WAN encryption in cisco 805

Similar Messages

• Encryption on Cisco 7940, 6921, 6941, 8961 & ATA 187

  Hi,
  We have CUCM ver 8.5 (Cluster of 2 servers, publisher & subscriber) registered with multiple 7940, 6941, 6921, 8961 phones along with few ATA 187 boxes. Everything is working fine but suddenly now business wants to enable security by encrypting data flow from few of these phones. These include 7940, 6921 and 8961 series phones, for testing purpose we had arranged the 2 security dongles needed for certificate generation. Followed each step whatever has been given in the below link.
  https://supportforums.cisco.com/docs/DOC-18834
  Observation :- Cisco 7940 Phones (SCCP)
  CTL file is succesfully downloaded but when trying to push LSC  from call manager through "CAPF information" using "Authentication String" getting  "TLS error to x.x.x.x" after the phone power cycles (reset). Also once the authentication string is put on "LSC" under the "security settings" we get a "Connection Failed" error.
  Due to which we are unable to register the phones using secure profile (LSC not getting downloaded).
  Cisco 69xx Phones(SCCP)
  No security related settings seen on the phone itself --- do we need a specific firmware load / Call manager version for security to work on these phones (Cisco 69xx phones).
  Update - Upgraded cisco 69xx phones to load version 9.1.1, now able to see the securuty settings
  But still facing the same issue faced for 7940 phones, also the logs int the .txt file are similar. (pasted below)
  Also as per cisco document these phones support security, link below...
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/6921_6941_6961/8_0/english/admin/guide/6921net.html#wp1092086
  Didnt try any further with 8961 & 6921 phones as got stuck with the above 2 phones.
  Troubleshooting Done:
  Checked & verified the serial number of the certificates on call manager (CAPF.pem & CallManager.pem with CTL contents), verified the hash value of CTL file with the CTL file downloaded on phone everythings is perfect and matching but still the LSC`s are not getting downloaded on the phone.
  Also there is no cer files generated in the path below except for the .txt file (screenshot below).
  "file list activelog /cm/trace/capf/sdi"
  common error seen in the .txt file is as pasted below..
  16:20:21.474 |   debug ERROR:10.1.200.45: SSL3 alert write fatal handshake failure
  16:20:21.474 |   debug ERROR:10.1.200.45: capfSSLHandShake Handshake failure
  16:20:21.474 |   debug ERROR:Failed SSL handshake, calling capfReleaseSession() on deviceId: (null)
  16:20:45.549 |   debug FD_ISSET i=0, SockServ=15
  16:20:45.549 |   debug Accepted TCP connection from socket 0x00000015
  CUCM ver - 8.5.1.10000-26
  7940 Load information - P00308010200
  6941 Load INformation - 8.5.1.66.22
  Any help will be highly appreciated.....

  Hello, did you solve this issue?
  We are facing a similar situation, kindly add any solution
  Appreciate your reply
  Regards,
  Mathew

• MD5 Encryption in cisco IOS

  Hello,
  the encrypted password (MD5) in my Cisco devices is in 30 characters instead of 32.
  could someone let me why is not in 32 characters ? can I see the saved password in 32 characters ?
  Many thanks for your help.
  Regards,

  Check the links below...
  http://www.oracle-base.com/articles/9i/StoringPasswordsInTheDatabase9i.php
  http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_obtool.htm
  -Ammad

• WPA2 Aes encryption on cisco 1121G AP

  hi
  i wanted to increase the security on my 1121G accesspoint by enabling wpa2 with aes encryption. in a test environment i set this up and i configured my wireless client to connect, my wireless client (ibm thinkpad t42p with 11a/b/g Wireless LAN Mini PCI Adapter II has the ability to either select WPA or WPA2 and whether you use TKIP or AES. i selected WPA2 and AES enter the encryption key which i had entered on the AP and i connected,
  i change the settings on the client to WPA and TKIP and entered the same encryption key and i managed to connect as well, which puzzles me, when i enter an incorrect encryption key it won't associate.
  is this normal behaviour or do you think i have configured something incorrectly on the 1121G AP?
  i have attached my config and have removed some personal data.
  many thanks
  rogier

