Blog: Cisco

I recently migrated a pair of ATMs from behind a Microsoft Threat Management Gateway to a Cisco ASA. During the cutover the change was made very quickly so that the VPN traffic for the ATMs was not interrupted.

A few weeks later the ATMs started having problems when the Internet connection was disrupted. The VPN tunnels were connected, but the ATM provider was receiving reset packets from the ATMs. I discovered the ATMs were communicating with the ATM provider using TCP port 2000.

Normally TCP 2000 is used by the Cisco Skinny Client Control Protocol (SCCP), and SCCP traffic inspection is enabled on the ASA by default. The resets stopped after removing SCCP inspection from the global policy.

To disable SCCP inspection on the ASA:

CiscoASA# conf t
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect skinny


 

When you look at a MAC address on a Cisco router or switch, it is displayed as three groups of four hexadecimal digits separated by dots. Windows displays a MAC address with dashes between each byte, and Linux with colons between each byte. Many people edit MAC addresses into the Cisco format in order to paste them into a Cisco config. You can simply remove the dashes, or paste the address with colons, and Cisco devices will accept it; however, they will not take dashes as delimiters.


 

On newer model Cisco small business switches, the interface VLAN mode designations are different from what you might expect:

  1. The default mode is "Trunk". This is not the same as "switchport mode trunk" on enterprise Cisco switches. This mode can be left as is for plugging in a host, but it is actually best used when setting up link aggregation.
  2. The "Access" mode is similar to the "switchport mode access" command on enterprise Cisco switches and is the mode that should be used when setting up multiple VLAN access on a switch.
  3. The "General" mode is comparable to the "switchport mode trunk" command on enterprise Cisco switches. This is the mode an interface should be set to when 802.1Q VLAN tagging needs to be configured.

 

While doing research on Cisco firewall logins, I stumbled on some information that discusses a Wireshark feature called “Follow TCP Stream”. This feature allows you to follow a particular TCP conversation between two or more hosts. It finds all the TCP packets between a particular source and destination and reassembles the data transferred in that exchange into a readable form. In effect, the “Follow TCP Stream” feature acts as a filter, but it is not limited to a single IP address or protocol. It will pick up any packets sent to or from the designated host.

 

To use the feature, start Wireshark, right-click an already captured packet you are interested in and select “Follow TCP Stream”. You can also elect to follow UDP or SSL streams.


 

Gotcha 1: An alternative to using TFTP for transferring files to and from network devices is SCP (secure copy). SCP uses port 22, just like SSH. I’ve encountered two “gotchas” with using SCP with Cisco equipment, though. 1) WinSCP is not compatible with Cisco equipment. 2) PSCP (PuTTY SCP) requires the -scp switch, because it defaults to the SFTP protocol.

Gotcha 2: ESXi 5.1 has new hardware requirements. The requirements can be found here, and the VMware Compatibility Guide lets you search by vendor and server model to see whether a server is compatible. (In particular, the feature that was missing from Crowell State Bank’s servers was the NX/XD CPU feature.)

Note that ESXi 5 (Patch 4) or higher is required to run Windows Server 2012.


 

The control-plane option is used to apply an access list to traffic destined to the device itself. Normally, access lists applied to interfaces control traffic flowing through the ASA. When the “control-plane” keyword is added, the access list instead controls traffic that terminates on the ASA. This is useful when you want to limit the traffic that is permitted to terminate on the ASA (e.g. to VPN-related traffic only).

access-group device_access_in in interface inside control-plane

One important thing to note is that access control rules for to-the-box management traffic (defined by commands such as http, ssh, or telnet) have higher precedence than an access list applied with the “control-plane” option. Such permitted management traffic will therefore be allowed in even if it is explicitly denied by the access list applied with the “control-plane” option.
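As an added illustration (not from the original post), here is an ASA access list that allows only IPsec VPN traffic to terminate on the outside interface and is applied with the control-plane keyword; 203.0.113.1, the management subnet and the list name are placeholders.

```cisco
! Added example, not from the original post. 203.0.113.1 stands in for the
! ASA's outside interface address; adjust names and addresses to your setup.
!
! Only IKE (UDP/500), NAT-T (UDP/4500) and ESP may terminate on the ASA.
access-list device_access_in extended permit udp any host 203.0.113.1 eq isakmp
access-list device_access_in extended permit udp any host 203.0.113.1 eq 4500
access-list device_access_in extended permit esp any host 203.0.113.1
! Log what is dropped so unexpected to-the-box traffic shows up in syslog.
access-list device_access_in extended deny ip any any log
!
! The control-plane keyword applies the list to traffic terminating on the
! ASA rather than to traffic passing through it.
access-group device_access_in in interface outside control-plane
!
! Management access granted with "ssh", "http" or "telnet" takes precedence
! over this list, so restrict those statements separately, for example:
ssh 192.0.2.0 255.255.255.0 inside
!
! Verify hit counts with: show access-list device_access_in
```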


 

I had been helping a vendor install Cisco VPN Client and the installation kept failing with “Error 27850.  Unable to manage networking component.  Operating system corruption may be preventing installation.”

As it turns out, other VPN software was installed and bound to the local network adapter. By default, Windows 7 allows a maximum of 8 network filter drivers to be assigned to a network adapter.

The image at the following link shows a good example of adding more than 8 network filters to an adapter: https://supportforums.cisco.com/thread/2015629#3067225

The maximum number of filter drivers for Windows 7 can be set to 14.  To increase the value from the default, the change must be done in HKEY_Local_Machine\System\CurrentControlSet\Control\Network\MaxNumFilters.  Increasing the value to 14 allowed the Cisco VPN Client installation to complete.


 

While testing a honeypot solution on our network I noticed some interesting traffic. I was seeing consistent UDP broadcasts (port 43440) from various ThinkPads on our network. The packets showed "Lenovo ThinkPad" in clear text but nothing else helpful. After more research I discovered these broadcasts were generated by the power management driver on the ThinkPad. The only way to stop the broadcasts was to stop the power management service.

But it seemed odd that the power management service would send UDP broadcasts. More research indicated this was part of the Cisco EnergyWise initiative. EnergyWise is designed to give hardware manufacturers a method to manage power settings on network-attached devices via a Cisco switch. Several hardware companies are on board, but Lenovo appears to be the only PC or laptop manufacturer that is participating.

Links:
http://forums.lenovo.com/t5/T61-and-prior-T-series-ThinkPad/ThinkPad-Power-Manager-3-52-pwmewsvc-exe-broadcasting-data/ta-p/439107
http://www.cisco.com/en/US/solutions/ns726/intro_content_energywise.html


 

Cisco IOS devices can use virtual tunnel interfaces (VTI) to create a GRE tunnel interface that is protected by IPsec. The encryption protection is configured from within the GRE tunnel interface itself.

You still need a pre-shared key and the other IPsec configuration options (such as ISAKMP policies and transform sets) to match on both ends.

I have not tested a VTI tunnel using NAT or PAT.  (I believe that PAT is incompatible with VTI connections, because all traffic uses GRE packets, which cannot be port address translated.)
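As an added example (not from the original post), the IOS configuration for one end of such a protected GRE tunnel; the peer mirrors it with the addresses swapped. The addresses, interface names and the pre-shared key are placeholders.

```cisco
! Added example, not from the original post; addresses and the key are
! placeholders. Shown for one router; the peer mirrors this configuration.
!
! Phase 1: the ISAKMP policy and pre-shared key must match on both ends.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
! Phase 2: transform set and the IPsec profile the tunnel will use.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI-PROT
 set transform-set TS-AES
!
! The protection is attached inside the tunnel interface; no crypto map on
! the physical interface is needed. The tunnel carries the routed traffic
! as GRE, which is then encrypted by the profile.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile VTI-PROT
!
! Route the remote network over the tunnel as with any GRE interface.
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Verify with: show crypto session, show crypto ipsec sa, show interface Tunnel0
```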


 

After working with SecurID to migrate to a new server (which requires a completely new server, a fresh install of the software, access to the original seeds, a backup and restore of the current database, etc.), we finally got the RADIUS server responsive, but I still could not get it working with the Cisco routers. One particularly aggravating issue that held me up for a while is that the router not only allows the configuration of multiple RADIUS servers, but also allows multiple entries for the same server. Thus, if you initially use the wrong port numbers and then re-enter the line with the correct port numbers, the line with the incorrect information remains active and your RADIUS tests will continue to fail.

Lesson learned:  Sometimes you have to read through your configuration again, to make sure everything is the way you “know” it is.
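As an added example (not from the original post), the IOS configuration sequence that reproduces the duplicate-entry problem above and the commands that clean it up; the server address, shared secret and test credentials are placeholders.

```cisco
! Added example, not from the original post. 192.0.2.10 and the key are
! placeholders for the SecurID RADIUS server and its shared secret.
!
! First attempt, typed with the legacy RADIUS ports.
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key PLACEHOLDER-KEY
!
! Re-entering the host with the right ports does NOT replace the first
! line: IOS treats a different port pair as a second, separate server
! entry, and the stale one stays active in the running configuration.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
!
! Check what is really configured before chasing the server side:
! show running-config | include radius-server host
!
! Remove the stale entry; the ports must be given so IOS matches that line.
no radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
!
! Then test authentication from the router itself:
! test aaa group radius PLACEHOLDER-USER PLACEHOLDER-PASSCODE new-code
```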