<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7267093883386523047</id><updated>2012-02-16T17:53:52.426+08:00</updated><category term='OOT'/><category term='router'/><category term='cisco'/><category term='network'/><category term='lab'/><category term='pix'/><category term='CCIE'/><category term='workaround'/><category term='asa'/><category term='security'/><category term='humor'/><title type='text'>write.mem.reload</title><subtitle type='html'>If all else fails... reload !</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>34</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-384374815601382072</id><published>2007-10-01T17:46:00.000+08:00</published><updated>2007-10-09T09:43:45.462+08:00</updated><title type='text'>Stress is Five Consecutive Dots</title><summary type='text'>I feel crappy today. I just attempted to lab up the section which I had difficulty with during my exam and guess what, the 5 bangs I've been trying to squeeze out of the router that day are streaming effortlessly now in front of me. I'm pretty sure that I'm recreating it now the same way as what I had in my exam. I remember thinking when I started reading the exam that it should be a straightforward </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/384374815601382072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=384374815601382072' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/384374815601382072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/384374815601382072'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/10/stress-is-four-consecutive-dots.html' title='Stress is Five Consecutive Dots'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-4721948276176375771</id><published>2007-10-01T15:55:00.000+08:00</published><updated>2007-10-01T15:58:56.856+08:00</updated><title type='text'>The pursuit of CCIE happiness</title><summary type='text'>I just recently discovered the CCIE Pursuit Blog in one of my RSS feeds. This excellent blog is exactly what I am trying to accomplish with my blog. That is if only I can put in more time to update this blog. Fellow CCIE candidates will surely relate to the author as he chronicles his thoughts and activities in preparation for THE DAY. He even posts the running cost of his CCIE expenses and </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/4721948276176375771/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=4721948276176375771' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/4721948276176375771'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/4721948276176375771'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/10/pursuit-of-ccie-happiness.html' title='The pursuit of CCIE happiness'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-5589429665429526824</id><published>2007-09-21T17:49:00.000+08:00</published><updated>2007-09-24T12:36:48.799+08:00</updated><title type='text'>1st Attempt No Good</title><summary type='text'>I've been very busy lately with projects at work and preparing for my CCIE lab. Well I'm back with sad news... I failed my first attempt at CCIE Lab Security. It's very frustrating since I worked very hard for it and used up a significant amount of my savings. But I guess that's life, win some, lose some. Here are lessons learnt. These are things I should have done: 1. Really understand the </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/5589429665429526824/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=5589429665429526824' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/5589429665429526824'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/5589429665429526824'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/09/1st-attempt-no-good.html' title='1st Attempt No Good'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-223430041210949008</id><published>2007-04-19T11:51:00.000+08:00</published><updated>2007-04-19T17:29:28.936+08:00</updated><title type='text'>Rejoice! Pixemu lives.</title><summary type='text'>A smart guy using the handle mmm123 posted in the Dynamips forum how he created a PIX emulator on his PC using QEMU. I tested it and it works like a charm! Here's what you need to do. 1. Download QEMU. For dependency, you might need to download SDL as well. 2. Download the Pixemu binary. You need to register to the forum first. 3. Get a copy of the PixOS. I used Pix version 7.2.2(10). 4. I've read from </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/223430041210949008/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=223430041210949008' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/223430041210949008'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/223430041210949008'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/04/rejoice-pixemu-lives.html' title='Rejoice! Pixemu lives.'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-1704934079784332329</id><published>2007-04-10T16:07:00.000+08:00</published><updated>2007-04-10T17:03:13.753+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='CCIE'/><title type='text'>NetPro Ask The Expert Yusuf Bhaiji on CCIE Security</title><summary type='text'>Here's a very insightful thread from Cisco's NetPro Connections Forum. Yusuf Bhaiji, Program Manager for the Cisco CCIE Security certification and lab proctor, takes time to answer questions about the lab exam. The answers to most questions are mostly already available in the Lab Blueprint. But the Q&amp;A helps to clarify some questions a CCIE candidate might have. Here are some of Yusuf's responses </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/1704934079784332329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=1704934079784332329' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/1704934079784332329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/1704934079784332329'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/04/netpro-ask-expert-yusuf-bhaiji-on-ccie.html' title='NetPro Ask The Expert Yusuf Bhaiji on CCIE Security'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-5008313727941674322</id><published>2007-03-08T13:22:00.000+08:00</published><updated>2007-03-08T13:39:43.147+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CCIE'/><title type='text'>$499 Damage in my pocket for Preparation for my CCIE lab</title><summary type='text'>After weighing the user feedback and product marketing, I've