Friday, June 19, 2009

Configure SSH on Cisco Routers and Switches

hostname ernie
ip domain-name rtp.cisco.com
username cisco password 0 cisco

line vty 0 4
login local
transport input ssh

Generate SSH Key:

cry key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2

The show crypto key mypubkey rsa command must display the generated key before SSH will accept connections.
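As an added check (not part of the original post), the script below audits a running-config fragment for the SSH prerequisites the post sets up: a domain name for key generation, vty lines restricted to SSH with local login, plus two checks that go beyond the post (ip ssh version 2, and flagging Type 0 cleartext passwords such as the sample username line). The config text is the post's own sample, embedded as a constructed string.

```python
import re

# Constructed sample: the post's config fragment as "show running-config" prints it.
SAMPLE_CONFIG = """\
hostname ernie
ip domain-name rtp.cisco.com
username cisco password 0 cisco
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 login local
 transport input ssh
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for each 'line vty' section of an IOS config."""
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i], []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):   # indented sub-commands
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1

def audit_ssh_config(config):
    """Return a list of findings; an empty list means the SSH setup checks pass."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name: 'crypto key generate rsa' will fail")
    if not re.search(r"^ip ssh version 2$", config, re.M):   # assumption: v2-only is wanted
        findings.append("ip ssh version 2 not set: SSHv1 may still be negotiated")
    for header, body in vty_blocks(config):
        if "transport input ssh" not in body:
            findings.append(f"{header}: transport input not restricted to ssh")
        if "login local" not in body and not any(b.startswith("login authentication") for b in body):
            findings.append(f"{header}: no local or AAA login configured")
    # Type 0 = cleartext password in the config; 'username ... secret' stores a hash instead.
    for m in re.finditer(r"^username (\S+) password 0 ", config, re.M):
        findings.append(f"username {m.group(1)}: Type 0 cleartext password, use 'secret' instead")
    return findings
```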

Configure Cisco ASA Failover on Management Interface

I sometimes like to configure failover across the management interface so that I don't have to use up one of the other physical interfaces for the failover link.

Primary Unit:

failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

Secondary Unit:

no failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

When you are ready to pull the configuration down from the primary, issue the failover command on the secondary.
Replication should begin, and the Active light on the secondary ASA should turn orange, indicating it has taken the secondary (standby) role.

Use the show failover command to verify the failover status.

Friday, June 12, 2009

Cisco ASA AnyConnect SSL VPN Base Configuration

ip local pool WebVPNPool 192.168.10.10-192.168.10.100 mask 255.255.255.0

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable

group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
 dns-server value X.X.X.X
 vpn-tunnel-protocol svc
 group-lock value WebVPNAccessProfile
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value business.local
 address-pools value WebVPNPool
 webvpn
  svc ask none default svc
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable

tunnel-group WebVPNAccessProfile type remote-access
tunnel-group WebVPNAccessProfile general-attributes
 default-group-policy WebVPNPolicy
tunnel-group WebVPNAccessProfile webvpn-attributes
 group-alias WebVPN enable

Cisco Switch Private VLAN (PVLAN) Configuration

PVLAN Background:
PVLANs provide Layer 2 isolation between ports within the same broadcast domain. They can be configured on a Layer 2 or Layer 3 switch.

Please check Cisco's Private VLAN Catalyst Switch Support Matrix to see if your switch supports PVLANs.

PVLANs include three types of ports:
Promiscuous ports - can communicate with all other ports in the private VLAN.
Isolated ports - have complete Layer 2 separation from the other ports within the same PVLAN. Isolated ports can communicate only with promiscuous ports.
Community ports - communicate among themselves and with the promiscuous ports.

Private VLAN ports are associated with a set of supporting VLANs that are used to create the private VLAN structure.
A private VLAN uses VLANs in three ways:

Primary VLAN - carries traffic from promiscuous ports to isolated, community, and other promiscuous ports.
Isolated VLAN - carries traffic from isolated ports to promiscuous ports.
Community VLAN - carries traffic between community ports and to promiscuous ports. You can configure multiple community VLANs in a private VLAN.

The following ports are allowed to communicate with each other with the configuration below:
These 3 ports can communicate with each other: Gig2/2 (community 100), Gig2/3 (community 100), Gig2/1 (promiscuous)
These 3 ports can communicate with each other: Gig2/4 (community 200), Gig2/5 (community 200), Gig2/1 (promiscuous)
These 2 ports can communicate with each other: Gig2/6 (isolated), Gig2/1 (promiscuous)
These 2 ports can communicate with each other: Gig2/7 (isolated), Gig2/1 (promiscuous)
Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 100,200,86
Switch(config-vlan)#exit

Switch(config)#interface gig2/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 100,200,86

Switch(config)#interface range Gig2/2 - 3
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 100

Switch(config)#interface range Gig2/4 - 5
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 200

Switch(config)#interface range Gig2/6 - 7
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 86
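The reachability statements above can be checked against the configuration with a small model of the private VLAN forwarding rules. This is an added example, not code from the original post; the port names and VLAN numbers are the post's, the model and its function names are mine.

```python
# Model of the post's PVLAN layout: primary VLAN 10, two community VLANs and one
# isolated VLAN, with the promiscuous port mapped to all three secondaries.
PRIMARY = 10
SECONDARY = {100: "community", 200: "community", 86: "isolated"}   # secondary VLAN -> type

# port -> (switchport mode, secondary VLAN for host ports / mapped VLANs for promiscuous)
PORTS = {
    "Gig2/1": ("promiscuous", {100, 200, 86}),
    "Gig2/2": ("host", 100), "Gig2/3": ("host", 100),
    "Gig2/4": ("host", 200), "Gig2/5": ("host", 200),
    "Gig2/6": ("host", 86),  "Gig2/7": ("host", 86),
}

def can_communicate(a, b, ports=PORTS, secondary=SECONDARY):
    """True if frames from port a may be forwarded to port b at Layer 2."""
    if a == b:
        return False
    mode_a, vlan_a = ports[a]
    mode_b, vlan_b = ports[b]
    # Promiscuous ports reach every host port in a secondary VLAN they are mapped to,
    # and other promiscuous ports via the primary VLAN.
    if mode_a == "promiscuous" and mode_b == "promiscuous":
        return True
    if mode_a == "promiscuous":
        return vlan_b in vlan_a
    if mode_b == "promiscuous":
        return vlan_a in vlan_b
    # Two host ports in different secondary VLANs never see each other.
    if vlan_a != vlan_b:
        return False
    # Same secondary VLAN: community members may talk, isolated members may not.
    return secondary[vlan_a] == "community"

def reachable_set(port):
    """Sorted list of ports that can exchange frames with the given port."""
    return sorted(p for p in PORTS if can_communicate(port, p))
```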

Cisco PIX configuration for logging to a Syslog server

logging on
logging standby
logging timestamp
logging trap notifications
logging facility 18
logging host inside <syslog-server-ip>
logging device-id string <name>

Use warnings instead of notifications if the volume is too high; notifications will send a ton of information. The logging host line names the interface (inside or outside) through which the syslog server is reached. The device-id string tags each message with the name so it is easy to see in the syslog which device it came from.

Logging severity levels:

emergencies (0)
alerts (1)
critical (2)
errors (3)
warnings (4)
notifications (5)
informational (6)
debugging (7)

The higher the level, the more messages (and types of messages) that are generated.

Refer to Messages Listed by Severity Level for a list of the log messages generated at each severity level.
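The severity a PIX assigns to each message is embedded in the message header (%PIX-<severity>-<message-id>), so the effect of a logging trap level can be worked out from the messages themselves. As an added example (not from the original post), the code below parses constructed sample lines in the shape the configuration above produces (timestamp, then the device-id string, then the %PIX header) and filters them the way the trap threshold would; the message IDs are illustrative.

```python
import re

# Severity names in numeric order, as listed in the post (index == level number).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Constructed sample lines: 'logging timestamp' and 'logging device-id string fw01' are in effect.
SAMPLE_LOGS = [
    "Jun 19 2009 10:00:01 fw01 : %PIX-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "Jun 19 2009 10:00:02 fw01 : %PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51000 to inside:10.0.0.8/443",
    "Jun 19 2009 10:00:03 fw01 : %PIX-5-111008: User 'enable_15' executed the 'logging trap notifications' command.",
    "Jun 19 2009 10:00:04 fw01 : %PIX-1-104001: (Primary) Switching to ACTIVE - Other unit wants me Active",
]

PIX_RE = re.compile(
    r"^(?P<ts>.+?) (?P<device>\S+) : %PIX-(?P<sev>[0-7])-(?P<msgid>\d+): (?P<text>.*)$"
)

def parse_pix(line):
    """Split one PIX syslog line into its fields, or return None if it is not one."""
    m = PIX_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["level"] = LEVELS[rec["sev"]]
    return rec

def forwarded_at(trap_level, lines):
    """Messages that 'logging trap <trap_level>' would send to the syslog host.

    A message is sent when its severity number is <= the configured level, so a
    higher trap level forwards more messages, as the post notes.
    """
    threshold = LEVELS.index(trap_level)
    return [rec for rec in map(parse_pix, lines) if rec and rec["sev"] <= threshold]
```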

Connecting US Robotics Modem to Cisco Router for Out-of-Band Management

56K* V.92 External Modem + Fax DIP switches:

By default: 3, 5, 8 ARE DOWN (ON)

To use with Cisco: 1, 4, 6, 8 ARE DOWN (ON)

Init string for the 56K* V.92 External Modem + Fax to get it working with Cisco (Q1 silences result codes, E0 turns off echo, S0=1 answers on the first ring, &W saves the settings): at&f0q1e0s0=1&b0&n6&u6&m4&k0&w