
September 2006

PIX Authentication Using Local User Database (and Kiwi CatTools)

So here's the scenario I ran into...I just set up a new client for managed network services (my company, AdTEC Networks, does the management). This client happened to have some fairly technical people on staff who wanted privileged mode access to the PIX firewall. No problemo...that is, until I received phone calls with people screaming, "THE NETWORK IS DOWN!!!"
There I am, feeling a cold drip of sweat trickling down the side of my face, scrolling through a running config on a PIX firewall. Aha! Who put that command there?!?! After removing the 'mystery' NAT statement, the network magically works again...now who's to blame...

Mmmmm...SNMP and Netflow Goodness.

I love SNMP and Netflow. There are so many SNMP-capable free / cheap utilities out there that give you some really good info about your network (Switch Inspector and PRTG are two of my favorites). I wish Cisco would come out with a certification that deals with nothing but SNMP and network monitoring (you can go through the entire certification track including the CCIE and find nothing mentioned about SNMP).
Anyhow, I just ran across someone who has created a blog dedicated to the topic. At a quick glance, it looks like some good stuff! Hopefully he adds more to it. Check it out when you have a chance.

It's Even Better: Cisco's Output Interpreter

A Cisco tech support email I received last week mentioned the ol' Cisco Output Interpreter utility on their website. This utility analyzes the output of various show / debug commands to decipher their meaning and point out configuration or hardware errors on your router. I remember trying out the Output Interpreter a few years back and not being very impressed, but thought I'd give it a shot today.
I ran a "show tech-support" command on one of my routers and pasted it into the Cisco Output Interpreter...WOW! Has this utility improved. Not only did it point out that I was getting many buffer drops, but it also had multiple security improvement recommendations (which I'll be implementing later today). The best part about it was this:

Cisco WebVPN / SSL VPN / Thin Client /

SSL VPNs are the future of VPN technology. While they are still brand new, "bleeding edge" sort of technology, they will eventually be how most organizations run their VPN connections. The concept is simple: HTTPS (SSL-based) web pages have used adequate encryption for years...why not harness that technology to create a "client-less VPN system," tunneling applications through the SSL connection?
For a user to connect to an SSL VPN, no client installation is necessary. Rather, they simply access a web page, authenticate, and minimize the web browser window. They're now on the corporate VPN.
There's more to it than this (for example, a Java client download may be necessary for full port-forwarding capabilities, etc...). Cisco just published an excellent explanation / configuration document for the WebVPN/SSL VPN technology. Get it here.
