Cisco Router – CBAC and Zone Based Firewall Setup
Nov17

KB ID 0000937 – Problem: IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, providing you are running the correct IOS (or, in the case of version 15 and upwards, have added the correct license, ‘securityK9’). For older IOS versions you usually want the advipservices version of the IOS. Solution: Run the following command to see if you have the correct license installed....


Cisco Simple GRE Tunnels (With IPSEC)

KB ID 0000951 – Problem: I’ve spent years setting up VPN tunnels between firewalls. The only time I’ve ever dealt with GRE is for letting VPN client software through firewalls. GRE’s job is to ‘encapsulate’ other protocols and transport those protocols inside a virtual point-to-point link. Below is the topology I’m going to use. The tunnel will run from Router R1 to Router R3; once complete I should be...

Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN
Nov17

KB ID 0000954 – Problem: A while back I uploaded a run-through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes, you can have 2147483647 tunnel interfaces, but good luck manually configuring all of those tunnels, and even if you did, if you want each of your remote sites to talk to each other...

Implementing GDOI into DMVPN
Nov17

KB ID 0000956 – Problem: Just recently I covered DMVPN, which is a great, scalable system for adding new sites to your network infrastructure and having them join an existing VPN solution without the need to add extra config at the ‘hub’ site. One of the advantages of DMVPN is that it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, but if a spoke site needs to speak to another spoke...

Cisco PRSM – Replace the Certificate Using Microsoft Certificate Services
Nov17

KB ID 0001023 – Problem: Cisco PRSM gives you the ability to import certificates into it, but like other Linux distros it does not give you the tools to generate the actual certificate request. The documentation tells you to use OpenSSL to do this. I was just about to fire up a CentOS box when I remembered I did something similar for VMware 5.5 not so long ago; would the same procedure work here? Yes it did, and it’s a lot easier than...

PIX 506E and 501 Firewall Image and PDM Upgrade
Nov17

KB ID 0000065 – Problem: Note: PIX 515E and above can still be upgraded to version 8.0(4). Some people will wonder why I’m bothering to write this up, but the truth is there are LOADS of older PIX firewalls out there in the wild, and all the PIX 501s and 506Es that are being retired from corporate use are being bought on eBay or being put on IT departments’ test benches. This page deals with...
