Technical Services News
October 2007

Cisco Product Quick Reference Guide Summer/Fall 2007 Edition Discount

The Cisco Product Quick Reference Guide (QRG) helps you understand the various Cisco product features and benefits in a portable, easy-to-use format. Enjoy 10 percent off your order for a limited time. More...

Incident Readiness and Response

It is extremely important to have a good incident management strategy within your organization. This article, written by Cisco expert Omar Santos, provides a high-level overview of incident readiness and response methodologies. More...

Troubleshooting Access Problems through a Firewall Using Packet-Tracer

This month's Reader Tip explains how the new packet-tracer feature in ASA software version 7.2(1) can be used to effectively troubleshoot access problems through a firewall. More...

New Offer from Cisco and the IET

Cisco Certified IT professionals now have the opportunity for fast-track entry to membership in the Institution of Engineering and Technology (IET). More...

Cisco Updates Advanced Wireless LAN Specialization

Cisco recently updated its wireless LAN specialization exams and courses to reflect important changes and advances in the management and use of wireless networks. More...

"Stopping E-Mail Threats" through TechWiseTV

In this TechWiseTV video broadcast, learn why the problem of e-mail threats is so hard to solve and view the latest solutions that can help you regain control. More...

Taking Loss Prevention to a New Level

Recently appearing on securityinfowatch.com, this article by Cisco expert Guido Jouret explains how application-level convergence can help retailers and other businesses achieve higher levels of efficiency and productivity. More...

New Cisco Product Documentation Available Online

"What's New in Cisco Product Documentation" is an online publication that provides information about the latest documentation releases for Cisco products. More...

Networking Professionals Connection

Check out current and upcoming events and discussions through Networking Professional Connection. More...


Note: For your convenience, articles also appear below.


Cisco Product Quick Reference Guide Summer/Fall 2007 Edition Discount

Cisco products, services, and solutions can help your company realize greater returns on technology investments. The Cisco Product Quick Reference Guide (QRG) helps you understand the various Cisco product features and benefits in a portable, easy-to-use format. This handy, compact reference tool was recently updated and is now available to purchase.

The Cisco Product QRG includes the following information for many Cisco products:

  • Brief product overviews
  • Key features
  • Sample part numbers
  • Abbreviated technical specifications

Receive 10 percent off your entire order (excludes shipping) now through November 15, 2007, when you enter code "SF_2007_TS" at checkout.

Note: Cisco employees should use code "SF_2007_TS_E" for discount.

Order your Cisco Product Quick Reference Guide today.

New Reader Tip: Troubleshooting Access Problems Using Packet-Tracer

Troubleshooting access problems through a firewall is often very difficult, especially when speed to resolution is critical. Errors in long complex ACLs can be easily overlooked, and access failures caused by NAT, IDS, and routing make the problem even more difficult.

Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.

Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch), and the ability to navigate quickly to a failed policy.

Here is the CLI syntax:

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that either permits or denies the packet, including a hit on the implicit deny.

asaTestlab# packet-tracer input inside tcp 10.1.1.1 1024 10.4.1.1 23

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any 10.4.1.0 255.255.255.0
Additional Information:

asaTestlab# packet-tracer input inside tcp 10.1.1.1 1024 10.4.2.1 5282

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny tcp any host 10.4.2.1 eq 5282
Additional Information:

Evaluations of other elements of the config are similarly specific. Here is an example with nat-control enabled but without proper address translation defined:

asaTestlab# packet-tracer input DMZ tcp 10.2.1.1 1024 10.4.2.1 http

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (DMZ) 0 access-list NoNAT
nat-control
match ip DMZ any outside any
no translation group, implicit deny
policy_hits = 1
Additional Information:

- Kevin Miller, Herman Miller, Inc., Zeeland, Michigan, USA

Editor's Note: Packet-tracer does more than just inject a 'virtual' packet into the data-plane. One can also add the 'trace' option to the capture command, so that actual packets the security appliance receives (which are matched by the capture) are also traced.

Example:

ASA# capture mycap access-list 199 interface outside trace

To view the packet-trace from captured packet #3 in the capture, use the command:

ASA# show capture mycap trace packet-number 3
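
As an added example (not part of the reader tip or of any Cisco tooling), this Python parser splits saved packet-tracer output into its Phase blocks and reports the first phase that dropped the packet along with the config lines the appliance quoted for it. The function names are hypothetical, the sample joins two phases quoted in the tip into one constructed trace, and the bare "Result:" summary trailer is an assumed shape of the untruncated output.

```python
import re

# Constructed sample: phases quoted in the tip plus an assumed bare "Result:" trailer.
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any 10.4.1.0 255.255.255.0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (DMZ) 0 access-list NoNAT
nat-control
match ip DMZ any outside any
no translation group, implicit deny
Additional Information:
Result:
Action: drop
"""

FIELD = re.compile(r"^(Phase|Type|Subtype|Result):\s*(.*)$")

def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase:' block."""
    phases, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m and m.group(1) == "Phase":
            cur = {"Phase": int(m.group(2)), "Type": "", "Subtype": "",
                   "Result": "", "Config": [], "Info": []}
            phases.append(cur)
            section = None
        elif m and m.group(1) == "Result" and not m.group(2):
            cur = section = None  # bare "Result:" starts the summary, not a phase field
        elif m and cur is not None:
            cur[m.group(1)] = m.group(2)
        elif line in ("Config:", "Additional Information:"):
            section = "Config" if line == "Config:" else "Info"
        elif line and cur is not None and section:
            cur[section].append(line)
    return phases

def first_drop(phases):  # first phase whose Result is DROP, else None
    return next((p for p in phases if p["Result"].upper() == "DROP"), None)
```

Feeding it the text of a saved trace and printing `first_drop(...)["Config"]` gives the same "which ACE or NAT rule stopped this flow" answer the tip reads off by eye.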

To learn more about Reader Tip submission and guidelines, visit the Reader Tip submission page. If your Tip is selected for publication, you will receive a complimentary Cisco polo t-shirt from the Cisco Technical Services Newsletter staff.

Note: All tips published in the Cisco Technical Services Newsletter are reviewed by Cisco technical support engineers; however, the Cisco Technical Services Newsletter and Cisco cannot guarantee the accuracy or completeness of these tips.

Cisco and the IET Advance Professional Development of Certified Community

Cisco Certified IT professionals can now take advantage of an outstanding career development opportunity: Fast-track entry to membership in the Institution of Engineering and Technology (IET). With more than 150,000 members in 128 countries, the IET is one of the world's leading professional societies for the engineering and technology community. Holders of active Cisco Associate, Professional, Expert, and Specialist certifications worldwide will be eligible for the IET fast-track membership program.

Find out more about IET membership or how you can join now.

Cisco Updates Advanced Wireless LAN Specialization

Cisco recently updated its wireless LAN specialization exams and courses to reflect important changes and advances in the management and use of wireless networks.

Advanced Wireless LAN for System Engineers (AWLANSE 642-586) and Advanced Wireless LAN for Field Engineers (AWLANFE 642-587) currently test knowledge of wireless LANs, including RF and antenna theory, 802.11a/b/g standards, and the ability to design and support a Cisco Unified Wireless Network. The new versions will also cover the ability to configure and verify voice transmission over a wireless network, configuration of Cisco Services Secure Clients, increased emphasis on outdoor mesh, new site survey tools, and updates to the wireless controller code. Exams are available at all worldwide Pearson VUE testing centers as of August 15, 2007.

These changes are also reflected in the curriculum:

  • Cisco Wireless LAN Fundamentals (CWLF) v2.0 will include about 10 percent new material
  • Cisco Wireless LAN Advanced Topics (CWLAT) v2.0 will include about 50 percent new material

The CWLF and CWLAT courses cover all topics included on the revised exams and are recommended for those pursuing technical specialization in wireless.

Find out more about Cisco's revised Wireless LAN certifications.

TechWiseTV: "Stopping E-Mail Threats"

Spam and other e-mail scams are costing American business $10 billion annually in lost productivity, wasted IT resources, and help desk costs. And, despite predictions from industry "experts" a few years ago, the crisis is getting worse.

Now, learn why this problem is so hard to solve and view the latest solutions that can help you regain control. This must-see 45-minute video broadcast will show you:

  • How spammers work and why they are so difficult to stop
  • The latest e-mail scams -- such as image spam and botnets -- and the dangers they pose
  • The limitations and pitfalls of traditional antispam solutions such as black and white lists
  • A comprehensive overview of the two-layer approach developed by IronPort and how it effectively filters out more than 95 percent of all spam and other e-mail threats
  • How organizations of any size can easily implement the solution on a local or global basis

Learn more and register to view video.

New Cisco Product Documentation Available Online

"What's New in Cisco Product Documentation" is an online publication that provides information about the latest documentation releases for Cisco products. Updated monthly, this online publication is organized by product category to direct you quickly to the documentation for your products.

In addition to many new and revised documents, highlights of the October release include documentation for the following:

  • Cisco IOS Release 12.2 SX Command References
  • Cisco IOS IPv6 Configuration Library

View the latest release of "What's New in Cisco Product Documentation" today.

Upcoming "Ask the Expert" Events and TechTalks from Networking Professionals Connection

Networking Professionals Connection is an interactive Website where you can discuss Cisco networking products and technologies with Cisco experts and networking professionals around the world.

Upcoming events on Networking Professionals Connection include:

  • "Ask the Expert" events, which allow you to discuss specific networking issues online with Cisco engineers:
    • "CCIE Routing & Switching," now through October 19
    • "IOS Security Technologies," now through October 19
    • "NAC in Branch Office," October 22 through November 2
    • "Incident Management," October 22 through November 2
      Note: "Ask the Expert" events are subject to rescheduling. Please refer to the URL above for the most current schedule.
  • TechTalks are online Webcasts that focus on particular technology subjects. You can view the latest event schedule, register to attend a live session, and view archived presentations on the Web any time.

To attend an event or participate in a discussion forum, visit Networking Professionals Connection.

About This Newsletter

Forget Your User ID or Password?

Your user ID is usually your first initial followed by your last name; for example, John Doe's user ID might be "jdoe." If you cannot remember your password, send a blank e-mail message. An automatic check will verify that your e-mail address is registered with Cisco.com. Account details with a new random password will be sent in an e-mail to you.

Contact Us:

E-mail us your questions and comments.

Important Notices:

© 1992-2007 Cisco Systems, Inc. All rights reserved.

Terms and Conditions, Privacy Statement, Cookie Policy, and Trademarks of Cisco Systems, Inc.