export http_proxy=http://:port
3750-X route-map for wireless access
29/12/2012
!
interface Vlan100
 ip address 172.16.255.254 255.255.0.0
 ip helper-address 172.16.255.250
 ip pim sparse-mode
 ip policy route-map ROUTE-PROXY-TRAFFIC-POLICY
!
! web traffic from the wireless subnet (steered to the proxy by the route-map)
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq 443
!
! IPsec from the wireless subnet: ESP (IP protocol 50), AH (IP protocol 51), ISAKMP and NAT-T.
! The post had "permit ip ... eq 50" / "eq 51", which IOS rejects: "eq" is a port match,
! and ESP/AH are IP protocols, so they are matched by protocol keyword instead.
access-list 102 permit esp 172.16.1.0 0.0.0.255 any
access-list 102 permit ahp 172.16.1.0 0.0.0.255 any
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 500
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 4500
!
! sequences are tried lowest first: IPsec (ACL 102) goes to 172.16.255.253,
! web (ACL 101) to 172.16.255.252; anything else falls through to normal routing
route-map ROUTE-PROXY-TRAFFIC-POLICY permit 10
 match ip address 102
 set ip next-hop 172.16.255.253
!
route-map ROUTE-PROXY-TRAFFIC-POLICY permit 50
 match ip address 101
 set ip next-hop 172.16.255.252
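As an added illustration (not part of the original post), the following Python model evaluates the route-map above against a few sample packets, using IOS wildcard-mask semantics and the lowest-sequence-first order of the route-map. The packet model, the IANA protocol numbers (6 tcp, 17 udp, 50 esp, 51 ah) and the sample packets are assumptions made for this example; ACL 102 is modelled as matching ESP and AH by protocol, which is what the "50"/"51" lines intend.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Assumed packet model for this illustration; protocol numbers are the IANA values
# (6 tcp, 17 udp, 50 esp, 51 ah). Destination is "any" in every ACL line of the post,
# so only source address, protocol and destination port are modelled.
@dataclass(frozen=True)
class Packet:
    src: str
    proto: int
    dport: Optional[int] = None


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 0 bit must match, a 1 bit is ignored (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# One access-list entry: (ip protocol, source network, source wildcard, destination port or None)
ACE = Tuple[int, str, str, Optional[int]]

ACL_101: List[ACE] = [          # web traffic from the wireless subnet
    (6, "172.16.1.0", "0.0.0.255", 80),
    (6, "172.16.1.0", "0.0.0.255", 443),
]
ACL_102: List[ACE] = [          # IPsec from the wireless subnet
    (50, "172.16.1.0", "0.0.0.255", None),   # esp
    (51, "172.16.1.0", "0.0.0.255", None),   # ahp
    (17, "172.16.1.0", "0.0.0.255", 500),    # isakmp
    (17, "172.16.1.0", "0.0.0.255", 4500),   # nat-t
]


def acl_permits(acl: List[ACE], pkt: Packet) -> bool:
    """First matching entry wins; the implicit 'deny any' at the end of every IOS ACL returns False."""
    for proto, net, wildcard, dport in acl:
        if pkt.proto == proto and wildcard_match(pkt.src, net, wildcard) and (dport is None or pkt.dport == dport):
            return True
    return False


# route-map ROUTE-PROXY-TRAFFIC-POLICY as (sequence, acl, next-hop); lowest sequence is tried first
ROUTE_MAP = [
    (10, ACL_102, "172.16.255.253"),
    (50, ACL_101, "172.16.255.252"),
]


def policy_next_hop(pkt: Packet) -> Optional[str]:
    """Return the PBR next-hop for pkt, or None when no sequence matches (packet is routed normally)."""
    for _seq, acl, next_hop in ROUTE_MAP:
        if acl_permits(acl, pkt):
            return next_hop
    return None


if __name__ == "__main__":
    # constructed sample packets: a wireless client, and a host outside the policy's subnet
    for pkt in (Packet("172.16.1.20", 6, 443), Packet("172.16.1.20", 17, 4500),
                Packet("172.16.1.20", 6, 22), Packet("172.16.2.9", 6, 80)):
        print(pkt, "->", policy_next_hop(pkt) or "normal routing")
```

The last two sample packets show the two ways traffic escapes the policy: a permitted source using a port neither ACL lists, and a source outside 172.16.1.0/24 (which the 0.0.0.255 wildcard excludes) even on a listed port.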
Visio Auto-Connect
29/12/2012
If you actively use Visio and are as fed up with AutoConnect as I was, this is for you!
Enable or disable AutoConnect in all drawings
- On the Tools menu, click Options.
- Click the General tab.
- Under Drawing window options, select the Enable AutoConnect check box.
Banner MOTD #
29/12/2012
A banner should be an informational warning/notification, not a welcome to my device. I love a good banner and ASCII art; it makes it all the more fun.
banner motd #
_~_
. / ^ -\ .
|\| (o) (o) |/|
|—–.OOOo–U–oOOO.——————|
| |
| * Authorised Access Only * |
| |
|_______________Oooo.__________________|
.oooO ( )
( ) ) /
\ ( (_/
\_)
This host is: $(hostname)
#
!
Cisco WLC 7.x future Wireless QOS capabilities
11/12/2012
Having a need to look at a converged network/telephony strategy with Microsoft LYNC, and a request (not a requirement) for users to be able to access LYNC telephony over a Cisco wireless solution, I had got to the point of considering how to run ATM over a lightweight solution, thinking a little out of the box.
Along came AVC. It certainly looks like a great step forward and I can't wait to have an opportunity to play.
http://www.youtube.com/watch?feature=player_detailpage&v=h6ZLSc_lYEg
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf
Cisco ASA ASDM logging filters
09/12/2012
I was looking at applying some filters to the ASDM logging viewer the other day and spent 5 minutes adding one of each type just to see what would be seen within the configuration. It's pretty straightforward and very similar to Wireshark filters. NB the use of a ";" where multiple filters are applied.
ASA Firewall Filters:
# Only source IP: FILTER:srcIP=172.16.0.50
# Only port 21: FILTER:srcPort=21;
# Source IP and port 21: FILTER:srcIP=172.16.0.50;FILTER:srcPort=21;
# Destination IP: FILTER:dstIP=10.206.164.41;
# Severity Level (4=WARNINGS): FILTER:sev=4;
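As an added example, not from the original post: a small Python parser for this FILTER syntax, applied to a few constructed ASA syslog lines. It treats multiple FILTER: terms as ANDed conditions (so srcIP plus srcPort narrows, as the third line above shows), accepts the trailing ";" as optional, and rejects tokens it does not understand rather than silently matching everything. The log line formats, addresses and message IDs are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ASA syslog lines (not taken from the original post)
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:172.16.0.50/21 dst inside:10.206.164.41/443 by access-group "OUTSIDE-IN"',
    '%ASA-6-302013: Built inbound TCP connection 77 for outside:172.16.0.50/40001 (172.16.0.50/40001) to inside:10.206.164.41/22 (10.206.164.41/22)',
    '%ASA-4-106023: Deny udp src outside:203.0.113.9/53 dst inside:10.206.164.41/53 by access-group "OUTSIDE-IN"',
    '%ASA-6-302014: Teardown TCP connection 78 for outside:198.51.100.7/21 to inside:10.206.164.9/35000 duration 0:00:01 bytes 512 TCP FINs',
]

# Filter keys shown in the post; each constrains one field of the parsed log line
FILTER_KEYS = {"srcIP", "dstIP", "srcPort", "dstPort", "sev"}

# Severity is the single digit after "%ASA-"; the message ID follows it
SEV_RE = re.compile(r"^%ASA-(\d)-(\d+):")
# Endpoints appear as "src if:ip/port ... dst if:ip/port" (106023-style)
# or "for if:ip/port ... to if:ip/port" (302013/302014-style)
ENDPOINTS_RE = re.compile(
    r"(?:src|for) [\w-]+:(?P<srcIP>[\d.]+)/(?P<srcPort>\d+)"
    r".*?(?:dst|to) [\w-]+:(?P<dstIP>[\d.]+)/(?P<dstPort>\d+)"
)


def parse_filter(spec: str) -> Dict[str, str]:
    """Parse 'FILTER:key=value;FILTER:key=value;' into a dict. The trailing ';' is optional."""
    conditions: Dict[str, str] = {}
    for token in spec.split(";"):
        token = token.strip()
        if not token:
            continue
        if not token.startswith("FILTER:") or "=" not in token:
            raise ValueError(f"malformed filter token: {token!r}")
        key, value = token[len("FILTER:"):].split("=", 1)
        if key not in FILTER_KEYS:
            raise ValueError(f"unsupported filter key: {key!r}")
        conditions[key] = value
    return conditions


def parse_log(line: str) -> Optional[Dict[str, str]]:
    """Extract severity, message ID and the src/dst endpoints from one ASA syslog line; None if unparseable."""
    sev = SEV_RE.match(line)
    ends = ENDPOINTS_RE.search(line)
    if not sev or not ends:
        return None
    fields = ends.groupdict()
    fields["sev"] = sev.group(1)
    fields["msgid"] = sev.group(2)
    return fields


def apply_filter(spec: str, lines: List[str]) -> List[str]:
    """Return the lines matching every condition in spec (multiple FILTER: terms are ANDed)."""
    conditions = parse_filter(spec)
    matches = []
    for line in lines:
        fields = parse_log(line)
        if fields and all(fields.get(key) == value for key, value in conditions.items()):
            matches.append(line)
    return matches


if __name__ == "__main__":
    for spec in ("FILTER:srcIP=172.16.0.50", "FILTER:srcPort=21;",
                 "FILTER:srcIP=172.16.0.50;FILTER:srcPort=21;",
                 "FILTER:dstIP=10.206.164.41;", "FILTER:sev=4;"):
        print(f"{spec:45} -> {len(apply_filter(spec, SAMPLE_LOGS))} line(s)")
```

Lines the endpoint regex cannot parse (messages with no address pair) are skipped rather than matched, so a filter never over-reports; extend ENDPOINTS_RE if the message IDs you care about use a different layout.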
DMVPN with EIGRP
05/12/2012
hostname VPN-Router-1
!
! one keyring per front-door VRF; the names below are the ones the ISAKMP profiles reference
! (the post defined both as DMVPN-KEYRING, which neither profile matched)
! a 0.0.0.0 0.0.0.0 address accepts any peer, so the key alone identifies a spoke
crypto keyring DMVPN-KEYRING-ONE vrf INET-PUBLIC-ONE
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco101
!
crypto keyring DMVPN-KEYRING-TWO vrf INET-PUBLIC-TWO
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco202
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp profile ISAKMP-INET-PUBLIC-PROF-1
 keyring DMVPN-KEYRING-ONE
 match identity address 0.0.0.0 INET-PUBLIC-ONE
!
crypto isakmp profile ISAKMP-INET-PUBLIC-PROF-2
 keyring DMVPN-KEYRING-TWO
 match identity address 0.0.0.0 INET-PUBLIC-TWO
!
! transport mode: used for devices behind a NAT
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
! each IPsec profile points at an ISAKMP profile defined above
! (the post referenced FVRF-ISAKMP-INET-PUBLIC and ISAKMP-INET-PUBLIC-TWO, which are not defined anywhere)
crypto ipsec profile DMVPN-PROFILE-ONE
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile ISAKMP-INET-PUBLIC-PROF-1
!
crypto ipsec profile DMVPN-PROFILE-TWO
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile ISAKMP-INET-PUBLIC-PROF-2
!
interface Tunnel11
 ! bandwidth: the available bandwidth of the underlying link, in kbit/s
 bandwidth 10000
 ip address 10.11.11.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! tunnel vrf names the front-door VRF the ISAKMP profile matches on
 ! (the post had "tunnel vrf INET-PUBLIC" on both tunnels, which matches neither profile)
 tunnel vrf INET-PUBLIC-ONE
 tunnel protection ipsec profile DMVPN-PROFILE-ONE
 ip nhrp authentication cisco111
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp redirect
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip hello-interval eigrp 100 20
 ip hold-time eigrp 100 60
 no ip split-horizon eigrp 100
!
interface Tunnel12
 bandwidth 10000
 ip address 10.12.12.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC-TWO
 tunnel protection ipsec profile DMVPN-PROFILE-TWO
 ip nhrp authentication cisco222
 ip nhrp map multicast dynamic
 ! the post uses network-id 101 on both tunnels; a distinct id per DMVPN cloud is the usual practice
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp redirect
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip hello-interval eigrp 200 20
 ip hold-time eigrp 200 60
 no ip split-horizon eigrp 200
!
! the post listed "router eigrp 101" twice; the two fragments are merged into one process here.
! the tunnel timer commands above reference AS 100 and 200, so align those with the AS that
! actually runs on each tunnel
router eigrp 101
 network 10.11.11.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel11
 eigrp router-id 10.11.11.1
 redistribute eigrp [EIGRP AS] route-map SET-ROUTE-TAG-DMVPN
 no auto-summary
!
! the post had "router eigrp 100]" with "redistribute eigrp 100"; a process cannot redistribute
! itself, so this is read as the reverse direction of the redistribution above
router eigrp 100
 redistribute eigrp 101
!
route-map SET-ROUTE-TAG-DMVPN permit 10
 match interface Tunnel10
 set tag DMVPN-EXTERNAL
!
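A template like this is easy to break with a renamed keyring, profile or VRF, and IOS accepts most such dangling references at configuration time and only fails at tunnel bring-up. Here is an added check (not from the post): a Python script that cross-references the crypto and tunnel sections of an IOS configuration and reports names that are referenced but never defined. The sample configuration inside it is constructed for the example and deliberately contains the kind of mismatches that creep into hand-edited templates; the regexes cover only the command forms shown.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed IOS snippet (not the post's own config). Three references are deliberately
# dangling: the keyring is defined as DMVPN-KEYRING but referenced as DMVPN-KEYRING-ONE,
# the IPsec profile names an ISAKMP profile that does not exist, and the tunnel's front-door
# VRF is spelled differently from the one defined.
SAMPLE_CONFIG = """\
vrf definition INET-PUBLIC-ONE
 address-family ipv4
!
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC-ONE
 pre-shared-key address 0.0.0.0 0.0.0.0 key EXAMPLE-PSK
!
crypto isakmp profile ISAKMP-PROF-1
 keyring DMVPN-KEYRING-ONE
 match identity address 0.0.0.0 INET-PUBLIC-ONE
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE-ONE
 set transform-set TS
 set isakmp-profile FVRF-ISAKMP-PROF
!
interface Tunnel11
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE-ONE
"""

# Where each kind of object is defined (first capture group is the name)
DEFINITIONS = {
    "vrf": re.compile(r"^\s*(?:vrf definition|ip vrf) (\S+)"),
    "keyring": re.compile(r"^\s*crypto keyring (\S+)"),
    "isakmp-profile": re.compile(r"^\s*crypto isakmp profile (\S+)"),
    "transform-set": re.compile(r"^\s*crypto ipsec transform-set (\S+)"),
    "ipsec-profile": re.compile(r"^\s*crypto ipsec profile (\S+)"),
}

# Where each kind of object is referenced by name
REFERENCES = {
    "vrf": [
        re.compile(r"^\s*crypto keyring \S+ vrf (\S+)"),
        # "match identity address A.B.C.D [MASK] VRF": one or more dotted quads, then a name
        re.compile(r"^\s*match identity address (?:[\d.]+ )+([A-Za-z]\S*)$"),
        re.compile(r"^\s*tunnel vrf (\S+)"),
    ],
    "keyring": [re.compile(r"^\s*keyring (\S+)")],
    "isakmp-profile": [re.compile(r"^\s*set isakmp-profile (\S+)")],
    "transform-set": [re.compile(r"^\s*set transform-set (\S+)")],
    "ipsec-profile": [re.compile(r"^\s*tunnel protection ipsec profile (\S+)")],
}


def find_dangling(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, object kind, name) for every reference to an undefined object."""
    defined: Dict[str, Set[str]] = {kind: set() for kind in DEFINITIONS}
    referenced: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):   # skip blanks and comment lines
            continue
        for kind, pattern in DEFINITIONS.items():
            match = pattern.match(line)
            if match:
                defined[kind].add(match.group(1))
        for kind, patterns in REFERENCES.items():
            for pattern in patterns:
                match = pattern.match(line)
                if match:
                    referenced.append((lineno, kind, match.group(1)))
    # definitions may appear after the reference, so resolve only once the whole file is read
    return [(n, kind, name) for n, kind, name in referenced if name not in defined[kind]]


if __name__ == "__main__":
    for lineno, kind, name in find_dangling(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {name!r} is referenced but never defined")
```

Run it against `show running-config` output before pushing a change; an empty result means every keyring, ISAKMP profile, IPsec profile, transform-set and front-door VRF the tunnels depend on actually exists.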
Export Netflow over IPSEC
02/12/2012
One of my earlier posts covered routing Netflow exports to a server over IPSEC. The previously covered method relied on GRE tunnels and loopback interfaces to forward the export to a central router, which in turn forwarded it on to the collector.
The question of why bother, and why not just use a Cisco ASA to terminate the VPN, could be raised; I guess the requirements and the methods of outgoing connectivity will have an input. However, the ASA will support exporting Netflow over an IPSEC tunnel with no funky workarounds. The two key things to remember are:
- Add the collector to your INSIDE interface
- Ensure the collector is covered by Interesting traff