decided to get the IPExpert workbook to help prepare me for my CCIE Security Lab. I ordered the workbook last Thursday and it arrived Monday. Not bad considering it came all the way from Tennessee and I'm here in Asia. Upon opening the FedEx package, I see this spiral-bound book and I was like, "Is this all the US$499 (excluding </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/5008313727941674322/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=5008313727941674322' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/5008313727941674322'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/5008313727941674322'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/03/499-damage-in-my-pocket-for-preparation.html' title='$499 Damage in my pocket for Preparation for my CCIE lab'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7063607695152846016</id><published>2007-02-28T12:25:00.000+08:00</published><updated>2007-02-28T12:28:15.091+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='router'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Router: Debug Crypto Condition command</title><summary type='text'>When your router has more than one VPN peer configured, troubleshooting one of the problematic crypto peers using debug crypto isakmp and debug crypto ipsec can get you cross-eyed in no time. You'll feel like the console is doing a DoS on your brain. In Cisco IOS Software Release 12.3(2)T, you can use the debug crypto condition command to filter debug output to a specific peer. You can use many </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7063607695152846016/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7063607695152846016' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7063607695152846016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7063607695152846016'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/02/when-your-router-has-more-than-one-vpn.html' title='Router: Debug Crypto Condition command'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-6261012636689230194</id><published>2007-02-27T11:56:00.000+08:00</published><updated>2007-02-27T22:35:25.305+08:00</updated><title type='text'>CCIE heroes</title><summary type='text'>For anyone who is aware how difficult it is to earn the numbers, you can't help but feel awe for people who have passed the CCIE exam many times over. I'm talking about the multiple CCIEs who are the subject of Cisco-geek hero worship. Quadruple CCIE! Rent-A-CCIE Superhero NetworkWorld.com Community http://www.cisco.com/web/learning/le3/ccie/case_studies/morris_scott.html Quintuple CCIE!! http://</summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/6261012636689230194/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=6261012636689230194' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6261012636689230194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6261012636689230194'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/02/ccie-heroes.html' title='CCIE heroes'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-3550744572981630320</id><published>2007-02-22T11:01:00.000+08:00</published><updated>2007-02-22T11:15:09.602+08:00</updated><title type='text'>ASA v8.0</title><summary type='text'>In addition to the recent release of version 6.0 of the IPS, looming ahead is the release of ASA software version 8.0. I've heard that the beta version of ASA 8.0 is already made available to select customers who signed up for the beta testing program. Here's news from Cisco that briefly mentioned ASA v8.0: http://newsroom.cisco.com/dlls/2007/prod_020507.html And a PowerPoint presentation of the new </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/3550744572981630320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=3550744572981630320' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/3550744572981630320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/3550744572981630320'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/02/asa-v80.html' title='ASA v8.0'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-4539938968254620967</id><published>2007-02-15T11:48:00.000+08:00</published><updated>2007-02-15T12:02:43.254+08:00</updated><title type='text'>Cisco Multiple vulnerabilities in IOS and Pix/ASA</title><summary type='text'>Heads up! Cisco announced flaws in their Cisco IOS IPS and Pix/ASA products. 1. Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances. Enhanced Inspection of Malformed Hypertext Transfer Protocol (HTTP) traffic may cause a Pix/ASA to crash resulting in a denial of service. Inspection of malformed Session Initiation Protocol (SIP) packets may cause a Pix/ASA to crash </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/4539938968254620967/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=4539938968254620967' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/4539938968254620967'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/4539938968254620967'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/02/heads-up-cisco-announced-flaws-in-their.html' title='Cisco Multiple vulnerabilities in IOS and Pix/ASA'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7569344591854603536</id><published>2007-02-14T15:46:00.000+08:00</published><updated>2007-02-14T15:53:35.728+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Have Telnet, Get Pwned</title><summary type='text'>A series of two simple and trivial exploits for Solaris has surfaced recently. One is an ICMP-induced DoS and the other is a remote exploit using telnet! Hearing about things like this makes me agree that we are losing the war on IT security. But then again, these attacks are not difficult to avoid. Hasn't your mother taught you not to use telnet, especially on Internet-facing systems?</summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7569344591854603536/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7569344591854603536' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7569344591854603536'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7569344591854603536'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/02/have-telnet-get-pwned.html' title='Have Telnet, Get Pwned'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7004145121177801481</id><published>2007-02-12T12:41:00.000+08:00</published><updated>2007-02-15T12:04:41.445+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><category scheme='http://www.blogger.com/atom/ns#' term='OOT'/><title type='text'>Network Down Blooper</title><summary type='text'>An IT support was on the phone with his counterpart in Sydney office and was checking if the IPL is down. "Dood! We're down here. Are you down there?"</summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7004145121177801481/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7004145121177801481' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7004145121177801481'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7004145121177801481'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/02/network-down-blooper.html' title='Network Down Blooper'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-446865303124959463</id><published>2007-01-31T10:31:00.000+08:00</published><updated>2007-01-31T11:07:24.347+08:00</updated><title type='text'>Checkpoint SecurePlatform Virtual Appliance</title><summary type='text'>I've just downloaded and set up the Checkpoint SecurePlatform virtual appliance on my laptop. This is perfect for anyone trying to learn the Checkpoint firewall like me. This must be the equivalent of Dynamips in the Checkpoint world. Among the recent developments in the IT world, virtualization must be the coolest thing happening. VMWare is spearheading this revolution and their online library </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/446865303124959463/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=446865303124959463' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/446865303124959463'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/446865303124959463'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/checkpoint-secureplatform-virtual.html' title='Checkpoint SecurePlatform Virtual Appliance'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7862680375837085637</id><published>2007-01-31T10:12:00.000+08:00</published><updated>2007-01-31T16:51:22.541+08:00</updated><title type='text'>Quick, Learn More ! from Cisco's QLM</title><summary type='text'>If you're preparing for a CC*P exam or just want to learn about a certain feature, you'll surely find these short tutorials, or what Cisco calls Quick Learning Modules (QLM), very useful. They are available on the following links. Security and VPN QLMs; Cisco IOS Software; CCNP Prep Center Exam Study Section (Login required). More modules are available from the Cisco Learning Connection Main Page</summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7862680375837085637/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7862680375837085637' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7862680375837085637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7862680375837085637'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/quick-learn-more-from-ciscos-qlm.html' title='Quick, Learn More ! from Cisco&apos;s QLM'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-4846100200716813125</id><published>2007-01-30T14:47:00.000+08:00</published><updated>2007-01-30T17:29:31.226+08:00</updated><title type='text'>Be clued on Protocol Analysis</title><summary type='text'>It pays to know how to read packet captures when troubleshooting network problems like latency problems. Like there was one time when we were investigating why a server response became slow after moving it behind a firewall. Finger-pointing ensued until we decided to sniff the traffic on the firewall to know what's happening. From the capture, we see the server sending reverse DNS lookup for </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/4846100200716813125/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=4846100200716813125' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/4846100200716813125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/4846100200716813125'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/be-clued-on-protocol-analysis.html' title='Be clued on Protocol Analysis'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7006199558034608555</id><published>2007-01-29T12:59:00.000+08:00</published><updated>2007-01-29T14:41:33.363+08:00</updated><title type='text'>Router: Scripting in Cisco routers and Management Enhancements</title><summary type='text'>Cisco IOS has features available which enable you to create custom commands and scripts which will aid in managing IOS routers using the TCL scripting command. Tool Command Language. With embedded management tools, you can even monitor events or set thresholds that will trigger a script or CLI applet. Embedded Event Manager (EEM); Embedded Syslog Manager (ESM); Embedded Resource Manager (ERM). To </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7006199558034608555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7006199558034608555' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7006199558034608555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7006199558034608555'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/router-scripting-in-cisco-routers-and.html' title='Router: Scripting in Cisco routers and Management Enhancements'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7951811095082379344</id><published>2007-01-28T11:44:00.000+08:00</published><updated>2007-02-12T12:46:36.636+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><category scheme='http://www.blogger.com/atom/ns#' term='OOT'/><title type='text'>It's a feature!!!</title><summary type='text'>Overheard from the office. Phone rings. Help Desk: Sir, remote office in Manila reported a downtime. Manager: Let me check... I see.. the router rebooted, tell them it's a feature! Help desk follows obediently.</summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7951811095082379344/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7951811095082379344' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7951811095082379344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7951811095082379344'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/its-feature.html' title='It&apos;s a feature!!!'