CiscoNews, News, Reviews and Guides

How to Encrypt your ISAKMP keys in the running config!

Rich — Fri, 31 Oct 2008 21:55:13 +0000

Here is a quick and dirty config tip.

If you look at your running config you will notice that your ISAKMP keys are stored in plain-text. In other words, unencrypted. This still stands after issuing the “service password-encryption” command.

Click more to find out how to encrypt those keys using AES!

So, what we start out with looks something like this:

crypto isakmp key myweakpassword address 1.1.1.1

What we ideally want to do is encrypt this password to prevent a potential leak of the config causing you problems, not to mention just so that you can follow best practice!

All we need to enter is the following two lines of config:

MyRouter(config)#key config-key password-encrypt thisismyencryptionpassword
MyRouter(config)#password encryption aes

Easy right? Ok lets verify this works by issuing the “sh run”:

crypto isakmp key 6 V]PMeY]cO[TQ[EWaQ\[D`XViUTA`LZMVR_[[SUQVgF address 1.1.1.1

Hope that helps!

Verify your IOS before reloading that router!

Rich — Tue, 22 Jul 2008 10:41:31 +0000

A lot of cisco techs are in the same position. You only have remote access to a router but need to perform an IOS upgrade. This might be to squash a bug or simply because Cisco TAC will not proceed with a TAC case until you do so.

How do you verify that the IOS image has not been corrupted between cisco.com and your device? Read on to find out!

All of the IOS downloads have an MD5 sum that identifies the original unaltered files. MD5 hashing is basically a way of taking an input, in this case the IOS, running it through a hashing algorithm and coming up with a string/Value. The important thing to note here is no matter who runs the IOS through the hashing algorithm, the output will always be the same. If even a slight change has been made to the file then the output will be different.

So, once your IOS is on the router you need to do the following:

router#verify /md5 disk0:c1700-advsecurityk9-mz.123-14.T7.bin

At this point the router will respond with the hash value of the file you have uploaded which can now be compared to the hash value from cisco.com. If these values do not match DO NOT RELOAD THE ROUTER!!! If you do the chances are you will end up with a paper weight until you can get out to site.
You should re-upload the IOS to ensure that it is correct and perform the above again. If you get a mismatched input then the chances are the IOS on your TFTP server is corrupt and you will need to re-download from Cisco.com.

Hope that helps you avoid those “uh oh” moments when a device doesnt return to service!

Thanks for reading.

Cisco related Ebay Bargains!!

Rich — Mon, 21 Jul 2008 19:45:33 +0000

As any of my colleagues will tell you, I suffer from what is almost an addiction to buying tech related items.
To name a few of my Ebay Cisco bargains, I picked up an ACS 1113 appliance for £129 and sold it for £1200, bought a Cat 500 24 port switch for £35 and an AP1242 for £70.

Its at this point that I am going to point you towards our ebay Feed, which will bring up any Cisco related Auction Items that are in their last 4 hours. This way you will never miss another bargain!

Check it out HERE!

Cisco VPN on iPhone

Rich — Mon, 21 Jul 2008 18:22:48 +0000

As some of you may know, Cisco VPN support was added to the iPhone as of Firmware 2.0.
I have tested the functionality and can report that not only does it work, but it is very easy to set up.

I tested the functionality last night by connecting into both of our Hosting site VPNs. It literally is as simple as configuring Cisco’s own VPN client.
Once configured you get a VPN section in the “settings” menu of the phone.
Multiple VPNs are possible too which was a concern when I first set out to configure it.

Anyway, I would post a config guide but it is very basic to set up. If you run into any issues leave a comment and we will see what can be done!

Cheers,

Cisco IOS - NEW Feature

Ray — Tue, 15 Jul 2008 08:32:47 +0000

Starting from IOS 12.4T Cisco are offering the facility for object groupings, those who use ASA/PIX will already be famliar with this concept. Benefits include allowing easier management of larger access lists as well as reducing configuration sizes. This can be implemented as follows:

Step 1. Define the Object Group:

! Define network type object-groups to group IP hosts and networks object-group network Engineering
10.240.12.0 255.255.255.0
10.245.10.0 255255.255.0
object-group network Web-Servers
10.1.1.0 255.255.255.0
host 10.10.10.100
object-group network Mail-Servers
10.32.1.0 255.255.255.0
! Define a service type object group to group you protocols and ports
object-group service Web-ports
tcp www
tcp 8080
object-group service Mail-ports
tcp smtp
tcp pop3
tcp 587
tcp 143

Step 2. Use Object Groups in ACL Configurations:

ip access-list extended access-policy
10 permit object-group Web-ports object-group Engineering object-group Web-Servers
20 permit object-group Mail-ports object-group Engineering object-group Mail-Servers

(All Examples used here and other new features can be found here)

Training Resources - CBT Nuggets

Ray — Fri, 11 Jul 2008 09:59:32 +0000

I was surprised recently when an IT professional told me they hadn’t heard of CBT nuggets! I thought I better put text to screen and quickly explain this valuable training resource…..

