Posts Tagged Cisco

Getting Windows 8 to work with Cisco VPN Client

I got stuck with Windows 8 pre-installed; let's just say I won't be buying from NewEgg anymore, sadly. Efforts to install Windows 7, even after negotiating UEFI, failed; I believe that the BIOS has been specifically munged to thwart the 7 install. Asus simply says you can't go back.

So why I hate Windows 8 starts with the fact that I am a business/tech user: I don't need to draw pictures for my mother or swipey swipey with my finger. I need VPNs to work and the ASDM software to work.

Tip #1: How to get Cisco VPN Client to work with Windows 8
Open the Registry Editor by typing regedit at a command prompt.
Browse to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
Select the DisplayName value to modify, and delete the leading characters in front of "Cisco".

For x64, change the value data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows" to "Cisco Systems VPN Adapter for 64-bit Windows".
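The same registry edit scripted in Python, as an added example that is not from the post: it uses the standard winreg module (Windows only), defaults to a dry run so the old and new value can be inspected before anything is written, and leaves the value alone when the prefix is already gone.

```python
try:
    import winreg  # standard library, but it only exists on Windows
except ImportError:
    winreg = None

# Key and value named in the post; the edit is the same on 32- and 64-bit.
CVIRTA_KEY = r"SYSTEM\CurrentControlSet\Services\CVirtA"
VALUE_NAME = "DisplayName"

def fixed_display_name(value: str) -> str:
    """Strip everything before 'Cisco' (e.g. the '@oem8.inf,%CVirtA_Desc%;' prefix)."""
    idx = value.find("Cisco")
    return value[idx:] if idx > 0 else value   # already clean or no 'Cisco': unchanged

def repair_cvirta_display_name(dry_run: bool = True):
    """Return (old, new); the new value is written only when dry_run is False."""
    if winreg is None:
        raise RuntimeError("the registry is only reachable on Windows")
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    if not dry_run:
        access |= winreg.KEY_SET_VALUE       # writing needs an elevated prompt
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CVIRTA_KEY, 0, access) as key:
        old, kind = winreg.QueryValueEx(key, VALUE_NAME)
        new = fixed_display_name(old)
        if new != old and not dry_run:
            winreg.SetValueEx(key, VALUE_NAME, 0, kind, new)   # keep the REG_SZ type
    return old, new

if __name__ == "__main__":
    print("%r -> %r" % repair_cvirta_display_name(dry_run=True))
```

Run it once as a dry run, check the printed pair, then call repair_cvirta_display_name(dry_run=False) from an elevated prompt.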

Upgrading your Pix to an ASA

One of the things we do is specialize in upgrading Pix configurations to ASA implementations. We don't run the Cisco tool, as we would rather work with the network administrator to understand their policies and make sure not only that the intent is met but also that their brand new ASA isn't filled with a lot of meta-labels.

One thing that recently slipped through was that the "non-printable defaults" for Pix and ASA don't show some of the intricacies of PAP vs. MS-CHAP authentication. Be prepared to regenerate the authentication group from scratch if using CHAP.

I get asked a lot how to view the tunnel keys or tunnel group passwords. To view them you can do one of two things:

1) TFTP the config file to a server and look at it there

or

2) On ASAs, issue the command (without the quotes, y'all):
"more system:running-config"

Cisco VPN X64 support…. or not.

Okay, if you read this http://www.cisco.com/web/software/282364316/31835/5.0.07.0240-beta-rel-notes.txt it says that x64 support for Windows 7 and Vista is finally here. It's just that it also says that 64-bit isn't supported.

Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall such as a Cisco ASA, I could only get 1 address to respond from offsite.

The first problem was solved by going to DSLReports.com: you have to call Verizon and convince them to instant message the group that runs the ONTs (the termination that is onsite) to set the MAC filter to 5.

After that only 1 IP address worked per device. The addresses could ping each other, but Verizon-served traffic could not see me. A quick tcpdump of the external segment showed the problem:

arp who-has 98.109.50.34 (00:1e:4a:87:32:59) tell 0.0.0.0
arp who-has 98.109.50.35 (00:1d:70:26:3c:53) tell 0.0.0.0

The address 0.0.0.0 is slightly illegal: the ASA ignores the ARP request and the Verizon gateway never binds the MAC to the translated IP addresses. This means that inbound static addresses didn't work and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug; the Alcatel equipment was partially to blame, and I would imagine that the (non-professional) "firewall" that comes with the account had been modified to respond to an ARP request from 0.0.0.0. They projected it would be fixed Q1 of the next year… that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it was responding to an ARP request.

arp reply 98.109.50.36 is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely; all it took was a Linux system and the Perl script below. I don't believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower-layer traffic can, using the ethertype command, but ARPs get absorbed. I haven't tried proxy-arp to see if it relays the bogus advertisement, as it breaks so many rules of paranoia that I doubt that the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMWare stack and am running a virtual Linux machine for the sole purpose of “poisoning” the ARP table. The FIOS service itself screams, though we wouldn’t ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.

Bil Herd

#!/usr/bin/perl
use strict;
use warnings;
use Net::ARP;

# Net::ARP::send_packet takes: device, source IP, destination IP,
# source MAC, destination MAC, ARP operation ('request' or 'reply').
for (;;) {
    Net::ARP::send_packet(
        'eth0',                # Device
        '98.109.50.1',         # Verizon gateway, not really 0.0.0.0 of course
        '98.109.50.36',        # address that we want Verizon to respond to
        '00:1E:EC:9F:DB:67',   # Source MAC: MAC of our address
        '00:1d:70:26:cc:53',   # Destination MAC address for the ARP frame
        'reply'                # ARP operation
    );
    print "packet sent\n";
    sleep(30);                 # repeat every 30 seconds or so
}

To install the Net::ARP module using CPAN:

perl -MCPAN -e 'install Net::ARP'
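The same workaround, plus a decoder for the capture lines quoted above, in Python as an added example (not the post's script): it builds and parses raw Ethernet/ARP frames, prints them in tcpdump's who-has/is-at form, and flags requests whose sender address is 0.0.0.0, the condition the post describes the ASA ignoring. The IP and MAC addresses are sample values taken from the post, and send_frame assumes Linux with CAP_NET_RAW.

```python
import socket
import struct

ETH_P_ARP = 0x0806  # EtherType for ARP

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op: int, sender_ip: str, sender_mac: str,
              target_ip: str, target_mac: str) -> bytes:
    """Ethernet II frame carrying one ARP packet (op 1 = request, 2 = reply)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Decode the ARP fields of an Ethernet frame; ValueError if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }

def describe(frame: bytes) -> str:
    """One tcpdump-style line in the format of the capture quoted in the post."""
    a = parse_arp(frame)
    if a["op"] == 1:
        return f"arp who-has {a['target_ip']} ({a['target_mac']}) tell {a['sender_ip']}"
    return f"arp reply {a['sender_ip']} is-at {a['sender_mac']}"

def has_zero_sender(frame: bytes) -> bool:
    """Flags the 'tell 0.0.0.0' requests that the post says the ASA ignores."""
    return parse_arp(frame)["sender_ip"] == "0.0.0.0"

def send_frame(iface: str, frame: bytes) -> None:
    """Emit a frame on a Linux interface (AF_PACKET raw socket; needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        s.send(frame)
```

Calling send_frame("eth0", build_arp(2, "98.109.50.36", "00:1d:70:26:2c:53", "98.109.50.1", "00:1e:ec:9f:db:67")) in a loop with a 30 second sleep does what the Perl script above does.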

How to Install Cisco VPN Client on Windows 7

This appears to be typical of what is needed to get Windows 7 to live with Cisco VPN client:
http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx

QM FSM error

Getting "QM FSM error" while establishing a Cisco VPN? Particularly site-to-site, and even more particularly with IOS on one end and a Pix/ASA on the other?

Go to the Pix/ASA side and remove Perfect Forward Secrecy (PFS). Rather than tell you it's incompatible, it just barfs because it can't read it (because it's, you know… encrypted).

Example:
no crypto map outside 1 set pfs group2

If anyone finds a better error message than the ubiquitous “QM FSM error” let me know and I will post it.

Trunking on Home and Small Office Switches

I bought a couple of the Cisco/Linksys SLM200x series gigabit switches (SLM2005, SLM2008) for under $100 each. I wasn't going to go for hundreds of dollars to get an IOS switch like I am used to, plus the IOS stuff is still 10/100 for the bulk of the ports.

I was really happy to see the "Enable Jumbo Frames" check-box; I started to suspect that I could use one wire to connect two networks while keeping them separate. Jumbo frames means a packet that is 4 bytes bigger than a standard Ethernet packet can still get through.

What's 4 bytes bigger? A packet that has been tagged with 802.1q trunking protocol headers. What's interesting about 802.1q is that the native VLAN is still the normal size; I suspect there is a lot of equipment out there that works because the native packet makes it through while the trunked packets appear too alien to get any further. Cisco's trunking protocol Inter-Switch Link (ISL) encapsulates every VLAN, which means that you can't be flipping and trunking the interconnects between two switches without running to each side of the connection or being very careful in the order you do things.
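To make the 4-byte arithmetic concrete, here is an added Python example (not from the post) that inserts and strips an 802.1Q tag, shows that a full-size tagged frame is 1522 bytes against the classic 1518-byte limit, and mirrors the native-VLAN behaviour described above: a trunk sends the native VLAN untagged and every other VLAN tagged. The frame contents are constructed sample bytes.

```python
import struct

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag
MAX_UNTAGGED = 1518     # Ethernet II max frame incl. FCS (1500-byte payload)

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag right after the source MAC (offset 12)."""
    if not 1 <= vlan_id <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("bad VLAN id or priority")
    tci = (pcp << 13) | vlan_id             # PCP(3 bits) | DEI(1)=0 | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vlan_id or None for an untagged frame, frame without the tag)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

def egress(frame: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """What a trunk port emits: native VLAN untagged, every other VLAN tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)

def fits_without_jumbo(frame: bytes) -> bool:
    """False for a tagged max-size frame: 1522 bytes, 4 over the 1518 limit."""
    return len(frame) <= MAX_UNTAGGED

def sample_max_frame() -> bytes:
    """Constructed full-size IPv4 frame: 14-byte header, 1500 payload, 4 FCS."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x00"
    return header + b"\x00" * 1500 + b"\x00" * 4
```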

In my case I have a business VLAN I wanted separate from a test VLAN, and then on top of that I had VoIP. To do trunking I made sure the native VLANs lined up on both ends and then selected a 2nd VLAN on both sides of the link between the two switches using the VLAN selector in the web-based configuration. I checked "allow jumbo frames" and, for good measure, I disabled the egress filters that select tagged packets, even though there was a setting for "all" packets.

Now you can break out a single port by making it a member of just the 2nd VLAN. In my case I spent $20 for a new gigabit Intel Ethernet card for the desktop and brought the trunk right into the desktop. Again I made the native VLAN line up and selected the next VLAN. My system now shows a total of three connectoids in Windows: one for the natural interface and one each for each VLAN. I get IP addresses and DNS from 2 DHCP servers on two separate networks.

Oh yeah, you have to reboot the switches after doing this much to them; I suspect that they need to build some forwarding tables from scratch.

Other nice things about the SLM series, other than that they are manageable in general: there are several ways to set up QoS, port-based or by traffic type, and you can modify the priority mechanism a little or go to strict priority. Just setting the port my phone was plugged into to be a high-priority port with strict priority yielded the first 98% of the results I was looking for.

They also do port monitoring for sniffing and have a full multi-VLAN Spanning Tree implementation including portfast. The device is sold as a Light Managed switch, but for SOHO it's as managed as I needed, especially with VLANs at gigabit speeds; I am cutting down on a few cables by sharing.

PDM to Cisco Pix not working

First pointed out to me by my tech Rob: some of the Cisco PIX/PDM combinations won't make a connection on the outside interface in spite of being properly configured. Try SSHing to the external interface and then check the PDM again. I have seen this almost half a dozen times in the last couple of years; the last was PIX software version 6.3(5) running PDM 3.0(1).