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-6571050311729651378</id><published>2007-01-26T10:52:00.000+08:00</published><updated>2007-01-26T12:37:03.065+08:00</updated><title type='text'>Free Treats from Cisco and IPExpert</title><summary type='text'>Here are a couple of free study resources available. On Feb. 1, Cisco’s CCNA TV will air IP Addressing, Subnetting, &amp; Variable-Length Subnet Masks (VLSM), that will cover basic IP addressing, subnetting and VLSM concepts, and route summarization. You have to register first in the CCNA Prep Center to view the broadcast. "IP Addressing, Subnetting, &amp; Variable-Length Subnet Masks (VLSM)" on CCNA </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/6571050311729651378/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=6571050311729651378' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6571050311729651378'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6571050311729651378'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/free-treats-from-cisco-and-ipexpert.html' title='Free Treats from Cisco and IPExpert'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-880656028088298293</id><published>2007-01-25T11:40:00.000+08:00</published><updated>2007-01-25T12:41:07.573+08:00</updated><title type='text'>Take note: Recently announced Cisco Vulnerabilities</title><summary type='text'>Well, I got this from our company's trusty security advisory system but I'm sure it will be all over the Internet by now based on the seriousness of these security bulletins.Crafted TCP Packet can cause denial of service (cisco-sa-20070124-crafted-tcp)Crafted IP Option vulnerability (cisco-sa-20070124-crafted-ip-option)IPv6 Routing Header vulnerability (cisco-sa-20070124-IOS-IPv6)After going </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/880656028088298293/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=880656028088298293' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/880656028088298293'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/880656028088298293'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/take-note-recently-announced-cisco.html' title='Take note: Recently announced Cisco Vulnerabilities'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7719015956713062213</id><published>2007-01-23T16:28:00.000+08:00</published><updated>2007-01-28T23:09:43.450+08:00</updated><title type='text'>CCIE or bust</title><summary type='text'>I've been eyeing on being a CCIE for several years now and I've finally decided to take on this monster this year. It's no secret that CCIE is one of the toughest vendor certification exam and it's been the ultimate goal for all Cisco professionals. Besides being tough, it is also an expensive endeavor.I always hear that if you want to take the CCIE, your budget should be at least good for two </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7719015956713062213/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7719015956713062213' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7719015956713062213'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7719015956713062213'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/ccie-or-bust.html' title='CCIE or bust'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7615152650096992415</id><published>2007-01-22T15:22:00.000+08:00</published><updated>2008-12-12T03:31:37.504+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='router'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='lab'/><title type='text'>Lab: RTBH</title><summary type='text'>This is something I setup in my desktop lab (Dynamips) based on the REMOTELY TRIGGERED BLACK HOLE FILTERING—DESTINATION BASED AND SOURCE BASED white paper available from Cisco website. ConfigurationsTargetEdgeTriggerRR-BGPPE1PE2SmurfIn the diagram, the provider network is enclosed in the blue area. The Target router is the victim and Smurf is the attacker network. Let's say we're seeing massive </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7615152650096992415/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7615152650096992415' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7615152650096992415'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7615152650096992415'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/lab-rtbh.html' title='Lab: RTBH'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_rb88rCsL1PE/RbRmmfp7x_I/AAAAAAAAAAg/bQVt0UMTyfQ/s72-c/RTBH.bmp' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7850439351911740431</id><published>2007-01-11T17:23:00.000+08:00</published><updated>2008-12-12T03:31:37.671+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='router'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='lab'/><title type='text'>Lab: Integrated DMVPN and EZVPN with IPSec Stateful Failover</title><summary type='text'>Here's something I setup in my desktop "lab" using DYNAMIPS. I created two DMVPN hubs also acting as a EZVPN server with Stateful Failover. 
Since both the DMVPN and EZVPN configurations use the 0.0.0.0 address to map to the pre-shared key, an ISAKMP profile is configured to differentiate the DMVPN spokes from the EZVPN clients. Previously, if your router talked to a combination of remote spokes and vpn </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7850439351911740431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7850439351911740431' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7850439351911740431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7850439351911740431'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/lab-dmvpn-and-ezvpn-with-ipsec-stateful.html' title='Lab: Integrated DMVPN and EZVPN with IPSec Stateful Failover'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_rb88rCsL1PE/RbRbqvp7x9I/AAAAAAAAAAM/nUG3ndkAxo0/s72-c/Presentation1.bmp' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-6696536095287198521</id><published>2007-01-10T13:08:00.000+08:00</published><updated>2007-01-12T11:22:42.322+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='asa'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='workaround'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='pix'/><title type='text'>Pix/ASA: DNS rewrite and Packet U-Turns part II</title><summary type='text'>NetworkInternet----(outside)pix/asa(inside)----client                    (dmz)                      I                      I                    serverNow let's consider a pix/asa with three interfaces: inside, outside and dmz. Client PC in the inside network cannot access the server in the dmz eventhough we have the correct nat configuration in the firewall. 
