Category Archive: Cisco
*NIX & Apple & Cisco & PIX/ASA & Security 14 Jan 2008 03:01 pm
Captain the warp subsystems are down what should we do?!!!
Over the last two years I have become quite the Mac/OSX fan. For years I was down on Apple and to this day think I had every right to be. But with OS 10.4 and now 10.5 they have created a powerful and flexible unix distribution for the general user and the power users. However I have from time to time noticed funky issues with software such as the Cisco IPsec VPN client.
Most recently in 10.5.1 I kept getting the VPN subsystem could not be contacted. Well here is the fix from Nate:
“If you are running Cisco’s VPNClient on Mac OSX, you might be familiar with (or tormented by) “Error 51: Unable to communicate with the VPN subsystem”. The simple fix is to quit VPNClient, open a Terminal window, (Applications -> Utilities -> Terminal) and type the following:
sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart
and give your password when it asks. This will stop and start the “VPN Subsystem”, or in other words restart the CiscoVPN.kext extension.”
Thanks Nate and I hope this helps everyone else out there keep their WARP core under control….later!
Switches & pcap & wireshark 12 Dec 2007 12:17 pm
Open wide I need to see all your packets!
I have been doing a lot of reading lately about network monitoring, IDS, network problem diagnosis and other such topics. Out of that reading I have been picking up on something that was totally left out of my education in the finer arts of networking. That something is the necessary use of network TAPS for full visibility of traffic in a structured switched Ethernet network. I plan on discussing that issue more in the near future. But on the front end I have discovered the need to use the existing SPAN and port mirroring options to get a better view on a highly VLAN’d environment. This article from NetworkIntrusion was just what the doctor ordered. So until I can get my hands on some TAPS and get some articles out about how they have revolutionized my troubleshooting methodology I hope this use of tried and true tools for monitoring switches helps.
ACL & Cisco & PIX/ASA & Security 10 Dec 2007 08:11 am
The Magical Disappearing ASA ACL.
I was on a client site about a month ago finishing an ASA install running PIX IOS 7.2.3. We were moving the client from flat ACLs to Object Group based ACLs, Object groups and named hosts. But for whatever reason we were having problems with the ACL. So from the command line I planned on using the tried and true no access-list “ACL NAME” to get rid of the offending ACL and start over. I was confused when the ACL did not go away. Well in reading 6200networks yesterday I came across the answer. From global config mode use clear configure access-list “id” and it should take care of that troublesome ACL. Thanks to Joe at 6200networks for the info.
*NIX & Consulting & DNS & Design Strategy & PIX/ASA 07 Sep 2007 10:37 am
Always Flush when you’re done!!!
One of my clients has had their web server exposed to the wild world of the internet now for several years. Up till about a year and a half ago many systems on their network actually had IP ANY ANY statements cut through from the Outside of their Firewall to the Inside. However it has been one of my many jobs since I started with them to eradicate these problems and start securing their infrastructure. The firewall changes have been easy for the most part and any problems that remain are policy issues that we are working to eliminate. However their web server sitting outside of the firewall has been an ongoing issue and due to some anomalies on the server they are deploying the recommended DMZ and migrating their web server there.
Cisco & Design Strategy & Hardware & Network Management & Routers & Switches 24 Aug 2007 11:28 pm
Upon us all a little rain must fall.
Led Zeppelin said it best I guess. This past week Ohio along with lots of other states got hit with the remains of Hurricane Dean. So far it has been the most damaging storm for my clients in my short consulting career. The first call came on Tuesday morning August 21st. That call was from one of our account managers who indicated a client had sustained catastrophic damage to their 6509 when water rushed into their core network closet. My first two thoughts were how quickly can we get replacement hardware and how long should it take for me to get them back up and going?
*NIX & Apple & Cisco & Design Strategy & LDAP & OS X & Open Directory & PIX/ASA & Security 10 Aug 2007 10:18 am
ASA LDAP Auth the nice and easy way.
Ok so I have been beating my head on ASA to LDAP auth (temporary fix till my client spins up RADIUS) but thanks to the great LDAP group at Cisco TAC I’m up and working. The point of this post is to take what we tend to know about LDAP client configs and adjust it for what Cisco has setup in PIX IOS 8.
Cisco 08 Aug 2007 02:20 pm
The King has left the building…err…the web. (Final Update)
That’s right kiddies. Cisco.com is off line. I have a pending case with TAC in which I was supposed to download files with special access. Stay tuned for that story later. However as I tried to get the files all my attempts to contact anything off of the Cisco main page came up dead. I confirmed this from an iPhone on AT&T, my XV6700 on Verizon, as well as a network off of the State of Ohio Backbone. With my homework done I contacted an engineer at Cisco who confirmed… “Yep we are down…not one of our best days. We should be back online sometime later tonight.” My engineer is in the eastern time zone with me and it was 3pm when he told me this so sounds like they are on the mat for a few more hours. Not sure what the problem is or how widespread, but I’ll wager that this costs someone their job and Cisco a lot of money.
Cisco & Wireless 07 Aug 2007 05:32 pm
Bridge Building Geek Style
One of the Cisco Sales reps I work for called me a few months back and said hey why don’t we use a Cisco Wireless setup and client X to save them a bunch of money? My reply was…crap why didn’t I think of that followed by sure let me get to working on it. In the end we provided a solution that used Cisco 1240 A/G radios, two 5GHz Point to Point panel antennas. We also got to use the 2.4 Radios for WiFi access on the insides of the buildings that the 5GHz bridge was serving. Currently I am completing the config but once I have it all done I am going to post the juicy bits (sanitized to protect the client of course) as well as a few pics if the client will permit me to do so.
My company has done quite a few of these in the past. However this was my first go at a Wireless bridge setup. As usual with new projects I was a bit nervous but in the end I have been amazed at how smooth the whole thing went. Wireless connectivity has really jumped a level in my mind now. It was interesting though when I called one of our designers and then one of our engineers and asked “so now that my link is up how do I test the link quality and speed?” The answer was I’m really not sure they just work. For the moment I accepted the answer but in the end I have been troubleshooting a few things and I added my question to the list of things I wanted to solve by the time I handed it off to the client.
Cisco & Network Management & OS X & PIX/ASA & Security & Software 13 Jun 2007 08:52 am
Now by the power invested in java runtime I heal you ASDM!!!!!
Anyone who has tried to run Cisco’s ASDM (ASA Security Device Manager) with an IPS unit installed and running probably already knows where this is going. Under Configuration and IPS you are provided a link that connects the browser window (ASDM) to the management interface of the IPS SSM module for the ASA. From there you are presented with an ASA-like login which is where the problems begin. If you are running the default java config the IPS screen will crash stating that you do not have enough memory allocated for java. In both Windows and Linux the solutions for this are pretty straightforward. In OS X however much searching and digging did not reveal the magic spot to change the memory settings. That’s where I come in.
Cisco & Errata & PIX/ASA & Security 09 May 2007 08:59 pm
Digital Demons, let’s cast them out of our digital homes.
Back on March 19th of this year I posted, “Three weeks in two, bah who needs sleep.”, I must have lied because between those two weeks and the subsequent crazy weeks following I pretty much fell off the map. During the aforementioned two weeks though I visited Ottawa, Canada for Sales and Engineering training for CryptoCard. For me trips like this are exciting not for the trip but for the time I get to spend with other professionals learning, hanging out and passing on our tricks to each other. During a break on the training routine our instructor Patrick posed a question something to the effect of; if we don’t like spam and attacks and we know that 20 to 30% of all spam and attacks come from North Korea and China then why don’t we block them at the edge?








