Harden Cisco IOS Devices

I am trying to "harden" my network devices:
- Cisco Catalyst 3750 (IOS Version 12.2(52)SE)
- Cisco Catalyst 3550 (IOS Version 12.2(52)SE)
- Cisco Catalyst 2960 (IOS Version 12.2(52)SE)
- Cisco Catalyst 2950 (IOS Version 12.1(22)EA13)
I found some very useful documents available at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf013.html
The problem is that I don't know what values/thresholds I should use on such features as:
- memory free low-watermark processor <threshold_in_KBytes>
- memory free low-watermark io <threshold_in_KBytes>
- memory reserve critical <value>
- exception memory minimum processor <value_in_Bytes>
- exception memory minimum io <value_in_Bytes>
- exception memory fragment processor <value_in_Bytes>
- exception memory fragment io <value_in_Bytes>
How can I know/troubleshoot how much memory the devices need to work properly?
How can I know when the devices reach a critical state?
I understand it will depend on what kind of features I have enabled but...what should I do to check how much memory the current configuration needs to work properly?
thanks in advance

The crashes were caused by "improper" configurations.
Among others, the switches were sending SNMP informs to 3 SNMP servers. During a period when those servers were disconnected for maintenance, the switches could not receive SNMP responses to the informs...eventually the switch memory was exhausted and it failed to allocate memory for other processes like "spanning-tree".
hint: On Layer 2 topologies make sure to implement features like "loop guard"
I was not expecting this at all... From that day forward I decided to harden configurations as much as I can.
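A way to turn the question above ("how much memory does this configuration need, and when is the device in trouble?") into something measurable, as an added example that is not code from the original post or from Cisco: it parses the `show memory statistics` output of a healthy device to get a baseline, derives `memory free low-watermark` values (in KB, the unit that command takes) from the Lowest(b) column, and then classifies later snapshots as ok, low, or fragmented. The column layout assumed is the classic-IOS one (Head, Total(b), Used(b), Free(b), Lowest(b), Largest(b)); the sample outputs are constructed, and the HEADROOM and FRAG_RATIO rules are illustrative assumptions, not Cisco guidance.

```python
"""Size IOS memory-watermark commands from 'show memory statistics' output.

Added example, not code from the original post or from Cisco. It assumes the
classic-IOS column layout of 'show memory statistics' (Head, Total(b), Used(b),
Free(b), Lowest(b), Largest(b)); the samples are constructed, and the sizing
rules (HEADROOM, FRAG_RATIO) are illustrative assumptions, not Cisco guidance.
"""
import re

# Constructed sample: a healthy switch (not captured from a real device).
SAMPLE_HEALTHY = """\
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor    2E80FB0    71500964    24738524    46762440    41101040    46762440
      I/O    C000000     4194304     2160052     2034252     2034252     2033944
"""

# Constructed sample: the same switch after a leak (e.g. unanswered SNMP informs)
# has eaten most of the processor pool.
SAMPLE_EXHAUSTED = """\
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor    2E80FB0    71500964    59500964    12000000    11500000      900000
      I/O    C000000     4194304     2160052     2034252     2034252     2033944
"""

# Constructed sample: free memory is still above the watermark, but no large
# contiguous block is left, so big allocations will still fail.
SAMPLE_FRAGMENTED = """\
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor    2E80FB0    71500964    41500964    30000000    29000000      900000
      I/O    C000000     4194304     2160052     2034252     2034252     2033944
"""

ROW_RE = re.compile(
    r"^\s*(Processor|I/O)\s+[0-9A-Fa-f]+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

HEADROOM = 0.5    # assumed: alert when free memory falls to half of the lowest ever seen
FRAG_RATIO = 0.5  # assumed: flag when the largest free block is under half of free memory


def parse_memory_statistics(text):
    """Return {'processor': {...}, 'io': {...}} with byte counts per pool."""
    pools = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or unrelated line
        pool, total, used, free, lowest, largest = m.groups()
        key = "processor" if pool == "Processor" else "io"  # 'io' is the IOS keyword
        pools[key] = {"total": int(total), "used": int(used), "free": int(free),
                      "lowest": int(lowest), "largest": int(largest)}
    return pools


def suggest_low_watermarks(pools, headroom=HEADROOM):
    """Derive 'memory free low-watermark' values in KB from the Lowest(b) column,
    i.e. the least free memory the pool has had since boot (the known-good floor)."""
    return {pool: int(stats["lowest"] * headroom) // 1024 for pool, stats in pools.items()}


def render_commands(watermarks):
    """Emit the IOS configuration lines for the derived values."""
    return [f"memory free low-watermark {pool} {kb}" for pool, kb in sorted(watermarks.items())]


def assess(pools, watermarks, frag_ratio=FRAG_RATIO):
    """Classify each pool: 'low' when free memory is under its watermark,
    'fragmented' when no large contiguous block remains, otherwise 'ok'."""
    status = {}
    for pool, s in pools.items():
        if s["free"] < watermarks[pool] * 1024:
            status[pool] = "low"
        elif s["largest"] < s["free"] * frag_ratio:
            status[pool] = "fragmented"
        else:
            status[pool] = "ok"
    return status


if __name__ == "__main__":
    baseline = parse_memory_statistics(SAMPLE_HEALTHY)
    marks = suggest_low_watermarks(baseline)
    print("\n".join(render_commands(marks)))
    print("healthy:   ", assess(baseline, marks))
    print("exhausted: ", assess(parse_memory_statistics(SAMPLE_EXHAUSTED), marks))
    print("fragmented:", assess(parse_memory_statistics(SAMPLE_FRAGMENTED), marks))
```

The point of the baseline is that the Lowest(b) column already records the worst the pool has seen under the current feature set, so a watermark placed below it will not fire during normal operation but will fire well before the allocation failures described in the follow-up. The fragmentation check matters separately because a pool can report plenty of free memory while still being unable to satisfy one large request; the `exception memory fragment` commands take bytes, so the `largest` value is the one to compare against them.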

Similar Messages

  • Enable "linemode" on Cisco IOS device

    Hi Experts,
    I would like to monitor some telnet traffic with tcpdump/wireshark. As I know, because of the mode between Telnet Client and Telnet Server these "double-characters" appear (when the client types something):
    From Cisco device we can connect to another device in line mode with a command like this:
    connect 10.0.0.1 /line
    But is there a way to use this option on all my VTY lines, on my AccessServer (2811 router)?

    Hi,
    There isn't any specific command to activate a tunnel using 3DES and the only thing is, the isakmp and ipsec policies should match on both the sides, which you are already aware of.
    Regards,
    Arul

  • Snmp tool to upload\download config on cisco ios devices

    Friends,
    please let me know if there are any free tools available for uploading and downloading configuration via snmp v2c rw access.
    I have checked and many are trial versions
    thanks

    Well, at least for download I used Kiwi CatTools; you can have up to 25 nodes with the free license.
    Also I used a plink script, but this is via SSH
    Check this also: https://supportforums.cisco.com/discussion/11531891/automatic-config-backups-routers-catalyst-switches-and-asa

  • Syncing notes, highlights, and bookmarks between iOS devices

    Hi,
    I've decided to digitize my technical library by purchasing ebooks from now on. The problem is which ebook format to go with. My ideal requirements would be to be able to purchase books from various sources and be able to read them both on my Mac and on iOS devices. Additionally, I want to be able to sync the highlights, bookmarks, and notes among all of these devices.
    Currently, the real winner that satisfies all of these conditions is Amazon's mobi format. The only problem is that I can only purchase books from Amazon if I go with this platform.
    On the other hand, Apple iBooks is a close second here - the lack of a solution for the Mac is a problem, but I am hoping that Apple is working on the iBooks application for the Mac. The syncing of notes, highlights, and bookmarks among various iOS devices is a nice feature, and it does not require a tethered connection to iTunes - instead, these items can now sync wirelessly among devices on the same iTunes account.
    My question is whether the syncing of notes, highlights, and bookmarks works only with ePub books purchased from Apple's iBooks store or if this feature works with unprotected ePub books purchased elsewhere and loaded on iOS devices via the iTunes syncing feature. For example, most of the technical books I am going to be digitizing are Cisco books published by Cisco Press. As of late, most of their ebooks are available in the unprotected ePub format, and I would be using the iBooks app to read these books. So, if I were to purchase ebooks from Cisco Press, would I be able to make a note in a book on one iOS device (e.g. iPad), and later see this note in the same book on my iPhone?
    Thanks!

    This page http://support.apple.com/kb/HT4059 says (I haven't tried it though):
    iBooks will automatically remember where you left off each time you close a book or return to your Home screen. Tap the bookmark icon in the upper-right corner to bookmark a specific page. Wirelessly sync your Bookmarks, Highlights, and Notes with your other devices using your iTunes Store account by tapping Settings > iBooks > Sync Bookmarks > ON.

  • ASA 5510 Remote Access iOS devices issue

    I'm having a weird issue that just cropped up in the last week or so. Previously, iPads and iPhones were working fine on our IPSec VPN, but now they don't work at all.
    The iOS device throws one of two errors:
    1. "Negotiation with the VPN server failed." (asks for user and pass first, then gives this error after about 30 seconds)
    2. "The VPN server did not respond." (might just be the intermittent 3G network I'm testing over)
    If the error is #1, the ASA says this:
    tacacs+ and aaa debug:
    user: testuser
    Tacacs packet sent
    Sending TACACS Start message. Session id: 11763, seq no:1
    Received TACACS packet. Session id:1263956303  seq no:2
    tacp_procpkt_authen: GETPASS
    mk_pkt - type: 0x1, session_id: 11763
    mkpkt_continue - response: ***
    Tacacs packet sent
    Sending TACACS Continue message. Session id: 11763, seq no:3
    Received TACACS packet. Session id:1263956303  seq no:4
    tacp_procpkt_authen: PASS
    TACACS Session finished. Session id: 11763, seq no: 3
    crypto isakmp debug (Negotiation with the VPN server failed.):
    Jun 11 15:09:57 [IKEv1]: IP = 174.232.18.200, IKE_DECODE RECEIVED Message (msgid=ad46fa43) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, processing hash payload
    Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, processing delete
    Jun 11 15:09:57 [IKEv1]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, Connection terminated for peer testuser.  Reason: Peer
    Terminate  Remote Proxy N/A, Local Proxy N/A
    Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, IKE SA AM:b19cbbe4 terminating:  flags 0x0941c801,
    refcnt 0, tuncnt 0
    Same error with a different debugging level and another tunnel group:
    Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, User (testuser) authenticated.
    Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, Assigned private IP address 10.1.50.175 to remote user
    Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, Forcing iPhone to host mask. <--is this forcing the mask to 255.255.255.255 because the iphone requires that?
    If the error is #2, the ASA says this:
    Jun 11 15:13:18 [IKEv1]: IP = 174.232.18.200, Connection landed on tunnel_group MobileDevices
    I've changed a lot of settings, but I haven't gotten anywhere. I've tried different tunnel groups and connection profiles. This setup works fine on a Windows computer with the Cisco VPN Client (5.0.07). ASA is running 8.2(5), split tunnel, no pfs, group name and psk, tried with and without peer ID validation, NAT-T (udp 500, 4500).
    Any ideas? Thanks in advance.

    Solved.
    Static Nat is solution.
    I have created rule as follows:
    nat (inside,outside) source static 192.168.1.0_24  2.2.2.2 destination static 172.16.1.0_24 172.16.1.0_24 no-proxy-arp

  • Basic questions about CISCO IOS

    Hi everybody, Jack here,
    I have some basic questions about the Cisco IOS, could someone help me addressing some of them please? Any feedback would be greatly appreciated.
    Basically, I have two IP addresses assigned by our Cable ISP. From what I understood you can configure a Cisco router for multiple IP addresses using the IOS, thereby allowing someone like myself to take advantage of having multiple IP addresses. This may seem unnecessary to some, but I've always wanted to put the 2nd IP address to use, since after all, I've been paying for it.
    I was just wondering if someone could confirm that what I'm hoping to accomplish is indeed within the capability of the Cisco IOS (i.e. Fully utilize my 2 IP addresses). As well, if someone could kindly suggest a decent CISCO router for online gaming home use that would be super awesome!
    Thank you all so much for reading through the wall of text:)
    Jack

    Jack
    Certainly using multiple IP addresses is in the capability of Cisco IOS routers. How they can be used depends on the relationship of the IP addresses. I am assuming that we are talking about IP addresses assigned for the user to use and that the IP address for the ISP connection is not one of these that we are talking about.
    If both of the IP addresses that you have been assigned are within the same subnet then you would assign one of the addresses to the router interface to establish IP communication between the router and the ISP and to enable Internet connectivity for the devices inside your network that will use the router as their gateway to the Internet. The other address that is assigned can be used for address translation and in particular for static address translation which would make one of your devices inside to be reachable for connections initiated from the Internet (if that is something that you might want to do).
    If the addresses that are assigned to you are in different subnets then you could assign one address to the outside router interface and assign the other address to the router inside interface. Or you could use the second address for address translation.
    I do not have much expertise with online gaming, but I would think that either the Cisco 881 router or the 890 router might be appropriate for you. If 100 Mb connection is sufficient then probably the 881 would be the one to look at. If you need Gig connection then look at the 890.
    HTH
    Rick

  • Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring

    Hi all,
    I am implementing Cisco Prime Collaboration to monitor the quality of the VoIP call.
    I am following all the steps that I have to do to accomplish this task at this link:
    http://docwiki.cisco.com/wiki/Setting_up_Devices_for_Prime_Collaboration_Assurance#Configuring_Unified_Contact_Center_Enterprise_Devices
    And now I have arrived at this step:
    Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring
    Not all the Cisco devices that I have on the network have "Mediatrace, IP SLA and Performance Monitoring" capabilities. The core switch is one of them.
    What will happen if some devices are configured with these capabilities and some are not?
    Are the data provided from Cisco Collaboration still reliable?
    Thanks in advance.
    Luigi

    I can't see a reason why the 2 features won't work together. The 2 features will work just fine with each other.
    Unfortunately there is no sample config with both features in the same document, but it will work just fine.

  • Hairpin Turn on an IOS device?

    I have remote access VPN users terminating their connection to the outside of my router, how do I let them use my internet connection?
    I know that in 7.0 code for the PIX/ASA the keyword "same-security-traffic permit intra-interface" will accomplish hairpin turns; do IOS devices have a similar command?

    Here ya go...Public internet on a stick for ios.
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
    Please rate if it helps.

  • ISE profile / posture IOS device

    is there a way to profile or posture an iOS device as to whether or not it has been rooted?
    our Corporate policy would like to say that if rooted, you get zero access.
    Thanks
    Scott

    No - future MDM integration that Cisco is working on should be able to bring this type of information to ISE. Cisco have indicated MDM integration is coming in Q4 2012.
    Sent from Cisco Technical Support iPad App

  • Cisco IOS XE is vulnerable to CVE-2014-0160 - aka Heartbleed CSCuo19730 on Cisco 4500E IOS XE?

    Hello Experts,
    I need to find out what exact IOS XE software version on the Catalyst 4507E will be affected by Heartbleed.
    Cisco WS-C4507R+E
    WS-X45-SUP7-E
    Thanks in advance.

    @apieper, looking at the bug details, it doesn't look like you are affected.
    Conditions:
    Cisco IOS XE devices running release 3.11.0S, 3.11.1S or 3.12.0S and with the WebUI interface over HTTPs enabled. No other versions of Cisco IOS XE are affected.
    Devices with the WebUI interface enabled and using HTTPs as transport protocol will include the following configuration:
    transport-map type persistent webui http-webui
    secure-server
    ip http secure-server
    transport type persistent webui input http-webui
    Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPs as transport protocol are NOT AFFECTED by this vulnerability.
    Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S and with the HTTPs server enabled (by including in their configuration the line "ip http secure-server") are NOT affected. Both the HTTPs server and the WebUI interface need to be enabled for a device to be vulnerable.
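A configuration check for the conditions quoted in the reply above, as an added example that is not code from the bug report, from Cisco, or from the reply's author: it parses a running-config excerpt, resolves the transport-map referenced by `transport type persistent webui input`, and reports exposure only when the release is one of the three listed and both `ip http secure-server` and a WebUI transport map containing `secure-server` are active. The release set and the configuration lines are taken from the reply; the sample configs, function names and return shape are assumptions.

```python
"""Check an IOS XE running-config for the CSCuo19730 exposure conditions.

Added example, not from the bug report or the reply. The affected releases and
the configuration lines are those quoted in the reply; the sample configs are
constructed for illustration.
"""
import re

AFFECTED_RELEASES = {"3.11.0S", "3.11.1S", "3.12.0S"}  # per the quoted bug conditions

# Constructed: WebUI enabled over HTTPS (the exposed combination).
SAMPLE_WEBUI_HTTPS = """\
!
transport-map type persistent webui http-webui
 secure-server
!
ip http secure-server
transport type persistent webui input http-webui
!
"""

# Constructed: WebUI enabled, but its transport map carries no 'secure-server'.
SAMPLE_WEBUI_HTTP = """\
!
transport-map type persistent webui http-webui
 server
!
ip http secure-server
transport type persistent webui input http-webui
!
"""

# Constructed: HTTPS server on, no WebUI at all.
SAMPLE_HTTPS_ONLY = """\
!
ip http secure-server
!
"""

MAP_RE = re.compile(r"^transport-map type persistent webui (\S+)$")
INPUT_RE = re.compile(r"^transport type persistent webui input (\S+)$")


def config_lines(config):
    """Top-level (unindented) lines, stripped."""
    return {line.strip() for line in config.splitlines() if line and not line.startswith(" ")}


def parse_transport_maps(config):
    """Return {map_name: set(child lines)} for each WebUI transport-map block.
    Children are the indented lines that follow the block header."""
    maps, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" "):
            if current is not None:
                maps[current].add(raw.strip())
            continue
        m = MAP_RE.match(raw.strip())
        current = m.group(1) if m else None
        if current is not None:
            maps[current] = set()
    return maps


def webui_over_https(config):
    """True when a WebUI input transport is bound to a map that has 'secure-server'."""
    maps = parse_transport_maps(config)
    for line in config_lines(config):
        m = INPUT_RE.match(line)
        if m and "secure-server" in maps.get(m.group(1), set()):
            return True
    return False


def assess_heartbleed_exposure(release, config):
    """Return (exposed, reason). All three conditions from the reply must hold:
    affected release, HTTPS server enabled, and WebUI transported over HTTPS."""
    if release not in AFFECTED_RELEASES:
        return False, f"release {release} is not in the affected set"
    if "ip http secure-server" not in config_lines(config):
        return False, "HTTPS server is not enabled"
    if not webui_over_https(config):
        return False, "WebUI is not enabled over HTTPS"
    return True, "affected release with WebUI over HTTPS enabled"


if __name__ == "__main__":
    for name, cfg in [("webui-https", SAMPLE_WEBUI_HTTPS), ("webui-http", SAMPLE_WEBUI_HTTP),
                      ("https-only", SAMPLE_HTTPS_ONLY)]:
        print(name, assess_heartbleed_exposure("3.11.1S", cfg))
    print("newer release", assess_heartbleed_exposure("3.13.0S", SAMPLE_WEBUI_HTTPS))
```

Resolving the transport-map by name rather than grepping for `secure-server` anywhere in the file is the part that matters: the same `ip http secure-server` line is present on many devices that are not exposed, and the reply's last sentence is exactly that distinction.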

  • Cisco View Device Manager

    Hi,
    is there anybody who can tell me how to bring the Cisco View Device Manager for the 6500 up? I've installed CVDM V.1.1 in the bootflash of my 6500; the IOS version is 12.2(18)SXF4 enterprise services. The Java installed on the client is v.1.4.2_06. After launching the CVDM without proxy settings the window starts gathering information; after a few seconds it stops with an error "java.lang.NullPointerException". This failure appeared with Mozilla 2.0.0.8 and IE 6.0; on the 6500 all vty lines are idle. Is anybody here who can help to solve the problem?

    Here the text from the readme file; try to get the zip-file via the Bug-Id:
    09-December-2005
    This patch provides fix for the following bug:
    CSCsc10956 - CVDM 1.1 does not work with 12.2(18)SXF
    SUPPORTED IOS VERSION:
    12.2(18)SXF
    SIZE:
    5,593,057 Bytes
    DOWNLOADING AND MOVING FILES TO TFTP SERVER:
    cvdm-c6500-1.1-CSCsc10956.zip contains the following two files
    * cvdm-c6500-1.1.tar and
    * cvdm-c6500-1.1_K9.tar (for Cisco IOS Cryptographic software)
    Unzip cvdm-c6500-1.1-CSCsc10956.zip and copy one of the tar files to a TFTP server
    Make sure to enter filenames exactly as they appear; (filenames are case-sensitive).
    TRANSFERRING FILES TO YOUR SWITCH:
    Step 1 : Access the switch CLI using a Telnet connection or the console port.
    Step 2 : Transfer the files from the TFTP server to the bootflash of the switch. Issue
    the following command:
    # archive tar /xtract tftp:// / bootflash:
    where is the filename of the CVDM-C6500 tar file you want to install
    and is the IP address of the TFTP server. Make sure to enter filenames
    exactly as they appear (filenames are case-sensitive). Make sure you are not in
    configuration mode when issuing the archive command.
    Step 3 : If you are not in configuration mode, issue the following command:
    # configure terminal
    Step 4 : Set HTTP server and path. For example:
    # ip http path bootflash:
    Please refer to cvdm-c6500-1_1_readme.pdf at http://www.cisco.com/cgi-bin/tablebuild.pl/cvdm-6k for
    further details on CVDM-C6500.

  • Problems connecting iOS devices with new Comcast wireless cable modem?

    Just installed a new cable modem from Comcast; it is their new high speed unit manufactured by Cisco. Of the three iOS devices I've tried, all currently running the OS , all are having problems connecting, with the error "Unable to join the network "Home-XXXX""; if you keep asking it may connect but I have to be persistent. My devices are an iPad 4G Retina with 30-pin connection, an iTouch, latest model with camera, and a current iPad mini. Is it me or the modem?

    You have probably already solved this issue, but I would hide the Comcast wifi network (don't broadcast the SSID) and make the password very hard. Make sure that you put it on a channel that does not conflict with your Airport Extreme.
    Connect the Comcast modem/router to the Airport Extreme's WAN port with an ethernet cable.
    Comcast usually ships with DHCP enabled. Use the Comcast DHCP server for your Airport.
    Configure the Airport Extreme to "create a network" and set the network to "bridge mode".
    Name your network and broadcast the SSID all on the Airport. Now all your devices will connect every time. You can use the Comcast "private" wireless network for maintenance, etc.
    Just some thoughts... good luck

  • Nat in Cisco 4900M device

    Hi there
    Do you know if it's possible to configure NAT in a Cisco 4900M device? Is it possible by upgrading the IOS version, or can we only do it with a Cisco 6500 device?
    Version 15.0(2)SG, RELEASE SOFTWARE (fc4)

    Layer 3 switches, except for the 7200, will NEVER support NAT.  Period.

  • Sleeping iOS Device, Waking Up After Roam & EAP Authentication

    Has anyone here (Scott Fella, maybe?) experienced an iOS device waking up from sleep and completing a successful EAP authentication?
    All the Cisco recommended WLC tweaks discussed on these forums (load balancing off, lower data rates disabled, etc.) have been implemented.  The WLAN is very well designed with proper SNR, channel separation, etc.  Still, iOS devices will wake up having roamed to a new AP and take 20 seconds or more to authenticate.  This is in a retail environment with customers staring, waiting.  20 seconds can be a long time with a customer staring at you.  Non iOS devices do not have the issue.  iOS devices on an open SSID do not have an issue, so I'm questioning EAP timing and wonder if anyone here can chime in with suggestions.
    Any insight appreciated.

    It should be done within seconds. Could you give us the output of the following commands?
    Show sysinfo
    Show wlan x
    Debug mac x from a client waking up?

  • The registration authority's response is invalid when provisioning iOS devices

    I'm working on a BYOD deployment and I've run into a snag. When a Windows PC runs through the provisioning process it receives a certificate without any issues, but iOS devices fail with the error: The registration authority's response is invalid.
    Any ideas on what is causing this?

    To upload offline client provisioning resources, complete the following steps:
    Please update the patch using the below details and try it.
    Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
    Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
    Choose from the following Off-Line Installation Packages available for download:
    • win_spw--isebundle.zip — Off-Line SPW Installation Package for Windows
    • mac-spw-.zip — Off-Line SPW Installation Package for Mac OS X
    • compliancemodule--isebundle.zip — Off-Line Compliance Module Installation Package
    • macagent--isebundle.zip — Off-Line Mac Agent Installation Package
    • nacagent--isebundle.zip — Off-Line NAC Agent Installation Package
    • webagent--isebundle.zip — Off-Line Web Agent Installation Package
    Step 3 Click Download or Add to Cart.
