Cisco

Linksys/Cisco Wireless Router – Firmware Upgrade – Project?!

I have a friend whose home public IP is DHCP, and they have an IP-enabled thermostat for their house. I set up a free DNS “A” record from DynDNS.com, so they could access the thermostat remotely without having to remember the IP address. The URL is something simple like http://myhome-freedns.com. Since the public IP is dynamic, I set up a service on their home PC that automatically updates that free DNS “A” record to reflect the new public IP (whenever it changes). This is called Dynamic DNS (DDNS). The problem with all of this is that the home PC must be turned on whenever the DNS “A” record needs to be updated. At this point, I figured I would leverage his Linksys BEFW11S4 wireless router to handle the DDNS updates.

Upon logging into the router, I discovered the DDNS service was nowhere to be found! Soon enough I figured out that the firmware had to be updated, which introduces the DDNS service. Downloading the firmware was simple enough, and the upgrade *should* have been straightforward too – log into the router, go to the corresponding page for firmware updates, browse to where the file is saved, and update.

Unfortunately it wasn’t that easy. I was getting the error “Upgrade action is not finish. Upgrade file pattern error.” If the grammatical error was not bad enough, not being able to upgrade the firmware easily became frustrating! A simple Google keyword search resulted in a Linksys forum page with the same issue. It appears that the naming convention that Linksys gives their firmware files is not compatible with their own products! Simply renaming the file from “BEW1.52,blah blah.bin” to “code.bin” allowed the router to read the file and update the firmware successfully. No numbers, no mid-way periods, no commas – just “code.bin”.

After the update, DDNS was available on the router, and is now successfully updating the DNS “A” record as needed, without the use of a PC-based service.


The Cisco PIX, its PDM, & Java

If anyone is lucky enough to still be working on Cisco PIX firewalls, then you are probably aware of one of the worst Cisco GUIs known to man – the PIX Device Manager (aka PDM). Recently, I tried connecting to a PIX 501 through the PDM. The initial log-in screens appeared, but it would get stuck at this screen:

[Screenshot: the PDM loading screen where the session hangs (pix-pdm)]

The window would completely hang up. My initial thought was since this PIX is physically located far, far away (in Europe, over a slower DSL line), perhaps the PDM is having trouble loading the data. The next step was to connect to a server where the firewall is located, and try the PDM from there. Unfortunately, I had the same trouble.

I had remembered that a while back, on another PIX, I had to remove the “pdm location” entries from the config. I tried that next, and tried the PDM from both locations (remote and local) – same outcome.

Lastly, I turned to good ol’ Google, and came across a Cisco Wiki article about the problem. Turns out that the culprit is the version of Java being used. Yes my friends, the PDM uses Java. Useful because Java is operating-system independent, but a pain because the PDM has since been phased out and only works with older versions of Java. I removed the latest version of Java (from the remote server), downloaded and installed version 1.4.1, and successfully logged into the PDM!

Eventually this PIX will be replaced with an ASA 5505, which introduces a nice CLI and the successor to the PDM, the ASDM.


CCNA/S – Cisco Certified Network Associate Security

Recently I was sent by my employer to a training class to start on the Cisco career path towards getting my CCSP (Cisco Certified Security Professional) certification. I chose to take the training offered by Global Knowledge for the Cisco IINS. Taking this class also came with TWO FREE VOUCHERS to take the IINS 649-554 certification exam. What that means is you can take the test for free two times (if you should fail the first time through). But wait, there’s more! If you fail twice, you can then retake the class for free! Definitely worth the price of admission. The class is one week long, all day – which most Global Knowledge classes (and similar institutions) are. After taking this class and passing the exam, I received my CCNA Security certification.

The other benefit of this certification is that it renews the length of time your previous certification is good for. Each Cisco certification is good for three years (most of them), so the CCNA certification that I received in June 2007 has been upgraded to the CCNA/S – good through the end of 2011. When the expiration time draws closer, you need to re-certify or move up the certification scale. According to Cisco, this keeps your knowledge of the certification topics sharp. I agree with this completely. The technology is always changing, and if you aren’t forced to re-certify, Cisco isn’t aware you know the latest stuff.

Certifications don’t always guarantee a pay raise at your current job, or necessarily land you a job, but they definitely look great on your resume and show you are serious about your career. In this economy, who couldn’t use the help with their resume to make it stand out from the rest?


Cisco Client VPN Over Remote IPSec Tunnels

Here’s the set up – Client VPN connections from remote employees (at home let’s say) make a VPN connection to Firewall “A”. That same firewall has an IPSec connection to another Firewall, “B”, which is a remote office. Why can’t I get traffic to pass from the Client VPN to Firewall “B”?

Config changes on Firewall “A”:

  • Added the split-tunneling details for the Client VPN, so that the tunnel identifies the subnet for Firewall “B” as interesting traffic.
  • Modified the crypto-map for the tunnel between Firewall “A” and “B” to protect traffic from the Client VPN subnet to the Firewall “B” subnet.
  • Added a NoNAT statement for traffic from the Client VPN subnet to the Firewall “B” subnet.
  • Standard ACL for the “inside” interface is already set as “allow ip any any”.

Config changes on Firewall “B”:

  • Modified the crypto-map for the tunnel between Firewall “B” and “A” to protect traffic from the Firewall “B” private subnet to the Client VPN subnet.
  • Added a NoNAT statement for traffic from the Firewall “B” subnet to the Client VPN subnet.
  • Standard ACL for the “inside” interface modified to “allow ip any any” for traffic from the Firewall “B” subnet to the Client VPN subnet.

I’m obviously missing something, somewhere. I’m thinking it has to do with the crypto or interface ACL’s. When I find the answer, I’ll post the follow-up.
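As an added illustration (not the author’s configuration), here is how the three changes on each firewall look in ASA/PIX 7.x syntax; the platform, addresses and object names are assumed, and the `same-security-traffic` line covers a detail the post does not mention: the client’s packets enter and leave Firewall “A” on the same outside interface.

```cisco
! ---- Firewall A (terminates the Client VPN and the tunnel to B) ----
! Assumed addressing: Client VPN pool 192.168.100.0/24, A inside 10.1.1.0/24,
! B inside 10.2.2.0/24, B outside peer 203.0.113.2. All names are made up.

! 1. Split tunnel: the client only sends the listed subnets into the tunnel,
!    so B's subnet must be here or the client sends it out its own ISP link.
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.2.2.0 255.255.255.0
group-policy REMOTE-USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 2. Crypto ACL for the A<->B site-to-site tunnel, one line per source subnet.
!    B's crypto ACL must be the exact mirror image or phase 2 will not come up.
access-list L2L-TO-B extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L-TO-B extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside

! 3. NAT exemption. Inside -> B is exempted on "inside"; the VPN pool enters on
!    "outside", so if nat-control is on (or an outside NAT rule exists) the pool
!    needs its own exemption on that interface.
access-list NONAT-IN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT-IN
access-list NONAT-OUT extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUT

! 4. Client traffic arrives on "outside" and leaves on "outside" again inside
!    the L2L tunnel. That U-turn is dropped by default on ASA/PIX 7.x.
!    Note that with the default VPN bypass (sysopt connection permit-vpn) in
!    place, decrypted VPN traffic never hits the interface ACLs at all, which is
!    why changing the "inside" ACL alone does not change the outcome.
same-security-traffic permit intra-interface

! ---- Firewall B (remote office), the mirror image ----
access-list L2L-TO-A extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L-TO-A extended permit ip 10.2.2.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-TO-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
access-list NONAT-IN extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT-IN extended permit ip 10.2.2.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT-IN
```

A quick check after applying this is `show crypto ipsec sa` on Firewall “A”: a working setup shows a separate security association whose local identity is the VPN pool and whose remote identity is Firewall “B”’s subnet.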


Cisco-Live: Orlando, Florida – June 22-26, 2008

Have at it Cisco Fan-boys and girls. I wonder if the natural balance of the universe will be affected with all of “us” in this one place at one time.

Overview: 

“The Cisco Live Conference in Orlando, Florida is this year’s premiere event for IT and communications professionals. For 2008, a Cisco Live registration gives you access to three separate programs for one price including: Networkers, IT Insights, and Cisco Developer Services Programs.

Cisco Live provides training, insight, and education to over ten thousand Cisco customers and partners and is home to the US Networkers program. It’s the place to learn new technologies, discuss business trends, share ideas, and network.

With its featured programs for network engineers, network developers, IT managers, and senior business executives, Cisco Live in Orlando, Florida will be the premiere event for IT training, education, and insight. Join more than ten thousand Cisco customers, partners, and industry peers for Cisco Live 2008.”

Activities and Events:

“In addition to technical and business programs, Cisco Live will feature a variety of activities and events for you to connect, network, explore, and have fun.

From the Collaboration Zone—an innovative digital environment designed to unleash your imagination—to a special customer appreciation event featuring performances by Blue Man Group and Barenaked Ladies, there’ll be something for everyone.

Join your colleagues for the back-by-popular-demand Guitar Hero III contest, an interactive drum circle, and exclusive access to Universal Studios’ Backlot rides and attractions.

At Cisco Live, you’ll find plenty of opportunities to learn, interact, and socialize.”


ASA/PIX Fanboys – “They are not routers!”

Do any Google or Yahoo (etc) search for “cisco asa pix routing”, and more often than not you’ll get the popular fanboy reply of “They are not routers!” Basically, if you need to route traffic from your firewall to another router, you’ll have problems doing so.

Say for example your internal subnet is 10.0.0.0/24. The firewall is the only “routing” device in your network, and the inside interface is the default gateway for all of your devices (e.g. 10.0.0.1/24). Now let’s say you connect your LAN to another LAN (with a router) in the same building, subnet 10.10.0.0/24. How will you route traffic from your LAN to the other? Try applying an internal route for that on the firewall – it will take the command, but it won’t work. Fanboys, rejoice!

Typically the only way around this would be to install a router on your network which then becomes the new default gateway for your LAN. Then with the appropriate routing statements:

ip route 0.0.0.0 0.0.0.0 10.0.0.1     <— inside interface of the firewall
ip route 10.10.0.0 255.255.255.0 10.0.0.10    <— new subnet and router between subnets

So as much as it pains me to say, a router is really the best way to go when you need to route traffic. However, it would be nice if the firewalls would support some basic in-out-same-interface routing. I’m not asking for administrative distance support, or additional routed protocols, just some good ol’ IP routing!


Copyright © 1996-2010 JasonPuzio.com. All rights reserved.