Cisco IOS AnyConnect SSL VPN Configuration

15 September 2011

Cisco have been pushing the new versions of their AnyConnect client for some time now. They have also announced as End of Sale the traditional IPSEC based client which has been around for a number of years. This means that the IPSEC client will not be available on new OS platforms and is also not supported on 64 bit platforms.

The new client is the AnyConnect Secure Mobility Client which will be the platform to use moving forwards.

At the head end, both Cisco ASA Firewalls, and IOS based routers with the correct software image are supported. Licenses are required on both platforms – which is a change from Cisco as on the ASA platform in particular, the cost of IPSEC VPN was bundled into the unit cost.

Attached is a sample config for an IOS based router. You will need version 15 to get this to work properly.

ip http server enable
ip http secure-server enable
!
ip local pool client-pool 10.255.255.1 10.255.255.10
!
webvpn gateway SSLVPN
ip address X.X.X.X port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3096684075
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-3.0.3054-k9.pkg sequence 1
!
webvpn context SSLVPN
ssl authenticate verify all
!
!
policy group SSLVPN_Policy
functions svc-required
svc address-pool “client-pool”
svc keep-client-installed
svc split include 10.1.200.0 255.255.255.0
svc split include 192.168.100.0 255.255.255.0
default-group-policy SSLVPN_Policy
gateway SSLVPN
max-users 10
inservice

Barry Hesk

HP launch new enterprise security software packages

13 September 2011

Hewlett Packard (HP) have announced new enterprise security software packages based on products that have been aquired in the last couple of years.

ARCSight, TippingPoint and Fortify Software have been combined into a single overarching management platform to give a central view of network operation and risk management.

Barry Hesk

Diginotar SSL certificate attack

6 Sep 2011
It’s been widely reported in the press that Dutch Certificate Authority (CA) Diginotar was breached by hackers. As a result, 531 digital certificates were fraudulantly issued including for several *.google.com domains.

A good article describing what happened is available here:

http://www.theinquirer.net/inquirer/news/2106065/major-domains-targeted-diginotar-ssl-attack

Mozilla (author of Firefox) has taken the unique step of removing Diginotar’s root CA from it’s trusted list within its broswer; this means that Firefox will no longer trust ANY site that is using a cetificate that was issued Diginotar.

Expect the fallout from this to continue for some time yet….

Barry Hesk

Cisco ASA 8.3 NAT

Cisco ASA Version 8.3 (and now 8.4) has been out and shipping for quite some time. Based around our own experiences, and some feedback from customers we’ve been researching.

The following link provides a really helpful overview of what has changed in version 8.3 and higher.

http://www.thenetworker.co.uk/blog/?p=1

It’s fair to say that NAT in 8.3 does cause confusion and is a radical departure from what was in place previously. In our minds, it’s much more aligned to the way that Checkpoint perform NAT on their platforms. It is also worth pointing out that in our experience, migrating from 8.2 to 8.3 does not work smoothly, or in some cases at all, and you will almost definitely need to rebuild your NAT from scratch at version 8.3. If you’re planning an upgrade to 8.3 or 8.4 please bear it in mind, and that you may need to completely rework your NAT. For most people this is not a massive issue as typically you may have a couple of static NAT entries, some exclusions for VPN traffic, and a dynamic interface based statement to catch everything else. However, if you have anything a little more complex, like policy NAT make sure you test and test again to ensure it’s all working ok.

Barry Hesk

Cisco Unity Connection 8.5 Installation Woes

Aug 27 2011
It’s been brought to our attention that there are a number of issues relating to a new installation of Unity Connection 8.5. Various problems have been reported including the installation DVD failing a media check, the installation process hanging for 30 minutes or more, and various other crashes being reported.

We are currently trying to define a process for a smooth installation and will post back here when we’ve finished our testing. It may be worth going straight to the newest release – version 8.6, rather than going with 8.5.


This link gives a few more details.

Barry Hesk

Cisco EoS Announcements

Aug 2011

In recent weeks, Cisco Systems have announced a slew of End of Sale (EoS) notices including the entire Unity voicemail line (as predicated by Intrinsic in an earlier post)

Unity is now officially EoS with Unity Connection being the recommended replacement product. Cisco Speech Connect, which provides Speech Recognition services to voicemail deployments is also EoS as a standalone product, as it has now been integrated into Unity Connection 8.5.

Also subject to EoS are the Cisco 7921 wireless handset (replaced with the more expensive 7925 version) and a couple of Gigabit models of the 2960 switch which are replaced with 2960S versions. Cisco 7911 handsets are also now EoS with the recommended replacement being the 6921.

Barry Hesk

RIM Announce MVS Version 5.1

11 May 2011
RIM used this year’s Blackberry World Conference to announce MVS version 5.1. This is an update to the already Generally Available version 5.0 which brings Voice over WiFi support to Cisco Unified Communications Manager and Cisco Unified Communications Manager Express PBX platforms.

MVS Version 5.1 extends the PBX support to Avaya and Nortel PBX systems widening it’s appeal.

An interesting additional feature is the ability for the hand held to detect when it’s WiFi signal is weakening to the point of being unusable and warning the user before the call drops.

We’ll be testing version 5.1 and will report back here.

Barry Hesk

Well.. It’s happened already!

09 May 2011
It’s happened a little quicker than we expected. One of our clients requested a new block of IP addresses from their ISP. Guess what, IPv6 addresses were allocated to them with the ISP saying that they didn’t have any IPv4 addresses left.

Fortunately, the client has equipment in the form of firewalls, IPS and routers that can all handle IPv6, however they are now asking serious questions about how IPv6 to IPv4 interworking is going to work.

Equally as fortunately, we’ve been preparing for this and can offer advice and guidance on what will, and won’t work. As we move forward, this is something that a lot of businesses, including ourselves, are going to have to consider.

Barry Hesk

Cisco Identity Services Engine Announced

20 April 2011
Cisco Systems announced on 19/3/2011 their new Identity Services Engine (ISE) platform which is the one of the main components of their over arching Trustsec architecture.

The full product brief is here:
Cisco ISE

ISE according to Cisco will tactically replace the existing NAC Appliance deployment model. NAC appliance will still be supported by Cisco and isn’t end of sale at the time of writing, however according to Cisco┬áall new┬áinstallations should be delivered on ISE once it is shipping.

The ISE platform, according to the Cisco product release material, also seems to be targetted as a replacement for Cisco Secure ACS and migration part codes are available. Some ACS configurations do however require version 2.0 of the ISE software to become available before migration should be attempted.

AIM2-CUE in 2900 Series ISRs

18 April 2011:Another little gotcha for you.

The AIM2-CUE modules do NOT work in the new 2900 series ISR G2 platforms. They’ve been around (and are still shipping) for the 2800 series platforms, however they will neither fit nor work in the 2900 series units.

The replacement part code is ISM-SRE-300-K9 which will need CUE 8.x loading on it.

Also, licensing in CUE 8.x has changed and you now no longer receive any port or user licenses as standard (you used to receive 6 port licenses and 12 mailbox licenses as part of the AIM2-CUE bundle). The part codes that now need to be ordered are:

L-FL-CUE-PORT-2=
L-FL-CUE-IVR-2=
L-FL-CUE-MBX-5=

 These are the VM port licenses (in blocks of 2), IVR (including database access again in blocks of 2) and mailboxe licenses (in blocks of 5). 

The Version 8.x GUI has now changed radically as well, and you can no longer use it to configure CUCME.

´╗┐