Backing up a Cisco Certificate Authority

If you’re deploying something such as DMVPN using a PKI, you may well be running a Certificate Authority on an IOS device. The files that make up the CA are stored in NVRAM. The Cisco design guide talks about backup and restore but there’s no automated way to copy the files off of the device. I created a TCL script that can be run via a kron schedule that will

Python. Not as bad as I thought.

My go to languages are Perl, PHP or good old bash. Everyone else seems to be using Python and up until now I had managed to steer clear of it. Mostly because I thought I didn’t need it but also because compared to languages that I’m familiar with, it looked odd. Just the structure of Python, having to use indentation, put me off. But today I wrote my first Python

Perl Module for Cisco Firepower Management Center API

I may have reinvented the wheel with this but I’ve started to write a Perl module for interacting with the Cisco FMC API using Perl. I say I may have reinvented the wheel because I didn’t check to see if someone else had already done this. I’ve published my module on GitHub. At the time of writing this, the module is at version 0.01. And as per the README right now

Simple Next Generation Firewall Manipulation Leading to Data Exfiltration

I was asked to take over a project involving implementing some Next Generation Firewalls. In this particular case it was Cisco Firepower Threat Defense. I was told that these NGFWs are all singing, all dancing and given the cost of them you’d expect that and more. I was told they understand more than just Layer 3 meaning we can do things like write rules based on FQDN, allow traffic based

Cisco Two Armed VPN Concentrator and Default Route

Take the following scenario: You have a hub site. Branch (spoke) sites connect to the hub with a L2L IPsec tunnel. All traffic must traverse the tunnel (no local breakout to the Internet). At the hub, your VPN concentrator is separate from your firewall and runs in two armed mode. Where one interface is outside the firewall (public) to terminate the incoming tunnels and another interface is within a DMZ. As such

DHCP Option 43 Generator for Cisco Lightweight APs

I got lazy after having to create a load of DHCP scopes for Cisco Lightweight Access Points, each requiring Option 43 in TLV format. And now you can be lazy too. Save the following as a HTML file and open in your favorite browser. In the text area enter your WLC IP addresses one per line and hit submit. This will generate the hex string to use in DHCP Option 43.

Cisco VSS, Domain ID and Virtual MAC Addresses

The other weekend I connected a L2 circuit between two sites. At both ends were Cisco 6500 Catalyst switches running VSS. The interfaces they connected to were configured as L3 and EIGRP was run between the two sites to share routes. But as soon as they were connected the neighbors started flapping. Troubleshooting started and as always you start at the lowest OSI layer and work up. Bingo! The issue

Show Me The Config!

Back in the days before stacks and VSS, doing a “show run” to look at something was easy. You pressed space a few times to page through the output and found the section you were interested in. Now when you’ve got a stack of several switches or switch running VSS with hundreds of interfaces you’ll be pressing space forever and a day paging through the config. In IOS you can pipe output to a selection of

Cisco Crypto ACLs – Do They Really Need to Match?

When starting out with IPsec tunnels it seems to be a common misconception that the crypto ACL, sometimes referred to as the encryption domain or the interesting traffic, must match 100% or be mirrored at both peers or the tunnel won’t come up. This isn’t strictly true. Whilst the ISAKMP phase 1 and IPsec phase 2 proposals must match, the crypto ACL can be different. Assume that at the local

Auditing Cisco ASA Firewall Rules

Today I was auditing a firewall rule set on a Cisco ASA firewall. The firewall has around 399 ACLs (Access Control Lists) comprising of 7272 ACEs (Access Control Entries). Quite a task! Unfortunately I didn’t have any tools to hand such as Cisco Security Manager or something like FirePac to audit the rules and give me some suggestions. Stage 1 was to visually look at the ACLs and spot the obvious