Category Archive: PIX/ASA
*NIX & Apple & Cisco & PIX/ASA & Security 14 Jan 2008 03:01 pm
Captain, the warp subsystems are down, what should we do?!!!
Over the last two years I have become quite the Mac/OS X fan. For years I was down on Apple and to this day think I had every right to be. But with OS 10.4 and now 10.5 they have created a powerful and flexible Unix distribution for the general user and the power users. However, I have from time to time noticed funky issues with software such as the Cisco IPsec VPN client.
Most recently, in 10.5.1, I kept getting an error that the VPN subsystem could not be contacted. Well, here is the fix from Nate:
“If you are running Cisco’s VPNClient on Mac OS X, you might be familiar with (or tormented by) ‘Error 51: Unable to communicate with the VPN subsystem’. The simple fix is to quit VPNClient, open a Terminal window (Applications -> Utilities -> Terminal) and type the following:
sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart
and give your password when it asks. This will stop and start the ‘VPN Subsystem’, or in other words restart the CiscoVPN.kext extension.”
Thanks, Nate, and I hope this helps everyone else out there keep their warp core under control... later!
ACL & Cisco & PIX/ASA & Security 10 Dec 2007 08:11 am
The Magical Disappearing ASA ACL.
I was on a client site about a month ago finishing an ASA install running PIX IOS 7.2.3. We were moving the client from flat ACLs to object-group-based ACLs, object groups and named hosts. But for whatever reason we were having problems with the ACL. So from the command line I planned on using the tried and true no access-list “ACL NAME” to get rid of the offending ACL and start over. I was confused when the ACL did not go away. Well, in reading 6200networks yesterday I came across the answer. From global config mode use clear configure access-list “id” and it should take care of that troublesome ACL. Thanks to Joe at 6200networks for the info.
*NIX & Consulting & DNS & Design Strategy & PIX/ASA 07 Sep 2007 10:37 am
Always flush when you’re done!!!
One of my clients has had their web server exposed to the wild world of the internet now for several years. Up until about a year and a half ago many systems on their network actually had IP ANY ANY statements cut through from the outside of their firewall to the inside. However, it has been one of my many jobs since I started with them to eradicate these problems and start securing their infrastructure. The firewall changes have been easy for the most part, and any problems that remain are policy issues that we are working to eliminate. However, their web server sitting outside of the firewall has been an ongoing issue, and due to some anomalies on the server they are deploying the recommended DMZ and migrating their web server there.
Continue Reading »
*NIX & Apple & Cisco & Design Strategy & LDAP & OS X & Open Directory & PIX/ASA & Security 10 Aug 2007 10:18 am
ASA LDAP Auth the nice and easy way.
OK, so I have been beating my head on ASA to LDAP auth (a temporary fix until my client spins up RADIUS), but thanks to the great LDAP group at Cisco TAC I’m up and working. The point of this post is to take what we tend to know about LDAP client configs and adjust it for what Cisco has set up in PIX IOS 8.
Continue Reading »
Cisco & Network Management & OS X & PIX/ASA & Security & Software 13 Jun 2007 08:52 am
Now, by the power vested in the Java runtime, I heal you, ASDM!!!!!
Anyone who has tried to run Cisco’s ASDM (ASA Security Device Manager) with an IPS unit installed and running probably already knows where this is going. Under Configuration and IPS you are provided a link that connects the browser window (ASDM) to the management interface of the IPS SSM module for the ASA. From there you are presented with an ASA-like login, which is where the problems begin. If you are running the default Java config, the IPS screen will crash stating that you do not have enough memory allocated for Java. In both Windows and Linux the solutions for this are pretty straightforward. In OS X, however, much searching and digging did not reveal the magic spot to change the memory settings. That’s where I come in.
Continue Reading »
Cisco & Errata & PIX/ASA & Security 09 May 2007 08:59 pm
Digital demons, let’s cast them out of our digital homes.
Back on March 19th of this year I posted “Three weeks in two, bah who needs sleep.” I must have lied, because between those two weeks and the subsequent crazy weeks following I pretty much fell off the map. During the aforementioned two weeks, though, I visited Ottawa, Canada for sales and engineering training for CryptoCard. For me, trips like this are exciting not for the trip but for the time I get to spend with other professionals learning, hanging out and passing on our tricks to each other. During a break in the training routine our instructor Patrick posed a question, something to the effect of: if we don’t like spam and attacks, and we know that 20 to 30% of all spam and attacks come from North Korea and China, then why don’t we block them at the edge?
Continue Reading »
Cisco & PIX/ASA 09 Feb 2007 12:35 pm
ASA VPN Commands to Remember
From time to time I’ll just post these quick little snippets of code. Honestly, this is so I have a reference for them in the future. This set comes from troubleshooting why my VPN would connect but not allow me to see the networks I had allowed in my VPN group ACE.
This command allows the ASA to detect VPN clients behind NAT devices and encapsulates the traffic into UDP on port 4500.
crypto isakmp nat-traversal 20
Cisco & PIX/ASA 01 Feb 2007 08:19 pm
Cisco PIX to ASA, not what it seems.
Well, I am still behind in getting configs published. But please know that they are coming. This is a hobby for me, and like most hobbies it is lower in my priority queue than work and family. One of the items that took priority this week was a conversion from a pair of PIX 515s to ASA 5540s with AIP-20s.
I learned a lot about traffic, hardware limitations and marketing with this project. This whole project started shortly after an upgrade from a DSL to their upstream provider to a 100 Mbit circuit. Along with the circuit upgrade, the customer also started using a web app provided by their upstream provider that generated a lot of connections but not a lot of bandwidth. To make a long story short, we ended up having sudden outages that would come and go with no explanation... that is, until I checked the connections on their PIX 515. During outages they were running between 148,000 and 160,000 connections, and their PIX was designed to handle 120,000. We could have performed connection tuning on the PIX, but the client was ready to move on to an ASA.
Continue Reading »