  i have finally figured it out, it is the windows client or mac clients being very smart, if you configure your windows client to use WPA instead of WPA2 and select TKIP instead of AES encryption somehow it figures out this is incorrect and automatically sets the WPA to WPA2 settings and changes TKIP to AES encryption, i am amazed, i finally figured it out when a windows machine which did not have the windows patch to allow it to connect to WPA2 could not connect, only after installing the WPA2 patch would it connect. in the AP log it always showed as logging in with the WPA2 EAS encryption.
  i guess windows xp is a bit smarter than i originally thought

• What encryption is used to encrypt the Cisco Secure ACS: SE backup file?

  What algorithm and key strenght is used when I check the Encrypt Backup File option in ACS:Solutions Engine?

  The ACS backup is encrypted with RC2 40 - method RC2 40 bits encryption. The encryption
  option allows to further encrypt the already encrypted database, for the transmission
  between ACS & the ftp server.
  Regards,
  ~JG
  Please rate helpful posts

• Cisco WLC in High Availability over WAN

  Hi my name is Ivan i have a trouble perhaps could you help me...
  I have two cisco wlc 5508. I wan to install them in two differents site. One WLC in the site A and the another WLC in the site B.
  Site B is the WAN of the site A. The site A is the headquarter.
  But i need to configure them in High Availability. For example if the Cisco WLC in site A goes down, the ap's have to registered in the WLC of the site B.
  Then the traffic LWAPP have to pass over the WAN between site A to site B.
  I have to configure two cisco wlc in HA over a WAN . Please could help me to do this?. Is ok configure the roamming L3 intercontroller?
  Thanks for your answers
  Regards
  Ivan,
  AP'S - WLC - SITE A ----WAN-----WLC - SITE B - AP'S
  WLC SITE A   DOWN = AP'S SITE A REGISTERED IN WLC SITE B

  Hi Surendra thanks for yoru answer.
  Surendra, if the ap in the site B (in the WAN) goes down then the traffic lwapp have to pass over the wan,
  what will should i do to ensure access point can register on to the cisco wlc in the WAN, moreover to configure the mobility groups in both wireless lan controllers?
  or i only have to configure in the wlc the mobility groups? Could you explain me what things have i to do to ensure this
  SITE A - (ACCESS POINT M)  - LWAPP -----PASS OVER WAN---- SITE B - CISCO WLC - (ACCESS POINT M)
  STATUS: REGISTERED IN SITE B
  Thanks for your answer
  IVAN
  Regards

• How to implement XP Cisco VPN client. Please help!!!

  Hi,
  I am trying to configure remote access for XP desktops using CVPN client software and a Cisco 805 router with IOS IPSec capable( authentication should be local). The remote desktops are behind adsl router wich does nat translations but allow IPSes passthrough.
  I have configured it but does not working.
  Can you please help me?
  Thanks in advance
  David

  Hi guys, Solved.
  This very useful link:
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7d54c/0
  David

• Cisco 877w -Configuration of subinterfaces and main interface within the same bridge group is not permitted

