Category Archives: Cisco Systems

Cisco APIC: New Certificate

2022-03-02API, Certificate, Cisco ACIAPI, Certificate, Cisco ACI, Cisco APIC, Postman, X.509Johannes Weber

This post is about adding an own (trusted) X.509 certificate for the HTTPS GUI of the Cisco Application Policy Infrastructure Controller aka APIC. You can do this via the GUI itself or via the API. Here are both ways:

Continue reading Cisco APIC: New Certificate →

DHCPv6 Relay Issue with Cisco ASA and Ubuntu

2022-02-17Cisco ASA, DHCP/DHCPv6, IPv6, LinuxCisco ASA, DHCPv6, Guest Post, IPv6, UbuntuUlrich Hauser

Some months ago, my co-worker and I ran into an interesting issue: a notebook with a newly installed Ubuntu 20.04 does only work with IPv4, but this office network is dual-stacked (IPv4 and IPv6). Other Linux clients as well as Windows and Mac systems still work fine. They all get an IPv4 configuration by DHCPv4 and an IPv6 configuration by stateful DHCPv6 from the same DHCP server, relayed by a Cisco ASA 5500-X. What’s wrong with Ubuntu 20.04?

Continue reading DHCPv6 Relay Issue with Cisco ASA and Ubuntu →

Cisco ESA: Mail Flow for Encryption Appliances

2021-08-24Cisco ESACisco ESA, CLI, Listener, Mail, Mail Flow, Message Filter, OpenPGP, S/MIME, SMTPJohannes Weber

The Cisco Email Security Appliance (ESA) is well-known for its very good Anti-Spam features. But it completely lacks a usable implementation for mail encryption with S/MIME or OpenPGP. That is: We are using other appliances for that such as Zertificon, SEPPmail, or totemo.

However, the Cisco ESA still remains the main MTA for incoming and outgoing mails, hence mails must be routed to the encryption appliance of your choice for signing/encrypting (outgoing) or verifying/decrypting (incoming) mails. Such mail routings should be done with CLI-only message filters, rather than content filters. Here we go:

Continue reading Cisco ESA: Mail Flow for Encryption Appliances →

Capturing – because I can: IS-IS, GLBP, VRRP

2021-01-30Cisco Systems, Network, RoutingCAPWAP, Ethernet, GLBP, IPv6, IS-IS, Preamble, ProfiShark, Profitap, VRRP, WiresharkJohannes Weber

I am constantly trying to add more protocols to the Ultimate PCAP. Hence I used some time in my (old) Cisco lab to configure and capture the following protocols: IS-IS, GLBP, and VRRP. And since Alexis La Goutte sent me some CAPWAP traffic, this protocol is also added. All packets are now found in another update of the Ultimate PCAP. Here are some details:

Continue reading Capturing – because I can: IS-IS, GLBP, VRRP →

Route-Based VPN Tunnel FortiGate <-> Cisco ASA

2020-12-09Cisco ASA, Fortinet, IPsec/VPNCisco ASA, FortiGate, Fortinet, IKEv2, IPsec, Route-Based VPN, Site-to-Site VPNJohannes Weber

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

Continue reading Route-Based VPN Tunnel FortiGate <-> Cisco ASA →

Route-Based VPN Tunnel Palo Alto <-> Cisco ASA

2020-12-02Cisco ASA, IPsec/VPN, Palo Alto NetworksCisco ASA, IKEv2, IPsec, Palo Alto Networks, Route-Based VPN, Site-to-Site VPNJohannes Weber

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a Palo Alto Networks firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

Continue reading Route-Based VPN Tunnel Palo Alto <-> Cisco ASA →

Workaround for Not Using a Palo Alto with a 6in4 Tunnel

2019-07-10Cisco Systems, IPv6, Palo Alto Networks6in4, Cisco Router, fail, Hurricane Electric, IPv6, Palo Alto Networks, Tunnel BrokerJohannes Weber

Of course, you should use dual-stack networks for almost everything on the Internet. Or even better: IPv6-only with DNS64/NAT64 and so on. ;) Unfortunately, still not every site has native IPv6 support. However, we can simply use the IPv6 Tunnel Broker from Hurricane Electric to overcome this time-based issue.

