "Sure, let me get to working on it." In the end we provided a solution that used Cisco 1240 A/G radios and two 5 GHz point-to-point panel antennas. We also got to use the 2.4 GHz radios for WiFi access inside the buildings that the 5 GHz bridge was serving. Currently I am completing the config, but once I have it all done I am going to post the juicy bits (sanitized to protect the client, of course) as well as a few pics if the client will permit me to do so.

My company has done quite a few of these in the past. However, this was my first go at a wireless bridge setup. As usual with new projects I was a bit nervous, but in the end I have been amazed at how smoothly the whole thing went. Wireless connectivity has really jumped a level in my mind now. It was interesting, though, when I called one of our designers and then one of our engineers and asked, "So now that my link is up, how do I test the link quality and speed?" The answer was, "I'm really not sure, they just work." For the moment I accepted the answer, but in the end I have been troubleshooting a few things, and I added my question to the list of things I wanted to solve by the time I handed it off to the client.

Digital Demons, let's cast them out of our digital homes.

Back on March 19th of this year I posted "Three weeks in two, bah who needs sleep." I must have lied, because between those two weeks and the subsequent crazy weeks following I pretty much fell off the map. During the aforementioned two weeks, though, I visited Ottawa, Canada for sales and engineering training for CryptoCard. For me, trips like this are exciting not for the trip but for the time I get to spend with other professionals learning, hanging out and passing on our tricks to each other. During a break in the training routine our instructor Patrick posed a question, something to the effect of: if we don't like spam and attacks, and we know that 20 to 30% of all spam and attacks come from North Korea and China, then why don't we block them at the edge?

ASA VPN Commands to Remember

From time to time I'll just post these quick little snippets of config. Honestly, this is so I have a reference for them in the future. This set comes from troubleshooting why my VPN would connect but not allow me to see the networks I had allowed in my VPN group ACE.

The first command allows the ASA to detect VPN clients behind NAT devices and encapsulates the IPsec traffic in UDP on port 4500 (NAT-T); the trailing 20 is the keepalive interval in seconds.

crypto isakmp nat-traversal 20

The second command lets decrypted VPN traffic bypass the interface access lists, which is why a connected client can be blocked from the networks it was otherwise allowed to reach until this is set.

sysopt connection permit-vpn

Cisco PIX to ASA: not what it seems.

Well, I am still behind in getting configs published. But please know that they are coming. This is a hobby for me, and like most hobbies it is lower in my priority queue than work and family. One of the items that took priority this week was a conversion from a pair of PIX 515s to ASA 5540s with AIP-20s.

I learned a lot about traffic, hardware limitations and marketing with this project. This whole project started shortly after an upgrade of the link to their upstream provider from DSL to a 100 Mbit circuit. Along with the circuit upgrade, the customer also started using a web app provided by their upstream provider that generated a lot of connections but not a lot of bandwidth. To make a long story short, we ended up having sudden outages that would come and go with no explanation…that is, until I checked the connections on their PIX 515. During outages they were running between 148,000 and 160,000 connections, and their PIX was designed to handle 120,000. We could have performed connection tuning on the PIX, but the client was ready to move on to an ASA.