We soon found out that the client PC </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/6696536095287198521/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=6696536095287198521' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6696536095287198521'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6696536095287198521'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/pixasa-dns-rewrite-and-packet-u-turns_10.html' title='Pix/ASA: DNS rewrite and Packet U-Turns part II'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-416674669976909166</id><published>2007-01-10T11:21:00.000+08:00</published><updated>2007-01-22T14:43:24.113+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='asa'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='workaround'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='pix'/><title type='text'>Pix/ASA: DNS rewrite and Packet U-Turns part I</title><summary type='text'>Topology                                    I--ClientInternet----(Outside)ASA(Inside)----I                                    I--ServerProblemAn internal host cannot reach the a public server in the DMZ 
arm of the pix/asa. The reason is because the public server's hostname is resolved by DNS to its public ip address and the pix/asa will not route a packet to the outside interface then u-turn it </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/416674669976909166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=416674669976909166' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/416674669976909166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/416674669976909166'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/pixasa-dns-rewrite-and-packet-u-turns.html' title='Pix/ASA: DNS rewrite and Packet U-Turns part I'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-429905791652363355</id><published>2007-01-10T10:35:00.000+08:00</published><updated>2007-01-17T00:50:27.746+08:00</updated><title type='text'>Router: Test Crypto Initiate-session Command</title><summary type='text'>It used to be that the only way to initiate vpn establishment is by passing traffic matching the crypto ACLs. What's usually done is you ping the remote network from a host behind the router. 
But there are cases where you don't have access to any of the computers on either side of the tunnel. By using the test crypto initiate-session command, you can manually bring up the tunnel just by entering </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/429905791652363355/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=429905791652363355' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/429905791652363355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/429905791652363355'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/router-test-crypto-initiate-session.html' title='Router: Test Crypto Initiate-session Command'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-5837529854836505071</id><published>2007-01-09T13:59:00.000+08:00</published><updated>2007-01-11T17:28:02.175+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='router'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Router: Zone-based Firewalls part III</title><summary type='text'>Now let's look at an example where we have three zones: inside, outside and dmz. There are servers in the DMZ zone that need to be accessible from the inside and outside networks. We will restrict Outside-to-DMZ traffic to IP 192.1.1.1 via HTTP only. ! 
we define the zones! zone security Inside zone security Outside zone security DMZ!! we apply the zones to the interfaces!interface FastEthernet0/0 </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/5837529854836505071/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=5837529854836505071' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/5837529854836505071'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/5837529854836505071'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/router-zone-based-firewalls-part-iii.html' title='Router: Zone-based Firewalls part III'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-498606402244254362</id><published>2007-01-08T17:55:00.000+08:00</published><updated>2007-01-11T17:28:23.208+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='router'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Router: Zone-based Firewalls part II</title><summary type='text'>In the first installment of this document, I showed you a simple two-zone configuration where inside users have unrestricted access to the outside zone. 
If you need to limit the services that the inside users are allowed to access, we have to define the traffic classes that will later be used in the policy-map commands to define the desired firewall policy. The traffic classes are defined with </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/498606402244254362/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=498606402244254362' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/498606402244254362'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/498606402244254362'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/router-zone-based-firewalls-part-ii.html' title='Router: Zone-based Firewalls part II'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-6593381500186552679</id><published>2007-01-08T14:29:00.000+08:00</published><updated>2007-01-11T17:28:39.973+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='router'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Router: Zone-based Firewalls part I</title><summary type='text'>A new configuration enhancement has been introduced in IOS 12.4(6)T called Zone-based policy firewall. 
Rather than configuring multiple access-lists to filter traffic between multiple router interfaces, you follow the zone-based design and only have to specify the traffic permitted between zones. Zone-based policy firewall also adds more granularity to inspection policies compared to CBAC. Here </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/6593381500186552679/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=6593381500186552679' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6593381500186552679'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6593381500186552679'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/router-zone-based-firewalls-part-i.html' title='Router: Zone-based Firewalls part I'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-6795894907087443284</id><published>2007-01-08T12:46:00.000+08:00</published><updated>2007-01-10T14:30:15.861+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='router'/><category scheme='http://www.blogger.com/atom/ns#' term='workaround'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Router: Surfing without Split-tunnelling</title><summary type='text'>Scenario: Users connect remotely via Cisco VPN client. They connect to your router. 