  Hi,
  I have another problem - after upgrade ios wirelles connection not work.
  After reload i have :
  Configuration of subinterfaces and main interface
  within the same bridge group is not permitted
  STP: Unable to get the port parameters.
  Please configure the bridge group on this interface first.
  Please configure the bridge group on this interface first.
  Please configure the bridge group on this interface first.
  SETUP: new interface NVI0 placed in "shutdown" state
  my old configuration work propertly in the old software, but after update i have notificatio.
  Old thread:
  https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
  my current sh run:
  version 12.4 
  no service pad 
  service tcp-keepalives-in 
  service tcp-keepalives-out 
  service timestamps debug datetime msec localtime 
  service timestamps log datetime msec localtime 
  service password-encryption 
  hostname cisco 
  boot-start-marker 
  boot system flash:c870-advipservicesk9-mz.124-24.T6.bin 
  boot-end-marker 
  logging message-counter syslog 
  logging buffered 4096 informational 
  enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s. 
  aaa new-model 
  aaa session-id common 
  dot11 syslog 
  dot11 ssid ciscowifi 
   vlan 1 
   authentication open 
   authentication key-management wpa 
   guest-mode 
   wpa-psk ascii 7 050D031D26595D0617 
  dot11 wpa handshake timeout 500 
  ip source-route 
  no ip dhcp use vrf connected 
  ip dhcp excluded-address 192.168.56.1 
  ip dhcp pool CLIENT 
     import all 
     network 192.168.56.0 255.255.255.0 
     default-router 192.168.56.1 
     dns-server 8.8.8.8 194.204.159.1 194.204.152.34 
     lease 0 2 
  ip cef 
  no ip domain lookup 
  no ipv6 cef 
  multilink bundle-name authenticated 
  username marek password 7 00121A0908500A 
  archive 
   log config 
    hidekeys 
  ip tcp path-mtu-discovery 
  bridge irb 
  interface ATM0 
   description Polaczenie ADSL do ISP$ES_WAN$ 
   no ip address 
   no atm ilmi-keepalive 
   pvc 0/35 
    encapsulation aal5mux ppp dialer 
    dialer pool-member 1 
   hold-queue 224 in 
  interface FastEthernet0 
   description Edzia 
  interface FastEthernet1 
   description dom 
  interface FastEthernet2 
   description Dziadek 
  interface FastEthernet3 
  interface Dot11Radio0 
   no ip address 
   no ip redirects 
   ip local-proxy-arp 
   ip nat inside 
   ip virtual-reassembly 
   no dot11 extension aironet 
   encryption vlan 1 mode ciphers tkip 
   encryption mode ciphers aes-ccm tkip 
   broadcast-key change 3600 
   ssid ciscowifi 
   speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 
   station-role root 
   world-mode dot11d country AU indoor 
   no cdp enable 
   bridge-group 1 
   bridge-group 1 subscriber-loop-control 
   bridge-group 1 spanning-disabled 
   bridge-group 1 block-unknown-source 
   no bridge-group 1 source-learning 
   no bridge-group 1 unicast-flooding 
  interface Dot11Radio0.1 
   description ciscowifi 
   encapsulation dot1Q 1 native 
   no cdp enable 
  interface Vlan1 
   no ip address 
   bridge-group 1 
  interface Dialer0 
   description Interfejs dzwoniacy 
   ip address negotiated 
   ip nat outside 
   ip virtual-reassembly 
   encapsulation ppp 
   dialer pool 1 
   dialer-group 1 
   ppp chap hostname [email protected] 
   ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx 
  interface BVI1 
   description Polaczenie dla sieci LAN 
   ip address 192.168.56.1 255.255.255.0 
   ip nat inside 
   ip virtual-reassembly 
  no ip forward-protocol nd 
  ip route 0.0.0.0 0.0.0.0 Dialer0 
  no ip http server 
  no ip http secure-server 
  ip nat inside source list 100 interface Dialer0 overload 
  ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80 
  ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22 
  logging trap debugging 
  logging 192.168.56.10 
  access-list 100 permit ip 192.168.56.0 0.0.0.255 any 
  access-list 100 deny   ip any any 
  no cdp run 
  snmp-server community ciskacz RO 
  snmp-server chassis-id ciskacz 
  control-plane 
  bridge 1 protocol ieee 
  bridge 1 route ip 
  line con 0 
   no modem enable 
  line aux 0 
  line vty 0 4 
   exec-timeout 0 0 
   transport preferred ssh 
   transport input ssh 
  scheduler max-task-time 5000 
  end 
  please help - thanks!

