10/15/2014

Redistribute EIGRP and OSPF / Route Tagging

In route redistribution, the routing process asks two questions before it accepts a redistributed route:

1. Does the route already exist in the routing process I am redistributing into?
    No: redistribute the route.
    Yes: go to 2.

2. If it does exist, does the redistributed route have a better (lower) administrative distance (AD)?
    No: don't redistribute the route.
    Yes: redistribute the route.

Example:
    Set the AD of external OSPF routes to 171 when redistributing into OSPF, so that external EIGRP routes (default AD 170) win the comparison above.

170 = the default AD for external EIGRP routes.
171 = the AD we give external OSPF routes in this example to stop the routing loop. It is not a complete fix: when you shut down the interface behind the injected route, the LSAs for that route can still circulate between the two redistribution points.

R2(config)#

router eigrp 10
 redistribute ospf 1
 network x.x.x.x 0.0.0.255
 default-metric 100000 0 255 1 1500
 no auto-summary

router ospf 1
 redistribute eigrp 10 subnets
 distance ospf external 171   ==== only locally significant: the distance command changes this router's own routing table, nothing is advertised.

Using route tagging is better.

Route Tagging:

In most situations you don't need route tags, because the two questions above take care of it. But when you have external routes coming into your domain at more than one redistribution point (R2 and R3 below), you need route tagging.


STEPS:

route-map OSPF-TO-EIGRP deny 10
 match tag 170            ==== tag 170 means "this came from EIGRP": don't send it back

route-map OSPF-TO-EIGRP permit 20
 set tag 110              ==== everything else came from OSPF: mark it as such

route-map EIGRP-TO-OSPF deny 10
 match tag 110            ==== tag 110 means "this came from OSPF": don't send it back

route-map EIGRP-TO-OSPF permit 20
 set tag 170


R2:
conf t

router eigrp 10
 network 10.1.12.0 0.0.0.3
 network 10.1.15.0 0.0.0.3
 redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-TO-EIGRP   ==== tag 110 on the way into EIGRP
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 10 subnets route-map EIGRP-TO-OSPF   ==== tag 170 on the way into OSPF
 network 10.1.22.0 0.0.0.3 area 0.0.0.0


R3:
conf t

router eigrp 10
 network 10.1.13.0 0.0.0.3
 network 10.1.15.0 0.0.0.3
 redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-TO-EIGRP   ====
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 10 subnets route-map EIGRP-TO-OSPF   ==== the EIGRP AS number here must match the "router eigrp" process above
 network 10.1.23.0 0.0.0.3 area 0.0.0.0

DONE.
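The two questions and the two route-maps above can be exercised in a small Python model (an added example, not part of the original post and not Cisco code). It models R2 and R3 as the two redistribution points, uses the page's AD values (110 for OSPF, 170 for external EIGRP) and tag values (110 and 170), and assumes a constructed prefix 192.168.1.0/24 originated inside OSPF. Running the model without route-maps and then with them shows the difference: without tags, once the OSPF source is withdrawn, R2 keeps the prefix via EIGRP from R3 and R3 keeps it via OSPF from R2, so the phantom route never dies; with the tags, the EIGRP-TO-OSPF deny on tag 110 breaks the cycle and the prefix disappears from both routers.

```python
"""Toy model of R2 and R3 doing mutual OSPF/EIGRP redistribution, with and without route tags.

This is added illustration code, not a routing-protocol implementation: each domain is a
shared table of advertisements, each router installs the lowest-AD candidate per prefix
(the page's two-question rule), then redistributes whatever it installed into the other domain.
"""
from typing import Dict, List, Optional, Tuple

# Cisco default administrative distances used on the page (internal EIGRP would be 90)
AD = {"ospf": 110, "ospf-ext": 110, "eigrp": 90, "eigrp-ext": 170}
EXTERNAL = {"ospf": "ospf-ext", "eigrp": "eigrp-ext"}

# route-map sequences as (action, match_tag, set_tag); None = no match / no set clause.
# These mirror the page's OSPF-TO-EIGRP and EIGRP-TO-OSPF route-maps.
OSPF_TO_EIGRP = [("deny", 170, None), ("permit", None, 110)]
EIGRP_TO_OSPF = [("deny", 110, None), ("permit", None, 170)]
PERMIT_ALL = [("permit", None, None)]          # plain "redistribute" with no route-map


def apply_route_map(route_map, tag):
    """First matching sequence wins; falling off the end is the implicit deny."""
    for action, match_tag, set_tag in route_map:
        if match_tag is None or tag == match_tag:
            if action == "deny":
                return False, None
            return True, (tag if set_tag is None else set_tag)
    return False, None


def build_rib(router, internal, adverts):
    """Pick the lowest-AD candidate per prefix. Internal routes are those originated inside a
    domain by other routers; a router never installs its own redistributed advertisement."""
    cands = {}
    for (domain, prefix), tag in internal.items():
        cands.setdefault(prefix, []).append((AD[domain], domain, tag))
    for table in adverts.values():
        for (prefix, origin), (proto, tag) in table.items():
            if origin != router:
                cands.setdefault(prefix, []).append((AD[proto], proto, tag))
    return {p: min(c, key=lambda t: t[0])[1:] for p, c in cands.items()}


def redistribute(router, rib, route_maps):
    """Inject each installed route into the other domain through that direction's route-map."""
    out = {"ospf": {}, "eigrp": {}}
    for prefix, (proto, tag) in rib.items():
        src = "ospf" if proto.startswith("ospf") else "eigrp"
        dst = "eigrp" if src == "ospf" else "ospf"
        permitted, new_tag = apply_route_map(route_maps[dst], tag)
        if permitted:
            out[dst][(prefix, router)] = (EXTERNAL[dst], new_tag)
    return out


def converge(internal, adverts, route_maps, routers=("R2", "R3"), max_passes=20):
    """Update routers one at a time until a full pass changes no advertisement. Returns the RIBs."""
    ribs = {}
    for _ in range(max_passes):
        changed = False
        for r in routers:
            ribs[r] = build_rib(r, internal, adverts)
            mine = redistribute(r, ribs[r], route_maps)
            for domain in adverts:
                kept = {k: v for k, v in adverts[domain].items() if k[1] != r}  # drop r's old adverts
                kept.update(mine[domain])
                if kept != adverts[domain]:
                    adverts[domain] = kept
                    changed = True
        if not changed:
            return ribs
    raise RuntimeError("advertisements keep flapping")


def scenario(route_maps):
    """Returns (RIBs with the OSPF source present, RIBs after it is withdrawn)."""
    # Constructed input: 192.168.1.0/24 originated by an OSPF-only router (the page's test prefix)
    internal = {("ospf", "192.168.1.0/24"): None}
    adverts = {"ospf": {}, "eigrp": {}}
    before = converge(internal, adverts, route_maps)
    internal.clear()            # the interface behind the route is shut down
    after = converge(internal, adverts, route_maps)
    return before, after


if __name__ == "__main__":
    for name, maps in (("no tags", {"eigrp": PERMIT_ALL, "ospf": PERMIT_ALL}),
                       ("tagged", {"eigrp": OSPF_TO_EIGRP, "ospf": EIGRP_TO_OSPF})):
        before, after = scenario(maps)
        print(name, "before:", before, "after withdrawal:", after)
```

The model deliberately updates one router at a time, which is what lets the untagged case settle into the self-sustaining loop instead of flapping; the `distance ospf external 171` trick would break the same loop only on the router where it is configured, which is why the page prefers tags.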

TEST:
R4-EIGRP-ROUTER# sh ip ro 192.168.1.1
Routing entry for 192.168.1.1/32
  Known via "eigrp 100", distance 170, metric 28416
  Tag 110, type external
  Redistributing via eigrp 100
  Last update from 10.1.12.2 on FastEthernet1/0, 00:38:36 ago
  Routing Descriptor Blocks:
  * 10.1.13.2, from 10.1.13.2, 00:38:36 ago, via FastEthernet1/1
      Route metric is 28416, traffic share count is 1
      Total delay is 110 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
      Route tag 110
    10.1.12.2, from 10.1.12.2, 00:38:36 ago, via FastEthernet1/0
      Route metric is 28416, traffic share count is 1
      Total delay is 110 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
      Route tag 110

R1-OSPF-ROUTER# sh ip ro 172.16.1.1
Routing entry for 172.16.1.0/24
  Known via "ospf 1", distance 110, metric 20
  Tag 170, type extern 2, forward metric 1
  Last update from 10.1.22.2 on FastEthernet1/0, 00:40:31 ago
  Routing Descriptor Blocks:
  * 10.1.23.2, from 10.1.23.2, 00:48:47 ago, via FastEthernet1/1
      Route metric is 20, traffic share count is 1
      Route tag 170
    10.1.22.2, from 10.1.22.2, 00:40:31 ago, via FastEthernet1/0
      Route metric is 20, traffic share count is 1
      Route tag 170


10/08/2014

Block RFC 1918 and Others Coming In Your Network

If you're an enterprise, chances are your ISP has already blocked some or all private addresses coming in from the Internet.
You should also block the IP subnet your ISP assigned to you: if you see a packet from your own subnet arriving on the outside interface, someone is spoofing your addresses.
For security, it's best to block all RFC 1918 space, and you may want to block other reserved ranges as well.

Below is what I use:

access-list 199 deny   ip 10.0.0.0 0.255.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 deny   ip 172.16.0.0 0.15.255.255 any
access-list 199 deny   ip 169.254.0.0 0.0.255.255 any
access-list 199 deny   ip 192.0.2.0 0.0.0.255 any
access-list 199 deny   ip 192.168.0.0 0.0.255.255 any
access-list 199 deny   ip 224.0.0.0 0.0.0.255 any
access-list 199 deny   ip 239.0.0.0 0.255.255.255 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip YOUR-SUBNET-HERE 0.0.0.31 any
--- YOUR-SUBNET-HERE is the public subnet assigned to you by your ISP (adjust the wildcard to its size). You never want to see a packet with your own addresses as the source arriving from the Internet.

access-list 199 permit ip any any  --- This permits everything else.

Now apply this access list inbound on the interface facing or connecting to your ISP:

interface Serial0/1/0
 ip address YOUR-ISP-FACING-IP 255.255.255.252   --- the point-to-point address your ISP gave you
 ip access-group 199 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 no cdp enable


You want access-list 199 applied to inbound traffic (the "in" keyword), since the goal is to drop spoofed sources as they arrive.

Done.

10/01/2014

EXPECT: Cannot telnet/ssh to switches directly - only from one switch to the others

You cannot telnet/ssh to the switches directly. You can only SSH into an ASR/switch, then from that device SSH to each switch.

An ACL allows only the ASR device to SSH to each switch.

This can be done with a loop inside the "expectscript.exp" script.

Create a file with the names/IPs of the devices you want to connect to from the ASR:

STEPS:

1. [root@localhost script]# vi device-list
    10.x.x.1
    10.x.x.2
    10.x.x.3
    10.x.x.4


2. [root@localhost script]# vi from-one-device-TO-ALL-others.exp

#!/usr/bin/expect -f

# Set variables - the first three come from the command line:
#   argv 0 = the ASR/switch you can reach directly, argv 1 = SSH password, argv 2 = enable password
# Note: arguments are visible to other local users in the process list (ps), so run this on a box only you use.
set hostname [lindex $argv 0]
set username "YOURUSERNAME"
set password [lindex $argv 1]
set enablepassword [lindex $argv 2]
set timeout 5

# Where to put the log file results
log_file -a /root/script/results.log

# Log in to the jump device (the only one the ACL lets you reach)
spawn ssh -o StrictHostKeyChecking=no $username\@$hostname
expect "*assword: "
send "$password\r"

# SSH from there to each IP/hostname in the local file "device-list", run "show clock", then exit
set devicelist [open device-list]
while {[gets $devicelist line] != -1} {
    expect "*>"
    send "ssh $line\n"
    expect "Password:"
    send "$password\r"
    expect "*>"
    send "show clock\n"
    expect "*>"
    send "exit\n"
    expect "*>"
}
close $devicelist

# Leave the jump device; the spawned ssh ends, so wait for end-of-file rather than a shell prompt
send "exit\n"
expect eof
exit


3. Now RUN it, passing the jump device and the passwords the script reads from argv:

[root@localhost script]# ./from-one-device-TO-ALL-others.exp ASR-HOSTNAME-OR-IP 'SSH-PASSWORD' 'ENABLE-PASSWORD'


9/30/2014

Block Windows AD/DHCP/NetBios from Crossing One Network to Another

Create an access-list to block the ports of all these Microsoft Windows services.

Here's my list, which keeps the Windows TEST LAB network from messing up the production environment.

access-list 199 deny   tcp any any eq 389
access-list 199 deny   udp any any eq 389
access-list 199 deny   tcp any any eq 636
access-list 199 deny   tcp any any eq 3268
access-list 199 deny   tcp any any eq 3269
access-list 199 deny   tcp any any eq 88
access-list 199 deny   udp any any eq 88
access-list 199 deny   tcp any any eq 445
access-list 199 deny   udp any any eq 445
access-list 199 deny   tcp any any eq 135
access-list 199 deny   udp any any eq 135
access-list 199 deny   tcp any any eq 5722
access-list 199 deny   tcp any any eq 646
access-list 199 deny   udp any any eq 646
access-list 199 deny   udp any any eq netbios-dgm
access-list 199 deny   tcp any any eq 9389
access-list 199 deny   udp any any eq bootps
access-list 199 deny   udp any any eq 2535
access-list 199 deny   udp any any eq netbios-ns
access-list 199 deny   tcp any any eq 139
access-list 199 permit ip any any


Here's the complete list of ports used by Windows:
http://technet.microsoft.com/en-us/library/cc875824.aspx
But I only used the ones above to keep my TEST LAB Windows environment from crossing over into the production network.

Go into interface configuration mode and apply the access list inbound, on the interface where the lab traffic enters:

interface GigabitEthernet0/2
 no switchport
 ip address 172.16.0.1 255.255.255.252
 ip access-group 199 in
end

done.

Good EXPECT script to use on Cisco / Other Network Devices


An Expect script is a great way to make config changes across 40 or more switches/routers in your company without manually telnetting or SSHing into each device.

The script can be modified to suit your needs. I modified Paul's script (http://paulgporter.net/2012/12/08/30/comment-page-1/#comment-1703) to meet my needs.

The SSH version is at the end. Below is the TELNET version:

STEPS:

1. Install Expect on your CentOS or other Linux box:
    yum install expect
        - The expect binary should then be at /usr/bin/expect.

Create your expect script:

2.  Make a text file and put all IP Addresses of your devices:
    [root@localhost script]# vi device-list

172.x.x.1
172.x.x.2
172.x.x.3
etc.

3. Create expectrun.sh file and put the following in it:

[root@localhost script]# vi expectrun.sh

#!/bin/bash

# Collect the current user's SSH and enable passwords (read -s keeps them off the screen)
echo -n "Enter the SSH password for YOURUSERNAME: "
read -s -e password
echo -ne '\n'
echo -n "Enter the Enable password for YOURUSERNAME: "
read -s -e enable
echo -ne '\n'

# Set terminal to vt100 so Nexus devices don't complain
export TERM=vt100

# Feed the expect script one device at a time, plus the collected passwords.
# Note: the passwords are passed as arguments, so while each run is in progress they are
# visible in the process list (ps) to other users on this box.
for device in $(cat device-list); do
    ./expectscript.exp "$device" "$password" "$enable"
done


4. Create the "EXPECT" script called, expectscript.exp and put the following:

[root@localhost script]# vi expectscript.exp

#!/usr/bin/expect

# Set variables (hostname and passwords are passed in by expectrun.sh)
set hostname [lindex $argv 0]
set username "YOURUSERNAME"
set password [lindex $argv 1]
set enablepassword [lindex $argv 2]

# Path to where to put the log file results
log_file -a /root/script/results.log

# Display the device we are working on and the time
send_user "\n"
send_user ">>>>>  Working on $hostname @ [exec date] <<<<<\n"
send_user "\n"

# Telnet (for SSH, replace this block with the SSH block at the end of the post)
spawn telnet $hostname
expect "Username: "
send "$username\r"
expect "*assword: "
send "$password\r"

# Check to see if we're already in enable mode; if not, get us there
expect {
    default { send_user "\nEnable Mode Failed - Check Password\n"; exit 1 }
    "*#" {}
    "*>" {
        send "enable\n"
        expect "*assword"
        send "$enablepassword\n"
        expect "*#"
    }
}

# Let's get into configure mode
send "conf t\n"
expect "(config)#"

# Enter your commands here. Examples listed below
send "aaa authorization commands 1 default group tacacs+ local\n"
expect "(config)#"
send "aaa authorization commands 15 default group tacacs+ local\n"
expect "(config)#"
send "aaa authorization config-commands\n"
expect "(config)#"
#send "service timestamps log datetime msec localtime\n"
#expect "(config)#"
#send "clock timezone PST -8\n"
#expect "(config)#"
#send "clock summer-time PDT recurring\n"
#expect "(config)#"
#send "service timestamps debug datetime msec localtime\n"
#expect "(config)#"

# Save the config and leave; the spawned session ends, so wait for end-of-file
send "end\n"
expect "#"
send "write mem\n"
expect "#"
send "exit\n"
expect eof
exit

5. Now RUN the expectrun.sh script:
    [root@localhost script]# ./expectrun.sh

========================

NOTE:  FOR SSH to devices instead of using telnet:
The Cisco IOS image used must be a k9(crypto) image in order to support SSH. For example c3750e-universalk9-mz.150-1.SE2.bin is a k9 (crypto) image.

[root@localhost script]# vi expectscript.exp

DELETE THE TELNET REFERENCE:

# Telnet
spawn telnet $hostname
expect "Username: "
send "$username\r"
expect "*assword: "
send "$password\r"

ADD the following for SSH to WORK:

# For SSH to devices without host key checking
# (note: this also means a changed host key, as with a man-in-the-middle, goes unnoticed)
spawn ssh -o StrictHostKeyChecking=no $username\@$hostname

# Needed for SSH to work: let the script handle SSH connection problems
expect {
    timeout { send_user "\nTimeout Exceeded - Check Host\n"; exit 1 }
    eof { send_user "\nSSH Connection To $hostname Failed\n"; exit 1 }
    "*#" {}
    "*assword:" {
        send "$password\n"
    }
}

THAT'S IT.

9/17/2014

IPSEC: Failed Anti-Replay Checking FIXED

Sep 12 08:19:22|402119: IPSEC: Received an ESP packet from  (user= sKOPL) to  -- that failed anti-replay checking.

The ASA logs a failed anti-replay check when it drops an ESP packet whose sequence number is a duplicate or falls outside the replay window. This is the check that stops an attacker from capturing real packets and feeding copies of them back into the tunnel.

IPsec authentication provides anti-replay protection by giving each encrypted packet a unique, increasing sequence number; the receiver accepts only packets that fall inside a sliding window of recent sequence numbers.
By default the window is 64 packets.

Legitimate packets that are reordered or delayed in transit (for example by QoS queuing) by more than 64 positions fail the check too, which is what produces this message on a working tunnel. Increasing the window to 512 or 1024 will fix it:

1. enable

2. configure terminal

3. crypto ipsec security-association replay window-size [N]
    Sets the size of the SA replay window globally.
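To see what the window does, here is a small Python simulation (an added example, not the ASA's own code) of a sliding replay window of the kind ESP receivers keep: a bitmap of the last N sequence numbers plus the highest number seen. The traffic is constructed: 200 packets in order, except that packet 10 is delayed until after packet 200 and packet 150 arrives twice. At window 64 both packets fail the check; at 512 the late packet is accepted and only the true duplicate is dropped, which is exactly the trade-off behind raising window-size.

```python
"""Sliding-window anti-replay check of the kind IPsec ESP receivers use (added example, not the
ASA's code). Shows why a legitimate but badly reordered packet fails the check at window 64 and
passes at 512, while a genuine replay is rejected at either size."""
from typing import List, Tuple


class ReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of the last `size` numbers."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0           # highest sequence number accepted so far (ESP starts at 1)
        self.bitmap = 0        # bit k set  <=>  sequence number (top - k) was received

    def check(self, seq: int) -> bool:
        """Return True if the packet is accepted and record it; False if it fails anti-replay."""
        if seq <= 0:
            return False
        if seq > self.top:                       # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # older than the window: indistinguishable from a replay
            return False
        if (self.bitmap >> offset) & 1:          # inside the window but already received: replay
            return False
        self.bitmap |= 1 << offset               # late but new: accept and mark it
        return True


def simulate(size: int, arrivals: List[int]) -> Tuple[int, List[int]]:
    """Feed arrivals through a fresh window; return (accepted count, rejected sequence numbers)."""
    win = ReplayWindow(size)
    rejected = [s for s in arrivals if not win.check(s)]
    return len(arrivals) - len(rejected), rejected


# Constructed traffic: 200 packets in order, except that #10 was delayed until after #200
# (heavy reordering, e.g. by QoS queuing) and #150 arrives a second time, as a replayed packet would.
ARRIVALS = [s for s in range(1, 201) if s != 10] + [10, 150]

if __name__ == "__main__":
    for size in (64, 512):
        accepted, rejected = simulate(size, ARRIVALS)
        print(f"window {size}: accepted {accepted}, failed anti-replay {rejected}")
```

Note that a packet older than the window is rejected without looking at the bitmap, because the receiver no longer has any record of whether it was seen; widening the window only lengthens that memory, it does not weaken the duplicate check.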

9/10/2014

Types of Access-lists Made Easy

Below are the types of access list, explained in a way that is easy to understand.

Access list rules:  These are the rules of access-lists.
  •     An access list is read from top to bottom.
  •     Processing stops at the first match.
  •     There's an invisible implicit DENY at the bottom.
  •     An ACL is applied to an interface INBOUND or OUTBOUND.
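The four rules above, and the wildcard-mask matching behind the RFC 1918 list in the 10/08/2014 post and the Windows-ports list in the 9/30/2014 post, can be checked with this added Python evaluator (not from the original posts, and not Cisco's code). It parses the page's ACL lines (YOUR-SUBNET-HERE is replaced by the constructed TEST-NET-3 block 203.0.113.0/27) and walks them top to bottom, stopping at the first match and falling through to the implicit deny.

```python
"""First-match evaluation of Cisco numbered ACLs, as on this page (added example, not from the post).

Parses the "access-list N deny|permit PROTO SRC DST [eq PORT]" form used in the RFC 1918
list (10/08/2014 post) and the Windows-ports list (9/30/2014 post), then walks the entries
top to bottom: first match wins and an unmatched packet hits the implicit deny.
"""
import ipaddress
from typing import List, Optional, Tuple

# IOS port keywords that appear on this page
PORT_NAMES = {"bootps": 67, "netbios-ns": 137, "netbios-dgm": 138}

Spec = Tuple[int, int]   # (network, wildcard) as 32-bit integers; wildcard bit 1 = "don't care"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse an address spec at tokens[i]: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Tuple[str, str, Spec, Spec, Optional[int]]]:
    """Return entries as (action, protocol, src, dst, dst_port). Trailing '--' comments are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split("--")[0].split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = parse_spec(tokens, 4)
        dst, i = parse_spec(tokens, i)
        port = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        entries.append((action, proto, src, dst, port))
    return entries


def matches(spec: Spec, ip: int) -> bool:
    """Wildcard compare: every bit the wildcard marks as significant (0) must be equal."""
    net, wild = spec
    return ((ip ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Top to bottom, first match wins. Returns (action, entry_index); index None = implicit deny."""
    s, d = _ip(src), _ip(dst)
    for idx, (action, aproto, asrc, adst, aport) in enumerate(entries):
        if aproto != "ip" and aproto != proto:
            continue
        if not (matches(asrc, s) and matches(adst, d)):
            continue
        if aport is not None and aport != dport:
            continue
        return action, idx
    return "deny", None


# The page's inbound anti-spoofing list; 203.0.113.0/27 stands in for YOUR-SUBNET-HERE (constructed).
BOGON_ACL = parse_acl("""
access-list 199 deny   ip 10.0.0.0 0.255.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 deny   ip 172.16.0.0 0.15.255.255 any
access-list 199 deny   ip 169.254.0.0 0.0.255.255 any
access-list 199 deny   ip 192.0.2.0 0.0.0.255 any
access-list 199 deny   ip 192.168.0.0 0.0.255.255 any
access-list 199 deny   ip 224.0.0.0 0.0.0.255 any
access-list 199 deny   ip 239.0.0.0 0.255.255.255 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip 203.0.113.0 0.0.0.31 any   -- your own ISP-assigned block
access-list 199 permit ip any any  -- everything else
""")

# Excerpt of the Windows-services list from the 9/30/2014 post
WINDOWS_ACL = parse_acl("""
access-list 199 deny   tcp any any eq 389
access-list 199 deny   udp any any eq netbios-dgm
access-list 199 deny   udp any any eq bootps
access-list 199 permit ip any any
""")

if __name__ == "__main__":
    for pkt in (("tcp", "10.1.2.3", "203.0.113.5", 443), ("tcp", "203.0.113.7", "203.0.113.5", 80),
                ("udp", "224.0.1.1", "203.0.113.5", 5000), ("tcp", "8.8.8.8", "203.0.113.5", 443)):
        print(pkt, "->", evaluate(BOGON_ACL, *pkt))
```

Running it against the bogon list also shows what the wildcard masks really cover: 172.16.0.0 0.15.255.255 catches all of 172.16.0.0 through 172.31.255.255, whereas 224.0.0.0 0.0.0.255 catches only 224.0.0.0/24, so a multicast source such as 224.0.1.1 falls through to the final permit; 0.255.255.255 on 239.0.0.0 is the /8 form. Removing the final permit line makes every unmatched packet land on the implicit deny, which the evaluator reports with index None.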

Types of access lists:

1. Standard access list: filters by source IP address.

2. Extended access list: filters by source, destination, port, ToS, etc.

3. Dynamic access list (AKA lock-and-key): you first need to authenticate, then the ACL entry is allowed. Ex.: telnet in and log in first.

4. Established or reflexive access-list: for example, the router has access to the Internet.
  • permit tcp any any established.  Allows only return traffic of established sessions back in from the Internet.  This was replaced by Context-Based Access Control (CBAC) and then by the Zone-Based Firewall (define inspect rules), or on the ASA by the Modular Policy Framework (MPF).

5. Time-based access-list: a normal extended access list that has a time range attached.
Example: from 8am to 5pm this access-list applies.
  •     Example, to throttle only web traffic to 5 Mbps: create an extended access list with a time range of 8am to 5pm matching certain subnets to any destination, then reference it in a QoS policy with policing on the interface so that traffic does not exceed that value.

How To Get Cisco ASA Up and Running in a Few Simple STEPS:

It's quite simple to get the Cisco ASA up and running to protect and secure your inside network in a few simple steps.
You'll need to configure:
  1. the inside/outside interfaces,
  2. NAT,
  3. the outside NAT IP,
  4. the default route,
  5. the inside route, and you're done.
Here are the steps:

Step 1.
ASA(config)#
interface Ethernet0/0
 description ***This is the interface going to your INTERNAL INSIDE NETWORK***
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2  --standby is OPTIONAL if you have dual ASAs (the standby address must be in the same subnet), else no need.


interface Ethernet0/1
 description ***This is the interface going to your ISP facing router***
 nameif OUTSIDE
 security-level 0
 ip address YOURPUBLIC-IP-FROM-ISP 255.255.255.224 standby PUBLIC-IP2-FROM-ISP  ---standby is OPTIONAL if you have dual ASAs, else no need.

STEP 2:
ASA(config)#
nat (INSIDE) 1 0.0.0.0 0.0.0.0  -- This puts ALL SUBNETS in your internal network into NAT group 1, so they can be translated to a public IP address and reach the Internet.


STEP 3:
ASA(config)#
global (OUTSIDE) 1 8.4.4.9 netmask 255.255.255.0  --This translates NAT group 1 from your internal network to a public IP address (in this case 8.4.4.9), so you can access the Internet.

STEP 4:
Secure your network from ping scans.
Create an access-list that lets you ping out but does not let outside folks ping in (only the ICMP replies and errors your own traffic needs are allowed back). This basically puts your network in "STEALTH MODE".

ASA(config)#
access-list INBOUND_ACL extended permit icmp any any echo-reply
access-list INBOUND_ACL extended permit icmp any any source-quench
access-list INBOUND_ACL extended permit icmp any any unreachable
access-list INBOUND_ACL extended permit icmp any any time-exceeded



STEP 5:
Apply the access-list to the OUTSIDE interface:
ASA(config)#
access-group INBOUND_ACL in interface OUTSIDE

STEP 6:
Create a static default route for your ASA to reach the Internet:
ASA(config)#
route OUTSIDE 0.0.0.0 0.0.0.0 8.4.4.254 1 -- the default route points at your ISP router as the next hop.

STEP 7:

Create static routes for the ASA to reach internal networks behind your inside router:
ASA(config)#
route INSIDE 192.168.11.0 255.255.255.0 INSIDE-ROUTER-IP 1  -- Tells the ASA how to reach a subnet behind your internal router. INSIDE-ROUTER-IP is that router's address on the 192.168.10.0/24 INSIDE subnet, not the ASA's own 192.168.10.1. The directly connected 192.168.10.0/24 itself needs no static route.

route INSIDE ANOTHER-INSIDE-SUBNET 255.255.255.0 INSIDE-ROUTER-IP 1  -- You can add more if you have more different INSIDE networks.

done.
Let me know if this helps.

9/09/2014

Troubleshooting Cisco Router / Switch Interface Utilization Overload:

Ethernet interface utilization overload affects performance. Here are some ways to fix port utilization issues.

1. High CPU / memory utilization will affect the interfaces.
2. Packet drops: some are normal, but high CPU / memory usage will drop more packets.

3. Unreachable destinations will cause overload.

Things to check:

1. Verify the router / switch switching mode:
  • Process switching: the original mode.
    • Every packet is process switched: it arrives on the data plane, is punted to the control plane (CPU), then is passed back to the data plane. This is very CPU intensive.
  • Fast switching: came out in the late 80s - 90s. The first packet of a flow goes to the CPU and its forwarding information is cached. The following packets stay on the data plane and are forwarded from the cache. This is less CPU intensive, as only the first packet in a flow punts to the CPU.
  • CEF: on by default (router(config)# ip cef). This eliminates the first-packet issue: when the router boots it pre-builds the forwarding table as if every route in the IP table had already been accessed, so everything is pre-cached.
    • Packets never go to the control plane; they stay on the data plane. Check that it plays well with the access control or QoS features you use, as it may not be effective with them.

    TIPS: enabling CEF will most likely fix high CPU overload if you have it disabled.
        router(config)# ip cef
        router(config)# int fa0/0
        router(config-if)# ip route-cache          (or: ip route-cache cef, if supported)


2. Verify the CEF / ARP adjacency table:
    router# show adjacency

3. Verify that the routing table entry to the destination is correct.

Troubleshooting Cisco Router / Switch Memory Overload:

If you see any of the following, your Cisco router / switch is low on memory or out of it entirely.

1. Syslog message SYS-2-MALLOCFAIL: a process asked for memory, but none was available.

2. Show commands return blank output: there's no memory left to build the output.

3. On the console port you see "UNABLE TO CREATE EXEC": there's no memory, or too many processes are running.

Check the following:

1. Is it the wrong IOS image? The platform may not have enough memory to run that IOS.

2. A memory leak due to a bad IOS image (symptom: you have to reload the router every month or so).

3. A worm or virus targeting the IOS. Upgrade the IOS to fix.

4. BGP eating too much memory (run show process memory and check the BGP process).

9/03/2014

Troubleshooting Cisco CPU Processor Overload

Below are some troubleshooting tips for Cisco CPU processor overload issues:

router# show proc cpu

Below are the major CPU processes on Cisco switches / routers.

1. ARP Input process:
    Handles the ARP messages the router originates.
    It rises when the router has to do a lot of ARP resolution.

2. Net Background process:
    Creates packet buffers.
    When packets come in and the hardware buffer is full, these software buffers are needed.
    If an interface is getting overloaded, this process's CPU utilization goes up.

3. IP Background process:
    Handles configuration changes to interfaces.
    For example a flapping interface, repeated shutdown / no shutdown, or interface modifications.

4. TCP Timer process:
    Responsible for TCP sessions handled by the router itself, not packets passing through the router. Ex.: SSH and telnet sessions to the router.

If one of the above is suspected, check or fix it by:

1. A default route pointed at an interface: point it at a next-hop IP address instead (a default route to a multi-access interface makes the router ARP for every destination, driving up the ARP Input process).

2. Interface throttles, overruns, ignores: memory may not be enough to handle the traffic.

3. show tcp statistics / show tcp brief: for the TCP Timer process.
  • Shows active TCP sessions TO, NOT THROUGH, the router. If the count is too high, you may have a DDoS against your router. Resolve with an access-list on the vty lines to filter who can connect.

4. show process cpu | exclude 0.00%, or show process cpu history

Let me know if this helps.

8/29/2014

Ads Theme Blogger Template Comment Broken / Not Working [Fixed]

If you've installed the Ads Theme Blogger Template, chances are the comment section is NOT working.

I've tried a few things. 

An easy fix to it is look for the line:

<b:include data='post' name='comments'/>

and replace it with:

<b:include data='post' name='comment-form'/>

That's it! The comment box section should work now.

Tell me if this works for you.

8/27/2014

IPv6 Review: Simplified

In IPv6, the address size has moved from 32 bits in IPv4 to 128 bits.

This provides a huge number of addresses... trillions and trillions.

To make addresses more manageable, the IPv6 address is written as 8 groups of 4 hex characters each:
    2001:0050:0000:0000:0000:0AB4:1EA2:89AA

Each group is 16 bits. Example, in 2001:
                20 = 8 bits
                01 = 8 bits

Rules of IPv6:

RULE 1: Collapse one run of consecutive all-zero groups into "::" (this may be done only once per address):
    The address above becomes:
    2001:0050::0AB4:1EA2:89AA

RULE 2: Drop the leading zeros in each group:
    The address above becomes:
    2001:50::AB4:1EA2:89AA

Types of Communication and Addresses in IPv6:

1. There is no broadcast in ipv6.
2. Unicast: one to one
3. Multicast: one to many
4. Anycast: one to closest

5. Link-local scope address:  layer 2 domain address.
6. Unique / Site-local scope address:  Organization address
7. Global scope address:  Internet / Public Address

Link-local scope address:

  •  Assigned automatically as an IPv6 host comes online.
  •  Similar to the 169.254.x.x addresses of IPv4, but in IPv6 that is a good thing.
  •  Always begins with "FE80" (first 10 bits: 1111 1110 10...) followed by 54 bits of zeros.
  •  The last 64 bits are the 48-bit MAC address with "FFFE" squeezed into the middle.
            MAC ADDRESS:  0011.A123.DEF1
            fe80::0011:A1FF:FE23:DEF1  == notice the FF:FE
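Both shortening rules and the link-local construction above, as an added Python example (not from the original post). It assumes the page's example address and MAC. The link-local helper does what RFC 4291 Appendix A specifies for a modified EUI-64, which includes inverting the universal/local bit of the first MAC octet (0x00 becomes 0x02); the page's fe80::0011:... figure skips that inversion, so the helper takes a flag to reproduce either form.

```python
"""The page's two IPv6 shortening rules and its link-local address construction, as runnable
code (an added example, not from the original post). The EUI-64 helper additionally flips the
universal/local bit, as RFC 4291 Appendix A specifies; the page's example omits that flip."""
import ipaddress
from typing import List


def rule1_collapse_zero_run(groups: List[str]) -> str:
    """RULE 1: replace the longest run of at least two all-zero groups with '::' (one run only)."""
    best_start, best_len, i = -1, 0, 0
    while i < len(groups):
        if int(groups[i], 16) != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and int(groups[j], 16) == 0:
            j += 1
        if j - i > best_len:                 # on a tie keep the first run, as RFC 5952 says
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def rule2_drop_leading_zeros(text: str) -> str:
    """RULE 2: strip leading zeros from every group; an all-zero group becomes a single '0'."""
    return ":".join((g.lstrip("0") or "0") if g else "" for g in text.split(":"))


def simplify(address: str) -> str:
    """Apply both rules to a fully written 8-group address."""
    return rule2_drop_leading_zeros(rule1_collapse_zero_run(address.split(":")))


def matches_stdlib(address: str) -> bool:
    """Cross-check: the two rules reproduce Python's own canonical compressed form (case aside)."""
    return simplify(address).lower() == ipaddress.IPv6Address(address).compressed


def link_local_from_mac(mac: str, flip_ul_bit: bool = True) -> str:
    """fe80::/64 plus a (modified) EUI-64 interface ID: split the 48-bit MAC, insert FFFE in the
    middle and, per RFC 4291, invert the universal/local bit (bit 0x02 of the first octet)."""
    octets = bytearray(bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    if flip_ul_bit:
        octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    groups = ["fe80", "0000", "0000", "0000"] + [iid[k:k + 2].hex() for k in range(0, 8, 2)]
    return simplify(":".join(groups))


if __name__ == "__main__":
    full = "2001:0050:0000:0000:0000:0AB4:1EA2:89AA"     # the page's example address
    print(rule1_collapse_zero_run(full.split(":")))       # 2001:0050::0AB4:1EA2:89AA
    print(simplify(full))                                 # 2001:50::AB4:1EA2:89AA
    print(link_local_from_mac("0011.A123.DEF1"))          # fe80::211:a1ff:fe23:def1
    print(link_local_from_mac("0011.A123.DEF1", flip_ul_bit=False))   # the page's form, fe80::11:a1ff:fe23:def1
```

The "one run only" restriction in RULE 1 is what keeps the notation unambiguous: with two "::" in one address a parser could not tell how many zero groups each one stands for.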

Unique / Site-local scope address:

    - Was supposed to be similar to the private addresses of IPv4. The standard was later revised and site-local was taken out of the RFC.

    - The IPv6 standard no longer uses this scope.

Global scope address:

    - Have their high-order 3 bits set to 001 (2000::/3).

    - Layout: n bits global routing prefix (starting 001...) - (64 - n) bits subnet ID - 64 bits host or interface ID.
        The global routing prefix is assigned to the ISPs.
            The ISPs assign subnets to their customers.
                The customers can subnet further and number the hosts.

    - The global routing prefix is 48 bits or less.

    - The subnet ID is made up of whatever bits are left over after the global routing prefix, up to the 64-bit boundary.

    - The primary addresses expected to make up the IPv6 Internet are from the 2001::/16 block.

Use Google's IPv6 BGP looking glass to see which IPv6 prefixes companies are actually announcing.

Configuring IPv6 OSPF example in Cisco:

router(config)# ipv6 unicast-routing
router(config)# ipv6 router ospf 1
router(config-router)# router-id 192.168.10.1
router(config)# interface f0/0            ==== IPv6 OSPF is enabled per interface
router(config-if)# ipv6 ospf 1 area 0

Leave a note if you like it.

8/25/2014

FTP source-interface for FTP of Cisco configs to an FTP server

Transferring / backing up Cisco configs from an outside IP to an internal FTP SERVER through a firewall.

First, you need to allow the public IP network your ISP provided to you through your firewall on port 21 (the FTP port).

If you do not set the source interface for your FTP communication, the FTP transfer may fail. By default Cisco routers source it from the uplink / outside interface, not from the interface with the IP addresses assigned to you by your ISP.

Router-INTERNET#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         23.12.143.75     YES NVRAM  up                    up
GigabitEthernet0/1         132.95.160.113  YES NVRAM  up                    up
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
Router-INTERNET#

ISP <---> g0/0---G0/1-->Inside

The command to set a source interface or IP on a cisco Router for backing up to ftp is:

router(config)#ip ftp source-interface GigabitEthernet0/1

router# copy running-config ftp

Now when you copy to your FTP server, the router will source the connection from GigabitEthernet0/1 with IP 132.95.160.113, which is your company's public IP.

TFTP source-interface to back up Cisco configs to your TFTP server

Transferring / backing up Cisco configs from an outside IP to an internal TFTP SERVER through a firewall.

First, you need to allow the public IP network your ISP provided to you through your firewall on port 69 (the TFTP port).

If you do not set the source interface for your TFTP communication, the TFTP transfer may fail. By default Cisco routers source it from the uplink / outside interface, not from the interface with the IP addresses assigned to you by your ISP.

Router-INTERNET#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         23.12.143.75     YES NVRAM  up                    up
GigabitEthernet0/1         132.95.160.113  YES NVRAM  up                    up
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
Router-INTERNET#

ISP <---> g0/0---G0/1-->Inside

The command to set a source interface or IP on a cisco Router for backing up to tftp is:

router(config)#ip tftp source-interface GigabitEthernet0/1

router# copy running-config tftp

Now when you copy to your TFTP server, the router will source the transfer from GigabitEthernet0/1 with IP 132.95.160.113, which is your company's public IP.

8/14/2014

FIXED: Slow Internet Browsing Using Sophos UTM Is Now Fixed

I'm happy to report that after a few months of using Sophos UTM hardware appliances, browsing the internet is now fast, or should I say at a user-acceptable level.

The fix was to upgrade the Sophos UTM to 9.205-12. Before the upgrade, I had to disable Sophos web filtering. Now it works just fine after upgrading to the new software.




7/24/2014

How to add devices using Self Service Portal in Sophos Mobile Control (SMC)


After many hours of installing and configuring Sophos Mobile Control, I found out there are no steps for adding your mobile devices in any of their docs. They have so many docs on SMC, but none with the info you want.
You have the Super Admin Guide, the Admin Guide, the startup guide, the install guide, the SMC-as-a-service guide, the technical guide, and on and on... and on.

All I want is to install the SMC software, add my iPhone, Android phone and tablet, and manage them in less than 10 - 20 minutes.

I installed the Sophos Mobile Control software and I was able to log in, but spent hours trying to find out how to add devices to the SMC server. Needless to say, they need to have simpler docs.

Well, if you want a simple way of installing the SMC server, immediately adding devices to it and starting to manage them, here are the steps. Skip to the bottom, "Add devices using Self Service Portal in Sophos Mobile Control (SMC)", if you can already log in to SMC.

Installing the SMC Server software:  (skip this step if you already installed the software)
1. Install the Windows OS and/or SQL Server.
2. Download the SMC Mobile Control software from Sophos.
3. Install the .exe. Follow the instructions on screen. When asked for the SQL server, you can point to a remote SQL server or use a local one.
4. Create a superadmin account to log in: the admin user for the SMC web GUI.
5. Take the defaults for the rest when you can.
6. Done. You're done with the install.

Login to the Sophos Mobile Control SMC server:

1. To log in, go to the URL:  https://IP-Address-of-SMC-server/
2. Log in with admin / yourpassword, the superadmin account you created during the install.

Create a Customer in SMC:

1. You have to create a customer and log in as the admin user of that customer to add and manage mobile devices.
A customer is your company / organization. From here on, you should always log in to the customer to add / change any iPhone, Android or other devices and modify mobile profiles.

2. If you don't create a customer, it won't work.


Add devices using Self Service Portal in Sophos Mobile Control (SMC):

Adding mobile devices, i.e. iPhones, Android, Windows Phone and tablets, to the SMC server is quite simple. You can have the user do it without the administrator being involved.

1.  Access the SMC self service portal URL:  https://IP-Address-of-SMC-server/ssp/
2.  Log in with an Active Directory user / group allowed to be controlled by SMC mobile control. I just create a new AD group and add the users with mobile phones I want to manage.
    (You set up the external Active Directory by logging in as the customer, then --> Settings --> System Setup --> User setup tab.)

3.  From here on, I let the users add their own devices to the SMC server themselves without administrator involvement.
    a.  Users go to their iPhones, Androids, Windows Phones or tablets and open a browser, e.g. Safari.
    b.  They go to the Self Service Portal URL: https://IP-Address-of-SMC-server/ssp/
    c.  Enter the customer or company name and the Active Directory user/password.
    d.  After logging in, you will see a button "Register New Device".
    e.  Click on it, follow the on-screen prompts and enter your telephone number, or you'll need to UPDATE the phone number later by logging in as admin on the SMC SERVER.
    f.  After a few minutes, you will get "Configuration Finished"; then click "OK".
    g.  Done. Log out.
  
Option 2:
1.  You, the administrator, log in to the SMC server with the customer admin user:
go to Inventory --> Devices --> click on Create Device.
        Enter the 3 mandatory fields:
            Name
            Description
            Phone number
You're done.

Tell me how this works for you.

7/22/2014

Sophos UTM Running Slow 2

From the previous post:

Sophos UTM Running Slow


Update: It did not work. After installing the active/active license, changing the HA MODE and upgrading the firmware on the Sophos UTM, the internet is still slow. If we disable UTM, web browsing is super fast.
There was a slight improvement, but I'd say it's about a 5% improvement compared to not switching to an active/active configuration.

Before the active/active mode change, we had a complete loss of web browsing for about 20 - 30 seconds, and it would happen 3 times a day. Now the complete loss of internet browsing is solved, but it's still noticeably slow. Sometimes it still takes 20 - 30 seconds to browse to your regular news site, Yahoo or any other big website.

So, at this point the Sophos UTM is slow. I'm hoping the next firmware upgrade will fix this.

I have high hopes for Sophos, since it's really user friendly.

Leave a comment if it happens to you.

7/18/2014

Easy Steps: Config Netflow, Syslog, SNMP on Cisco ASA Firewall

Config Netflow on the Cisco ASA to send to your Netflow collector:

conf t

access-list ACCESS-LIST-NAME line 1 extended permit ip any any   ( capture all IP source/destination traffic for Netflow )
flow-export destination INSIDE 10.2.2.2 2055   ( the interface, IP address and port of your Netflow collector; the default Netflow port is 2055 )
class-map global-class1   ( a global class to apply to all interfaces on the ASA )
 match access-list ACCESS-LIST-NAME   ( the access-list named above )
policy-map global_policy
 class global-class1   ( the same global-class1 created above )
  flow-export event-type all destination 10.2.2.2   ( send all Netflow events to the destination IP )


Config SNMP traps on the ASA to send to your SNMP server:

snmp-server host <ASA Interface name> <SNMP SERVER IP> trap community <community string>   ( "trap" sends traps only, "poll" allows polling only; leave the keyword out to allow both )
snmp-server enable traps


Config SYSLOG on the ASA to send to your syslog server:

There are many freeware syslog servers out there to use, e.g. Kiwi Syslog or WhatsUpGold. I like WhatsUpGold better as a syslog server.

logging enable
logging timestamp
logging buffer-size 20000
logging buffered critical
logging trap critical
logging history critical
logging asdm critical
logging host INSIDE <IP address of your Syslog Server>
logging class auth trap informational

7/09/2014

Sophos UTM Running Slow





We have had our Sophos appliance SG330 running for over a month now and it is running slow. Users are experiencing slow internet access.


We had upgraded our Sophos UTM 425 to the newer SG Series, and this gave a slight improvement. The SG series is supposed to be the fastest UTM on the block. It's a big step up from the older UTM 425.
In our office we have about 150 users, and I don't think they all access the internet at the same time.
We are only doing a single scan (Sophos scan) and no Avira scan.
Users are experiencing marked slowness when browsing the internet. Just going to normal sites like cnn.com, yahoo.com, google.com, etc. is super slow. Going to any https site is even slower.

A few times during the day we can't get to the internet at all. But I can ping Google, Yahoo, etc. We just can't browse to any site using any web browser.
Our internet speed is over 100 Mbps. We don't use more than 20 Mbps at any particular time.
The browser hangs for 20 seconds and all of a sudden it loads and we can access the internet again.
It seems to happen a few times a day. Like I said, pings to the internet are okay, they never time out, but no user can browse the internet.
It seems that the Sophos UTM is not able to handle the load. According to the Sophos Sizing Guide, it should be able to handle 400 users with ALL UTM module subscriptions enabled.

So, today we upgraded the firmware of our Sophos SG330 from 9.201-23 to the current firmware version, 9.203-3.
We also changed the Sophos HA mode from Active/Standby to Active/Active. In my next post, I will describe how to upgrade to an Active/Active configuration.

So far, after a few hours, users are saying they see faster internet access. No complaints yet.
Will give an update in a week. Wanted to let it bake in and see the user experience.

See updated post:  Sophos UTM Running Slow 2