They need to access the Internet while logged in, but you don't want to configure split-tunnelling. You want the VPN client to access the Internet through the router and not by split-tunnelling, so that you can later enable url-filtering or use audit-trail to monitor their browsing activities. Config: username cisco </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/6795894907087443284/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=6795894907087443284' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6795894907087443284'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/6795894907087443284'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/router-surfing-without-split-tunnelling.html' title='Router: Surfing without Split-tunnelling'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-1136318476934421250</id><published>2007-01-07T00:28:00.001+08:00</published><updated>2007-01-09T11:00:22.878+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='asa'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='pix'/><title type='text'>Pix/ASA: Packet Tracer</title><summary type='text'>This new feature is very useful in troubleshooting or verifying your configuration. It is available in ASDM and CLI.Syntax:packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]It is a good complement to the capture command when troubleshooting. 
To use it, you just enter the source and destination ip and port address and the packet-tracer will provide </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/1136318476934421250/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=1136318476934421250' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/1136318476934421250'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/1136318476934421250'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/pixasa-packet-tracer.html' title='Pix/ASA: Packet Tracer'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-4894901539443377685</id><published>2007-01-06T18:34:00.000+08:00</published><updated>2007-01-07T13:38:45.917+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='asa'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='pix'/><title type='text'>Pix/ASA: View interface status</title><summary type='text'>One of the first command that you usually learn on IOS is the useful command 'show ip interface brief'. This command will allow you to see the list of available interfaces on the router and their status.Do you know that the pix have an equivalent command? 
It's easy to miss it because those folks at PixOS Development have rearranged the words a bit. Well, the command on the PIX or ASA is 'show </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/4894901539443377685/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=4894901539443377685' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/4894901539443377685'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/4894901539443377685'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/pixasa-view-interface-status.html' title='Pix/ASA: View interface status'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-3780999111731875059</id><published>2007-01-05T19:59:00.000+08:00</published><updated>2007-01-07T13:44:11.446+08:00</updated><title type='text'>Rant: We don't need no stinkin' GUI !!!</title><summary type='text'>Lately I have been learning how to configure the Checkpoint firewall because the majority of the firewalls at the company I'm working for are Checkpoints. Like many of the firewalls available on the market, it is GUI-based. 
What sets it apart, though, is that it is not HTML-based and instead uses client software called SmartDashboard to configure the firewall. I really find its interface pretty </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/3780999111731875059/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=3780999111731875059' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/3780999111731875059'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/3780999111731875059'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/rant-we-dont-need-no-stinkin-gui.html' title='Rant: We don&apos;t need no stinkin&apos; GUI !!!'/><author><name>! Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-5868833070599087741</id><published>2007-01-05T19:45:00.000+08:00</published><updated>2007-01-07T14:03:33.641+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='pix'/><title type='text'>Pix/ASA: Inserting Access-list Entries</title><summary type='text'>My boss didn't know that on the Pix you can insert an access-list in between previous entries. 
He has always relied on the ASDM to do that. As I showed him, you can do it via the CLI, and this has always been possible on the PIX since version 6.3. The first step is to do a show access-lists. PIX# show access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/5868833070599087741/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=5868833070599087741' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/5868833070599087741'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/5868833070599087741'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/tip-inserting-access-list-entries.html' title='Pix/ASA: Inserting Access-list Entries'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7267093883386523047.post-7830518736770745162</id><published>2007-01-05T19:30:00.000+08:00</published><updated>2007-01-06T15:51:44.484+08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>RTFM first !!!</title><summary type='text'>I work with Cisco boxes and when faced with a task of configuring something unfamiliar to me, there is usually 5 options:RTFMSearch Cisco website for a sample configurationSearch the Internet, hoping that a kind soul have posted a solution to what you are trying to achieveAsk the experts in mailing lists, study groups and forums.Ask my more senior colleagues.Most of the time, I'll find myself on </summary><link rel='replies' type='application/atom+xml' href='http://writememreload.blogspot.com/feeds/7830518736770745162/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7267093883386523047&amp;postID=7830518736770745162' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7830518736770745162'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7267093883386523047/posts/default/7830518736770745162'/><link rel='alternate' type='text/html' href='http://writememreload.blogspot.com/2007/01/i-work-with-cisco-boxes-and-when-faced.html' title='RTFM first !!!'/><author><name>! 
Cocoy</name><uri>http://www.blogger.com/profile/04262972952560434225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