  Hello Marek,
  I suppose you are not planning to do any kinds of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
  In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
  Remove the Dot11Radio0.1 subinterface entirely
  In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
  In the dot11 ssid ciscowifi section, remove the vlan 1 command
  After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
  Best regards,
  Peter

• Need to block rv110w access to router from wan

  Is there any way to block access to the router logon page from the wan?  By simply going to the router's external WAN IP, the cisco logon screen shows up?  I really think this not that safe and want to block it from showing up.  I have looked at all the settings and don't seem to be able to find something that will keep that from happening.
  Thanks
  M

  Hello Michael,
  You can disable remote management via Firewall --> Basic Settings. In the basis settings page there should be an option to enable remote managment. Make sure that option is unchecked.
  Hope this helps.
  -john

• Hellp on Nokia E61i associating with Cisco WLC 4402

  I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
  I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
  I can use my laptop to join this WLAN(my laptop configure with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let E61i join it, each time it will remind me “unable to connect, WPA authenticate failed).
  In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; In 4402, there also have no record.
  If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
  I think the problem maybe relate to encryption or certificate, right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
  Pls. help to point me what I need to adjust to make it work. Thanks!

  Hello,
  CCKM Key Management mode on Nokia E61i phone can be used
  against Cisco LWAPP AP's with TKIP encryption
  Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
  On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
  Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
   802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
  - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
  - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
  - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
  - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
  Supported:
  - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
  - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
  Not supported:
  - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
  Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast
  Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
   Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also
  at least on LWAPP AP version 4.1.171.0.
   CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
  In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
  Layer 2 Security = WPA+WPA2
  WPA+WPA2 Parameters:
  -WPA Policy = enabled
  -WPA Encryption = TKIP enabled, AES disabled
  -WPA2 policy = disabled
  -Auth.Key Mgmt = CCKM
  Br,
  -Pasi-

• Cisco SG 300 fropping internet frequently

  I have an ASUS RT-AC87U router that routes my WAN to a CISCO SG-300 managed switch. The switch keeps dropping internet connection after 2-3 minutes. I only get internet back after doing;
  Restarting the Router
  Unplugging-Replugging the WAN cable on the switch
  It’s so disturbing, I need help

  I have an ASUS RT-AC87U router that routes my WAN to a CISCO SG-300 managed switch. The switch keeps dropping internet connection after 2-3 minutes. I only get internet back after doing;
  Restarting the Router
  Unplugging-Replugging the WAN cable on the switch
  It’s so disturbing, I need help

• Cisco RV016 und EWE vDSL

  Hallo an alle
  wir stehen kurz vor einen wechsel zu EWE Tel, damit wir endlich einen vDSL 35000 leitung bekommen. Nun haben wir einen Fritzbox zugesand bekommen und ich frage mich gerade wie ich das nun mit meine RV016 kommunizieren lassen kann.
  Im Moment ist der RV016 mit 2 WAN ports an 2 DSL Modems eingerichtet (Telekom DSL 3000). Ich möchte keine Fritzbox nutzen für mein Firmennetzwerk sondern nach wie vor meine Cisco. Aber ich finde so wenig material darüber wie ich z.b. noch ein WAN Port freischalte und wie ich dieser zu konfigurieren habe damit der mit dieser Fritzbox (die zwingend gebraucht wird laut EWETel).
  Es muss doch irgendwie eine einstellung geben das die vDSL leitung über die Fritzbox an mein Cisco ankommt und ich dieser WAN Port dann benutze so wie ich jetzt beide andere Wan ports benutze?
  Wenn mir jemanden einen Tipp geben kann wo ich das in irgendwelche Forums finden kann wäre ich sehr dankbar. Wenn es jemanden gibt der das schon hinbekommen hat noch viel mehr.
  Greetz
  Sosy
  ps. das supportforum hier ist mal wieder eine katastrophe, nix ist mit German language auswählen usw. Typisch für solche anbieter.

