Archive for category Cisco

Website Filtering Policy

regex myspace "[Mm][Yy][Ss][Pp][Aa][Cc][Ee]\.[Cc][Oo][Mm]"
regex facebook "[Ff][Aa][Cc][Ee][Bb][Oo][Oo][Kk]\.[Cc][Oo][Mm]"

class-map type regex match-any DomainBlockList
match regex facebook
match regex myspace
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList

policy-map type inspect http Blockwebsites
parameters
  protocol-violation action drop-connection
class BlockDomainsClass
  reset log

policy-map Block_policy
class inspection_default
  inspect http Blockwebsites

service-policy Block_policy interface inside
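To see what the regex class-map above actually matches against a Host header, here is an added Python simulation (not part of the original post). It evaluates the policy both with the dot unescaped, where `.` matches any single character, and with it escaped as `\.`; the sample Host headers are constructed, and the ASA's unanchored substring matching is approximated with `re.search()`.

```python
import re

# Constructed example (added here, not from the original post): simulate how
# the match-any regex class-map above evaluates an HTTP Host header. ASA
# regexes are unanchored substring matches, which re.search() mirrors.

# Patterns with the "." unescaped: it matches any single character rather
# than only a literal dot.
UNESCAPED = {
    "myspace":  r"[Mm][Yy][Ss][Pp][Aa][Cc][Ee].[Cc][Oo][Mm]",
    "facebook": r"[Ff][Aa][Cc][Ee][Bb][Oo][Oo][Kk].[Cc][Oo][Mm]",
}

# Same policy with the dot escaped (\.) so only a literal "." matches.
ESCAPED = {
    "myspace":  r"[Mm][Yy][Ss][Pp][Aa][Cc][Ee]\.[Cc][Oo][Mm]",
    "facebook": r"[Ff][Aa][Cc][Ee][Bb][Oo][Oo][Kk]\.[Cc][Oo][Mm]",
}


def matched_regex(host, patterns):
    """Name of the first regex in the class-map that hits the Host header,
    or None. 'class-map type regex match-any' needs only one hit."""
    for name, pattern in patterns.items():
        if re.search(pattern, host):
            return name
    return None


def http_action(host, patterns=UNESCAPED):
    """What the inspect policy does with a request carrying this Host header:
    'reset' when class BlockDomainsClass matches, otherwise 'allow'."""
    return "reset" if matched_regex(host, patterns) else "allow"


if __name__ == "__main__":
    # Constructed sample Host headers, including an over-match case and a
    # substring hit (the patterns are not anchored, so notmyspace.com hits).
    for host in ["www.facebook.com", "FACEBOOK.COM", "facebookXcom.example.net",
                 "notmyspace.com", "example.com"]:
        print(f"{host:26s} unescaped={http_action(host):5s} "
              f"escaped={http_action(host, ESCAPED)}")
```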


Configure ASA/Pix To Use 2008 RADIUS

ASA Commands to enable VPN Client RADIUS authentication.

aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.200.156
   key cisco123

tunnel-group vpnclient general-attributes
   authentication-server-group RADIUS



How To Configure Client IPSec VPN Access To Remote Sites Through Existing Lan-to-Lan VPN Tunnels

I was finally able to get Client VPN access to remote networks with the configuration below. The configuration changes below assume the VPN Client is already configured and functional. They also assume that the Lan-to-Lan VPN from (Main) to (Remote) has been set up and is functional.

Main Location Internal Network: 10.0.0.0/8
Remote Location Internal Network: 192.168.2.0/24
Client VPN IP Network: 192.168.10.0/24

ASA 55xx (Main): VPN Clients Terminate Here

!-- Allow traffic to enter and leave the same interface
same-security-traffic permit intra-interface

!-- Client VPN IP Pool
ip local pool IPPool 192.168.10.1-192.168.10.254

!-- Split Tunnel for Client VPN and Remote Local Network
access-list SplitTunnel extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

!-- Access list for Client VPN and Remote Local Network
access-list RemoteVPN extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

Pix/ASA (Remote): VPN Clients need access to this network

!-- No NAT for Remote Local Network and Client VPN
access-list NoNAT permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

!-- Access list for Remote Local Network and Client VPN
access-list Main permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0


How To Perform A Cisco IOS Warm Upgrade And Reload To Minimize Downtime

The warm reload feature of Cisco IOS was introduced in IOS version 12.3(2)T.

How to perform a warm upgrade in the Cisco IOS

Use the reload warm file command, like this:

Router# reload warm file tftp://1.1.1.1/c2800nm-advipservicesk9-mz.124-15.T5.bin

This command also has a number of options, such as scheduling the reload and attaching a comment:

reload [/verify | /noverify] [warm [file url]] [in [hh:]mm | at hh:mm [month day | day month

The job of the warm reload feature is to allow you to reload your routers without having to read the IOS image from flash.

How do you use warm reload in the Cisco IOS?

You can configure the warm reboot functionality with the warm-reboot global configuration command, like this:

Router(config)# warm-reboot count 10 uptime 10

This allows the router to reboot a maximum of 10 times using the warm reboot function and ensures that the router will sit for no more than 10 minutes after an attempted warm reload that does not result in a successful boot. Next, you must do one clean, cold reload of the router. After that, you can use the reload warm command to quickly reboot your router.

You can also use show warm-reboot to see statistics on how many warm reloads have happened and how much space is taken up by warm reload storage.


How To Recover A Lost Cisco Router Or Switch Password

1. Power the device off and back on.
2. Hold down Control and press BREAK (you may have to do this a few times).
3. Once you are at the rommon> prompt, type confreg.
4. Say “n” to all options except this one:
enable “ignore system config info”? y/n [n]: y
5. Say “n” to all other options.
6. Once back at the rommon prompt, type reset.
7. The device will reboot.
8. Once the device is booted, you will know that you are bypassing the config because you will be asked this question (say no):
Would you like to enter the initial configuration dialog? [yes/no]: no
9. Once booted, if you do a show version, you will see that your config register is 0x2142.
10. Now you can either go to enable mode and do a show startup-config to see what the enable password is, OR, if you have an enable secret password set, replace it: do a copy start run, then go into global configuration and create a new enable secret with enable secret cisco, then copy it back with copy run start.
11. Now change the config register back. In global configuration, type config-register 0x2102.
12. Save your configuration with wr or copy run start.
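The two register values in the procedure above differ in a single bit. As an added example (not part of the original post), this Python decodes an IOS configuration register and audits a `show version` line so that a router is not left in the bypass state after recovery; the sample `show version` lines are constructed.

```python
import re

# Constructed example (added here, not part of the original post): decode the
# IOS configuration register values used above, 0x2142 and 0x2102, and audit
# a 'show version' line so a router is not left bypassing its startup config.
# Bit positions follow the standard IOS config-register layout.

IGNORE_NVRAM = 0x0040           # bit 6: ignore startup configuration in NVRAM
BREAK_DISABLED = 0x0100         # bit 8: Break key ignored after boot
ROM_IF_NETBOOT_FAILS = 0x2000   # bit 13: fall back to ROM image if netboot fails


def decode_confreg(value):
    """Describe a 16-bit config register given as an int or a '0x2142' string."""
    reg = int(value, 16) if isinstance(value, str) else int(value)
    if not 0 <= reg <= 0xFFFF:
        raise ValueError("config register is a 16-bit value")
    boot_field = reg & 0x000F   # bits 0-3 select the boot source
    if boot_field == 0x0:
        boot = "stay in ROMMON"
    elif boot_field == 0x1:
        boot = "boot helper / first image (platform dependent)"
    else:
        boot = "use 'boot system' commands, then flash"
    return {
        "register": f"0x{reg:04x}",
        "boot": boot,
        "ignore_nvram": bool(reg & IGNORE_NVRAM),
        "break_disabled": bool(reg & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(reg & ROM_IF_NETBOOT_FAILS),
    }


def confreg_audit(show_version_line):
    """Check the 'Configuration register is ...' line of 'show version'.
    Returns True only if neither the current register nor a pending one
    ('(will be 0x.... at next reload)') has the ignore-NVRAM bit set."""
    regs = re.findall(r"0x[0-9A-Fa-f]+", show_version_line)
    if not regs:
        raise ValueError("no configuration register value found in line")
    return all(not decode_confreg(r)["ignore_nvram"] for r in regs)


if __name__ == "__main__":
    for reg in ("0x2142", "0x2102"):
        print(reg, decode_confreg(reg))
    # Constructed sample output lines from 'show version'.
    print(confreg_audit("Configuration register is 0x2102"))
    print(confreg_audit("Configuration register is 0x2102 (will be 0x2142 at next reload)"))
```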


DSCP to CoS Table

DSCP-To-CoS (table image)


QoS For Shoretel VOIP, Citrix, and Other Traffic Example

ip access-list extended Priority
 remark Citrix Ports
 permit tcp any any eq 1494
 permit udp any any eq 1604
 remark ShoreTel Director Server
 permit tcp any any eq 111
 permit udp any any eq 111
 permit udp any any eq 2727
 permit udp any any eq 5440
 permit udp any any eq 5441
 permit udp any any eq 5442
 permit udp any any eq 5443
 permit udp any any eq 5445
 permit udp any any eq 5446
 permit udp any any eq 5004

class-map match-any VoIP
 match protocol rtp audio

class-map match-any Priority
 match access-group name Priority

class-map match-any WebEmail
 match protocol http
 match protocol secure-http
 match protocol ftp
 match protocol smtp
 match protocol pop3

policy-map QoS
 class VoIP
  priority percent 30
  set dscp ef
 class Priority
  bandwidth remaining percent 40
  set dscp 34
 class WebEmail
  bandwidth remaining percent 15
  set dscp 26
 class class-default
  fair-queue

interface Serial0/1/0
 ip address 192.168.1.1 255.255.255.252
 ip nbar protocol-discovery
 service-policy output QoS
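The policy above marks traffic with ef, 34 and 26, and the DSCP to CoS post earlier on this page covers how such markings carry over to CoS. As an added example serving both posts (not code from the original), this Python decodes DSCP names and values the way `set dscp` accepts them and applies the default Catalyst DSCP-to-CoS map; the POLICY table is assumed from the policy-map above.

```python
# Constructed example (added here, not from the original posts): decode the
# DSCP values the QoS policy above sets (ef, 34, 26) and map each to CoS
# with the default Catalyst DSCP-to-CoS map, where CoS is the top three
# DSCP bits (CoS = DSCP // 8). The POLICY table is assumed from the config.

DSCP_NAMES = {"ef": 46, "default": 0}
for _cls in range(0, 8):
    DSCP_NAMES[f"cs{_cls}"] = 8 * _cls                         # class selector CSx
for _cls in range(1, 5):
    for _drop in range(1, 4):
        DSCP_NAMES[f"af{_cls}{_drop}"] = 8 * _cls + 2 * _drop  # AFxy


def parse_dscp(token):
    """Accept what 'set dscp' accepts: a PHB name (ef, af41, cs3) or 0-63."""
    token = str(token).strip().lower()
    if token in DSCP_NAMES:
        return DSCP_NAMES[token]
    value = int(token)
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP out of range: {token}")
    return value


def dscp_name(value):
    """PHB name for a numeric DSCP, e.g. 34 -> 'af41', 26 -> 'af31'."""
    for name, v in DSCP_NAMES.items():
        if v == value and name != "default":
            return name
    return str(value)


def dscp_to_cos(dscp):
    """Default DSCP-to-CoS map on Catalyst switches: DSCP 0-7 -> CoS 0,
    8-15 -> 1, ... 56-63 -> 7, i.e. the three most-significant DSCP bits."""
    return parse_dscp(dscp) >> 3


# Class name -> DSCP marking, taken from the policy-map QoS above.
POLICY = {"VoIP": "ef", "Priority": 34, "WebEmail": 26}

if __name__ == "__main__":
    for cls, marking in POLICY.items():
        value = parse_dscp(marking)
        print(f"{cls:9s} dscp {value:2d} ({dscp_name(value):4s}) -> cos {dscp_to_cos(value)}")
```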


Performing Password Recovery For The ASA 5500 Series Adaptive Security Appliance

Step 1 Connect to the security appliance console port.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011

Configuration Summary: boot TFTP image, boot default image from Flash on netboot failure

Do you wish to change this configuration? y/n [n]:

Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the “disable system configuration?” value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot

The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

Where value is the configuration register value you noted in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config


AnyConnect VPN Config Example

webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0128-k9.pkg 1
svc enable
tunnel-group-list enable

*** Will configure the ASA to autorun the SSL vpn client

group-policy AnyConnectGroup internal
group-policy AnyConnectGroup attributes
wins-server value 10.0.0.10 10.0.0.11
dns-server value 10.0.0.10 10.0.0.11
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel

OR

*** Will configure the ASA to direct clients to the AnyConnect Web Interface

group-policy AnyConnectGroup internal
group-policy AnyConnectGroup attributes
wins-server value 10.0.0.10 10.0.0.11
dns-server value 10.0.0.10 10.0.0.11
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel

webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc

tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool IPPool
default-group-policy AnyConnectGroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable


Disable Second Level Authentication On IPSec Client VPN

Ver 8.x – tunnel-group CLIENTVPNGROUPNAME ipsec-attributes
                   isakmp ikev1-user-authentication none

Ver 7.x – tunnel-group CLIENTVPNGROUPNAME general-attributes
                   authentication-server-group none
