ASA 8.4 – first look
Just under a year since the last major ASA version, Cisco released a new version: 8.4(x)
While this version came earlier than I would expect, there are some exciting new features, some of them definitely worth upgrading for. I have no intention telling the full story (or chewing the release notes for you ;)) but I do want to go over some of the features and the new commands they bring to the world:
EtherChannel support – up to 48 802.3ad EtherChannels of eight active interfaces each
new commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
Show Top CPU Processes – You can now monitor the processes that run on the CPU to obtain information related to the percentage of the CPU used by any given process.
new command: show process cpu-usage sorted
TCP Ping Enhancement – you can specify a source IP address and a port and source interface to send pings to a hostname or an IPv4 address
new command: command: ping tcp
Stateful Failover with Dynamic Routing Protocols – Routes that are learned through dynamic routing protocols (such as OSPF and EIGRP) on the active unit are now maintained in a Routing Information Base (RIB) table on the standby unit.
modified command: show failover, show route, show route failover.
Host Scan Package Support – support for the ASA to install or upgrade a Host Scan package and enable or disable Host Scan
new command: csd hostscan image path
These are only few changes that I find exciting and they show Cisco’s commitment to this product. If you’re running ASA (or even an old PIX) in your environment I highly recommend spending the time and reading the release notes. even if you’re not going to upgrade any time soon, it is always good to know what are the available options – you never know when you’ll need it.
If you already upgrade your ASA to 8.4 or even better – upgraded and used one of the new features, we want to hear about it!
How to recover a VPN key
While troubleshooting a VPN connection I wanted to confirm that the pre-shared key is identical on both ends. In order to do so I used a cool, relatively unknown command that allow you to recover the pre-shared key:
more system:running-config
Using the more system:running-config command result in clear text pre-shared key:
tunnel-group tunnel_name ipsec-attributes
pre-shared-key cleartextpassword
While this is the easiest way, you might encounter a device with an old version (pre 7.x) that does not support this command. Don’t worry, there are more opitons. using TFTP you can copy the config to your TFTP server which saves the password in clear text. This is the required command:
copy running-config tftp:
You can also use the less known write net command for the same task. In both cases, the text file containing the configuration on the TFTP server will show the pre-shared key in clear text.
By the way, older ASDM versions will show the passwords in clear text but I hope you’re not using those old versions 🙂
PIX\ASA as DHCP server
After a long while I had a chance to work with our firewall. Part of the task was setting up our old PIX as DHCP server.
The configuration is simple:
dhcpd address 172.16.1.100-172.16.1.200 inside dhcpd dns 172.16.1.1 dhcpd wins 172.16.1.2
You can see that the configuration is really simple but I found on interesting detail I wasn’t aware of: You can only use 256 addresses
Well, to be exact it is 253 addresses and it is a software limitation:
The size of the address pool is limited to 256 addresses per pool on the security appliance. This cannot be changed and is a software limitation. The total can only be 256.
One note – this limitation is per interface so if you have more than one inside interface you can use 253 addresses per interface.
2010 in review – Thanks you all
This an email I just received from WordPress:
The stats helper monkeys at WordPress.com mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:
The Blog-Health-o-Meter™ reads Wow.
Crunchy numbers
About 3 million people visit the Taj Mahal every year. This blog was viewed about 54,000 times in 2010. If it were the Taj Mahal, it would take about 7 days for that many people to see it.
In 2010, there were 129 new posts, growing the total archive of this blog to 131 posts. There were 128 pictures uploaded, taking up a total of 11mb. That’s about 2 pictures per week.
The busiest day of the year was January 26th with 660 views. The most popular post that day was New CCNP – Official Announcement.
Where did they come from?
The top referring sites in 2010 were linkedin.com, social.technet.microsoft.com, routemyworld.com, en.wordpress.com, and Google Reader.
Some visitors came searching, mostly for new ccnp track 2010, ospf bgp lab, netdom.exe, new ccnp, and eigrp variance.
Attractions in 2010
These are the posts and pages that got the most views in 2010.
New CCNP – Official Announcement January 2010
6 comments
Cisco VPN Client for Win7 64-bit (beta) March 2010
1 comment
New CCNP track – Countdown started January 2010
19 comments
Labs February 2010
BSCI – BGP Lab February 2010
OSI Model – free iPhone app
If you’re learning for your CCNA or want to refresh your memory AND have an iPhone\iPad\iTouch check out this OSI model app – NOW FREE
Description
The most engaging OSI Model Video e-learning combining multiple modalities to help you understand the theory behind the OSI Model.Over 31000 people have viewed these video’s with a rating of 4.7.
The App is broken up into 3 videos:
1. Introduction to the OSI Model
2. Layer 1-3 of the OSI Model
3. Layer 4-7 of the OSI Model.The video’s were created in a high quality production mode, not boring powerpoints or wipe boards. These videos were created by a Cisco Learning Solutions Partner – Tech 2000 and can be used to help you fulfill your CCENT or CCNA knowledge requirements. The commentator is a Cisco Certified Instructor.
IT Dualism 