  Hallo Herr Licheva,
  es ist mir schon klar, daß ich im WAN immer eintscheiden muss, ob ich über einen vorgeschalteten Router direkt ins Internet will oder PPTP-Verbindung machen möchte. Ich komme aber ins Internet mit der Fritzbox (192.168.1.x) und ich verbinde jetzt den WAN-Port des CISCO-Routers mit einem freien LAN-Port der Fritz-Box. Nun soll der CISCO-Router eine VPN-Verbindung zu dem Portunity-Dienst aufbauen. Über diesen Tunnel bekomme ich dann eine feste IP-Adresse, die ich für den Zugang an einen NAS-Server nutzen möchte.
  Das Problem besteht nun darin, daß der CISCO-Router nicht weiß, daß sein Standard-Gateway und sein DNS-Server auf der Fritz-Box liegen. Gibt es überhaupt keine Möglichkeit, dem Cisco-Router zu sagen, wenn er die PPTP-Verbindung aufbauen möchte, möge er die 192.168.1.1 als Gateway und als DNS-Server nutzen ?

• Wan Utillization issue

  We are currently experiencing high utillization on our regional WAN connections.
  In this scenario, we used to track this situation using IP accounting on the WAN interfaces.
  We recently upgraded WAN routers to cisco WS-C6509-E Mutilayer switches.
  When we tried to perform IP accounting on these devices, We get a warning <Accounting will exclude mls traffic when mls is enabled>
  That way we cannot track the defaulting hosts.
  Does anyone have an idea how we can overcome this

  Looks like once on board the cat6k ship, you're going to need to switch gear to NetFlow instead:
  http://www.ciscosystems.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800a7af1.shtml#ip_accounting
  "IP Accounting excludes MLS traffic
  In the Cisco Catalyst 6500 series, Multiple Layer Switching (MLS) is deployed in such a way that once a flow is established, traffic is directly switched at PFC (hardware-switched) and is not processed by the MSFC, hence the lack of continuous accounting. Only new or process-switched flows (software-switched) is recorded by IP accounting when enabled, and even then only until the entry is entered into the database. Thus, the previous warning message is normally displayed when you enable IP accounting on such a platform.
  6500(config)#int fa8/40
  6500(config-if)#ip accounting
  Accounting will exclude mls traffic when mls is enabled.
  NetFlow accounting is the preferred method. Refer to Configuring NetFlow for more information regarding to NetFlow."

• USB port on Cisco routers to connect 4G datacard

  Hello
  Can anybody know about the following questions?
  1) Which router having USB port on which we can connect 4G datacard for internet connectivity?
  2) Is there any inbuild USB port available on 1921-SEC/K9, 2921-SEC/K9, 3925-SEC/K9 routers for connecting 4G datacard for internet connectivity?
  3) Is there any WIC card available that will be having USB port for connecting 4G datacard?
  Regards,
  Mukesh Kumar
  Network Engineer
  Spooster IT Services

  1) Which router having USB port on which we can connect 4G datacard for internet connectivity?
  None.  USB ports do not have adequate capabilities to power up those kinds of devices.
  2) Is there any inbuild USB port available on 1921-SEC/K9, 2921-SEC/K9, 3925-SEC/K9 routers for connecting 4G datacard for internet connectivity?
  Cisco Fourth-Generation LTE Wireless WAN Enhanced High-Speed WAN Interface Cards Data Sheet
  Q&A:  Fourth-Generation LTE Wireless WAN Cards for Cisco Integrated Services Routers Generation 2

• WS-4500X-32 Support for TrustSec MACsec Encryption

  Hello all,
  Does anyone know when will the WS-4500X-32 support the TrustSec MACsec Encryption ?
  Thanks!
  David

  Hi,
  MACSec support on the Catalyst 4500X as from IOS XE 3.5.0. As per the New Software Features in Release IOS XE 3.5.0E section of the release notes:
  MACSec Encryption on Cisco Catalyst 4500-X
  IEEE 802.1ae MACSec Layer 2 encryption
  IEEE 802.1ae MACSec encryption on user-facing ports
  IEEE 802.1ae MACSec encryption between switch-to-switch links using Cisco Security Association Protocol (SAP)
  Regards