Well, wait… Not when using a Palo Alto Networks firewall which lacks 6in4 tunnel support. Sigh. Here’s my workaround:

Continue reading Workaround for Not Using a Palo Alto with a 6in4 Tunnel →

NTP Authentication on Cisco IOS

2019-05-17Authentication, Cisco Systems, NTPAuthentication, Cisco Router, Cisco Switch, MD5, NTPJohannes Weber

This is how you can use NTP authentication on Cisco IOS in order to authenticate your external NTP servers respectively their NTP packets. Though it is not able to process SHA-1 but only MD5, you’re getting an authentic NTP connection. Let’s have a look:

Continue reading NTP Authentication on Cisco IOS →

My CCNP TSHOOT Lab: The Overall Picture

2018-11-12Cisco Systems, IPv6, RoutingAuthentication, CCNP, Cisco Router, Cisco Switch, Dynamic Routing, EEM, FHRP, GLBP, GRE, IPv6, MD5, NTP, prefix-list, route-map, VRRPJohannes Weber

During the last few weeks I published a couple of blogposts concerning routing protocols such as BGP, OSPFv3, and EIGRP. (Use the “Cisco Router” tag on my blog to list all of them.) They are all part of my current Cisco lab that I am using for my CCNP TSHOOT exam preparation. While I depicted only the details of the routing protocols in those blogposts, I am showing my overall lab with all of its Cisco IOS configs here. Just to have the complete picture. There are a couple of not-yet-blogged configs such as VRRP, GLBP, NTP authentication, embedded event manager (EEM), or route-maps and distribute/prefix lists though.

Continue reading My CCNP TSHOOT Lab: The Overall Picture →

Using Cisco’s IOS Archive

2018-11-06Cisco Systems, Network, Tutorial/HowtoArchive, Cisco Router, Cisco Switch, Reload, Rollback, SCP, TFTPJohannes Weber

Cisco’s IOS offers an easy to use feature for configuration versioning to an external server such as TFTP or SCP. Furthermore, you can use IOS commands to compare any two snapshots and to roll back to one of them.

Continue reading Using Cisco’s IOS Archive →

EIGRP Capture

2018-11-01Cisco Systems, IPv6, RoutingAuthentication, CCNP, Cisco Router, Dynamic Routing, EIGRP, IPv6, MD5, pcap, ProfiShark, Profitap, WiresharkJohannes Weber

And again: Here comes a pcapng capture taken for the dynamic routing protocol EIGRP. If you want to dig into EIGRP messages, download the trace file and browse around it with Wireshark. Since I used both Internet Protocols (IPv6 and legacy IP), MD5 authentication, route redistribution, etc., you can find many different messages in it.

Continue reading EIGRP Capture →

Dual-Stack EIGRP Lab

2018-10-24Authentication, Cisco Systems, IPv6, RoutingAuthentication, CCNP, Cisco Router, Dynamic Routing, EIGRP, IPv6, key-chain, MD5, Redistribution, SummarizationJohannes Weber

Yet another routing protocol I played with in my lab. ;) This time: EIGRP, Enhanced Interior Gateway Routing Protocol, the ~~proprietary~~ distance-vector routing protocol developed by Cisco, which is now public available (RFC 7868). However, no third-party products in here but only Cisco routers. I am using named EIGRP for both Internet Protocols, IPv6 and legacy IP, along with MD5 authentication and redistribution from OSPF.

Continue reading Dual-Stack EIGRP Lab →

OSPFv3 with IPsec Authentication

2018-10-19Authentication, Cisco Systems, IPsec/VPN, IPv6, RoutingAH, Authentication, CCNP, Cisco Router, Dynamic Routing, IPsec, IPv6, OSPFv3, pcap, ProfiShark, Profitap, Redistribution, Security Association, SHA-1, Summarization, WiresharkJohannes Weber

Here comes a small lab consisting of three Cisco routers in which I used OSPFv3 for IPv6 with IPsec authentication. I am listing the configuration commands and some show commands. Furthermore, I am publishing a pcapng file so that you can have a look at it with Wireshark by yourself.

Continue reading OSPFv3 with IPsec Authentication →

OSPFv2 Capture

2018-10-11Authentication, Cisco Systems, RoutingAuthentication, CCNP, Cisco Router, Dynamic Routing, MD5, OSPF, pcap, ProfiShark, Profitap, Redistribution, SummarizationJohannes Weber

I already had an OSPFv2 for IPv4 lab on my blog. However, I missed capturing a pcap file in order to publish it. So, here it is. Feel free to have a look at another small lab with three Cisco routers and OSPFv2. Just another pcapng file to practise some protocol and Wireshark skills.

Continue reading OSPFv2 Capture →

Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet

2018-09-24Authentication, Cisco Systems, Fortinet, IPv6, Palo Alto Networks, RoutingAuthentication, BGP, CCNP, Cisco Router, Dynamic Routing, FortiGate, Fortinet, IPv6, Loopback, MD5, MP-BGP, Palo Alto Networks, Password, RedistributionJohannes Weber

While playing around in my lab learning BGP I configured iBGP with Multiprotocol Extensions (exchanging routing information for IPv6 and legacy IP) between two Cisco routers, a Palo Alto Networks firewall, and a Fortinet FortiGate firewall. Following are all configuration steps from their GUI (Palo) as well as their CLIs (Cisco, Fortinet). It’s just a “basic” lab because I did not configure any possible parameter such as local preference or MED but left almost all to its defaults, except neighboring from loopbacks, password authentication and next-hop-self.

Continue reading Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet →

Weberblog.net

IT-Security, Networks, IPv6, VPN, DNSSEC, NTP