CBT Nuggets are short videos (nuggets) of information relating to specific areas of IT in relation to current exams. In short CBT Nuggets are a perfect accompaniment to the self studying students array of study guides, software and notes, great to quickly run through before an exam as well as providing the viewer with a good visual on the product/topic.

The videos are done by experts in the related fields, for example CCIE’s demonstrating various Cisco products and how to use them. Jeremy Cioara is one of the well known Cisco trainers, holding numerous qualification himself including multiple CCIE’s! His enthusiasm is present throughout the videos and really helps you to secure the knowledge, although it may border on fanaticism at times.

(Jeremy has his own blog at ciscoblog.com check it out! lots of interesting stuff)

Good Luck and get using CBT Nuggets!

Bluetooth to Serial adapters for Cisco Console Access

Rich — Fri, 11 Jul 2008 09:36:33 +0000

It seemed like a good idea to me, and when searching I found this:

http://www.microdirect.co.uk/ProductInfo.aspx?ProductID=17745&source=googleps

They aren’t cheap that for sure. Security also starts to become a concern, but I can imagine these being exceptionally useful. With the prevalence of Bluetooth in laptops it looks like a tidy idea!

Let us know what you think in the comments section!

New Cisco Router! SR 520

Rich — Wed, 09 Jul 2008 19:10:58 +0000

Looks like there will be new Cisco routers available soon. It was only a matter of time given the release of the 888, 860, 861 etc, especially given that an ADSL router wasn’t released at the same time.

Release notes here:

http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_15xz/rn_SR520xz.html

ASPROX SQL Injection Attacks - Block them using a Cisco router

Rich — Wed, 09 Jul 2008 09:40:01 +0000

Here is an interesting one.

Basically, the ASPROX SQL Injection attack appears to be quite commonplace at the moment, but also quite serious.
To cut it short, there is a 20,000 strong botnet out there trying these attacks against websites which use .asp.
The tool actually uses google to search for these sites and then attempts to exploit them by inserting an HTML iFrame which downloads a malicious Java Script which then installs a Trojan.

Carry on reading to find out how to block this on a Cisco router!

The config is as follows, please bare in mind that you will probably need a reasonably specced router and IOS for this. IP CEF is a pre-requisite. I have tested this on 7200 series, 1700 series and 2600 series so far, leave a comment if you have sucessfully tried this on another router!

Config:

The below access list and route-map is used to take any packets that have been tagged with a DSCP value of 1 and route them to a non-existant interface. You will learn how to tag them below!

access-list 130 permit ip any any dscp 1

route-map ASPROX_POLICY_ROUTE_BITBUCKET permit 10
match ip address 130
set interface Null0

The below class-map basically tells the router that we want to match when a specific string is seen in a URL. In this case, the string is part of the get request that the attack uses. Note the “\” which are needed before any bracket as a delimiter!

class-map match-any ASPROX_CLASS
match protocol http url “*DECLARE%20@S%20VARCHAR\(4000\);SET*”

The Policy-map below basically tags any packet matching the above class-map with a DSCP value of 1.

policy-map ASPROX_POL
class ASPROX_CLASS
set ip dscp 1

The rest of the config attaches both the route map and the Service policy to the interface.

Interface FastEthernet0/0
ip policy route-map ASPROX_POLICY_ROUTE_BITBUCKET
service-policy input ASPROX_POL

To confirm that this is being hit you can do a “show policy-map interface” on the router. You should see the packets incrementing. This of course assumes that you are actually seeing the traffic
If not, you could craft the URL yourself to confirm. So, taking this site as an example it would be:

www.cisconews.co.uk//?DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST

You should then see the packets increment.

Bare in mind that Microsoft released a tool to audit your source code for these vulnerabilities:

http://support.microsoft.com/kb/954476

Let us know if this was of any use to you in the comments!

Cisco IOS Packages

Ray — Fri, 13 Jun 2008 10:32:02 +0000

I have always found looking for a new router IOS quite a long process to ensure you pick not only a reliable IOS but one that has the correct functionality.

Believe it or not ‘if like me you had never actually counted’, in the past Cisco have had 48 available packages boasting different critical functionality such as cryptographic features or advanced routing capabilities and protocol support. Choosing the correct package could prove quite difficult, now however Cisco IOS packaging has changed in an attempt to improve the customer experience.

Cisco have now reduced the packages available to 8!, some of which you may recognise from the original available options. There is also the same shift in switch IOS as there is now only a small selection of critical feature sets to choose from which start from basic L2 services to added L3 functionality. The aforementioned ‘critical service’ packages are designed in a hierarchical model and designed to sit on top of each other so for instance, should you choose a package at the top level you will inherently gain all the ‘critical service’ functionally of the levels below.

Please see the following Cisco links for visual representations of the currently available packages, and happy choosing!….

Routing - http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/index.html
Switching - http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/prod_bulletin0900aecd80281b17.html