Tuesday, 12 November 2019

Firepower VPN Filter via Flexconfig


The following information is provided as is, with no guarantee that it works, and no support will be provided! Test in a lab before deploying in production.

If you don't know what you're doing hire a trained engineer!



VPN filter for site-to-site VPN is not supported from the GUI in Firepower; see CSCvj86972.


You have to create a new group policy and attach it to the tunnel-group.
Create your VPN configuration and save it.

Assuming that Remote VPN peer IP = 10.10.10.10

Do the following:


1) Under Objects, create an extended access list named VPN_FILTER to be used as the VPN filter. This ACL is your actual VPN filter and will be attached to your VPN tunnel.



2) On the same page, under FlexConfig -> Text Object, create a new text object named TUNNEL_GROUP for your tunnel-group peer IP, type Single, and assign it the value 10.10.10.10 (replace with your peer IP).


3) Under FlexConfig Object, create a new object with Deployment: "Everytime" and Type: "Append".


4) Insert a new policy object -> Extended ACL Object and choose the ACL you created. Name the variable VPN_ACL so that it matches the $VPN_ACL reference in the template below.



5) Insert a new policy object -> Text Object and choose the previously created "TUNNEL_GROUP" object. Name the variable VPN_TUNNEL so that it matches the $VPN_TUNNEL reference in the template below.


6) Copy and paste the following into the FlexConfig window.
    Note: adjust any VPN attributes here except the vpn-filter value line.

group-policy VPN_FILTER_POL internal
group-policy VPN_FILTER_POL attributes
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
 vpn-filter value $VPN_ACL
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group $VPN_TUNNEL general-attributes
 default-group-policy VPN_FILTER_POL

Your config should look like this:

7) Now attach the configured object to the FlexConfig policy for the specific device under Devices -> FlexConfig (if you don't have a policy, create a new one, assign it to the proper device and insert the FLEX_VPN_FILTER object found under User Defined).


8) Save and deploy!
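A post-deployment check, added here as an example and not part of the original post: it parses running-config text and confirms that the peer's tunnel-group reaches a group-policy whose vpn-filter names an ACL that actually exists in the config. The sample config is constructed to mirror what the FlexConfig above deploys, with $VPN_ACL resolved to VPN_FILTER; the function and sample names are assumptions.

```python
import re

def parse_blocks(config: str) -> dict:
    """Group each indented attribute line under the preceding top-level line."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def vpn_filter_for_peer(config: str, peer_ip: str):
    """Return the ACL filtering the site-to-site peer, or None when the policy
    carries no vpn-filter or the referenced ACL is not defined (unfiltered)."""
    blocks = parse_blocks(config)
    policy = None
    for line in blocks.get(f"tunnel-group {peer_ip} general-attributes", []):
        m = re.fullmatch(r"default-group-policy (\S+)", line)
        if m:
            policy = m.group(1)
    if policy is None:
        return None
    for line in blocks.get(f"group-policy {policy} attributes", []):
        m = re.fullmatch(r"vpn-filter value (\S+)", line)
        if m:
            acl = m.group(1)
            defined = any(h.startswith(f"access-list {acl} ") for h in blocks)
            return acl if defined else None
    return None

# Constructed sample (not a real device): the deployed FlexConfig plus one unfiltered peer.
SAMPLE_CONFIG = """\
access-list VPN_FILTER extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 443
access-list VPN_FILTER extended deny ip any any
group-policy VPN_FILTER_POL internal
group-policy VPN_FILTER_POL attributes
 vpn-idle-timeout 30
 vpn-filter value VPN_FILTER
tunnel-group 10.10.10.10 general-attributes
 default-group-policy VPN_FILTER_POL
tunnel-group 10.10.10.20 general-attributes
 default-group-policy DfltGrpPolicy
"""
```

Run it against the output of show running-config from the FTD; a None result for a peer means traffic through that tunnel is not being filtered.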


Thursday, 7 November 2019

Change FTD management default gateway

Use the following in expert mode to disable the default gateway via the data interfaces:
Edit /etc/sysconfig/network-scripts/ifcfg-internal-route with vi and change INTERNAL_ROUTE_ENABLED=1 to INTERNAL_ROUTE_ENABLED=0.

Exit expert mode. Then issue configure network ipv4 manual 1.1.1.2 255.255.255.0 1.1.1.1 to reconfigure the management IP and gateway.

The show network command now shows the gateway.

Wednesday, 6 November 2019

Catalyst 9300 iPerf Docker app

Follow this guide for the iPerf Docker install on the Catalyst 9300:

https://community.cisco.com/t5/networking-blogs/network-performance-monitoring-with-catalyst-9300-application/ba-p/3868481

Note:
Execute the command "iperf.exe -c <IP address of the server> -P 10 -w 1000k"
  (-P refers to the number of parallel TCP streams and -w refers to the TCP window size)

Thursday, 20 June 2019

FTD RA VPN with Microsoft NPS server



ORIGINAL POST FROM Jatin Katyal (Thanks)

Introduction
Steps that need to be followed on the Microsoft RADIUS server to configure group-lock and tunnel-group-lock
Configuration Steps

    Go to Remote Access Policies.
    Go to the remote access policy/network policy, right-click on the policy and click on "Properties".
    Click on Edit Profile.
    Click on the Advanced tab settings and add (for IAS).
    Click on Settings (for NPS).
    Scroll down to the "Vendor-Specific" RADIUS attribute.
    Select it, from the drop-down choose Custom and click on Add.
    Make sure Attribute Number is set to 26.
    Click on Add.
    Enter Vendor Code: 3076.
    Select radio button: Yes. It confirms.
    Click on Configure Attributes.
    Vendor-Assigned attribute number: 25 (group-lock) and 085 (tunnel-group-lock)
    Attribute format: String.
    Attribute Value: <group-policy-name> or <tunnel-group name>
    Apply.

In order to troubleshoot any issues, look at the Event Viewer logs on the RADIUS server.
Configure NPS Event Logging
NPS Events and Event Viewer

Finally, this ASA AAA configuration document could be useful too:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.pdf
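What the NPS settings above produce on the wire, as an added example that is not part of the original post: an encoder and a bounds-checking decoder for the RADIUS Vendor-Specific attribute (type 26, RFC 2865) carrying Cisco vendor 3076 sub-attributes 25 (group-lock) and 85 (tunnel-group-lock). The function names and the sample values are assumptions; VPN_FILTER_POL and RA_TG are constructed policy and tunnel-group names.

```python
import struct

# RFC 2865 VSA layout: type 26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | string
RADIUS_VSA_TYPE = 26
CISCO_VENDOR_ID = 3076          # vendor code entered in the NPS policy
CISCO_GROUP_LOCK = 25           # vendor-assigned number for group-lock
CISCO_TUNNEL_GROUP_LOCK = 85    # vendor-assigned number for tunnel-group-lock
MAX_VALUE_LEN = 255 - 2 - 4 - 2  # attribute header, vendor-id, sub-attribute header

def build_cisco_vsa(vendor_type: int, value: str) -> bytes:
    """Return one Vendor-Specific attribute carrying a single Cisco string sub-attribute."""
    data = value.encode("ascii")
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type out of range")
    if len(data) > MAX_VALUE_LEN:
        raise ValueError("value too long for a single VSA")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body

def parse_cisco_vsas(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return (vendor_type, value) for Cisco VSAs.
    Other attributes are skipped; inconsistent lengths raise rather than being read past."""
    out, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                sub, spos = attrs[pos + 6:pos + alen], 0
                while spos < len(sub):
                    if len(sub) - spos < 2:
                        raise ValueError("truncated sub-attribute")
                    vtype, vlen = sub[spos], sub[spos + 1]
                    if vlen < 2 or spos + vlen > len(sub):
                        raise ValueError("bad sub-attribute length")
                    out.append((vtype, sub[spos + 2:spos + vlen].decode("ascii", "replace")))
                    spos += vlen
        pos += alen
    return out
```

Feeding a captured Access-Accept attribute list to parse_cisco_vsas shows whether the lock attributes actually arrived and with which names, which is the first thing to verify when a user lands in the wrong group-policy.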

Wednesday, 10 April 2019

CUCM diagnose test

A quick and easy CUCM diagnostic test run via CLI.

utils diagnose test

Wednesday, 13 March 2019

Cisco VM on ESXi won't boot (after restart)

Well, another day, another bug!

See Cisco bug CSCvh55176 for the official page.


I set up a fresh Unity Connection install on a BE6K with ESXi 6.5. The VM booted and worked properly, but after a restart the VM didn't boot again and showed only a black screen with a cursor, no messages, nothing.

A colleague ran into this bug before me, so I was provided with the resolution below:

You will need to:

- Boot the VM with the recovery ISO.
- Once the options appear, press ALT+F2. This will take you to a bash prompt.
- chroot /mnt/part1
- /usr/bin/vmware-config-tools.pl -d
- You may ignore the errors at the end.
- Exit, disconnect the ISO and make sure you change the boot order again in the BIOS.

After the above, the other VMs should boot as well.

Friday, 4 January 2019

Unable to update phone settings after CUCM 12

When you try to edit a phone after you upgrade to CUCM 12, you get the following error:
"Update failed. SSH Password is not valid. SSH Password is an encrypted value containing up to 288 hexadecimal characters (0-9 and A-F)"

You have to run the following command on the CLI in order to clear any password set (replace the device name with your phone's):
run sql update device set sshpassword = '' where name = "SEP1234AAAABBBB"