Workaround: bug in Cisco ASA 8.4(4) and 8.4(5) when adding network object NAT

When upgrading from an earlier 8.4 release to 8.4(4) or 8.4(5), the configuration is converted for the new release without any problems. But when you create a new network object NAT rule, you get a nasty error:

ERROR: NAT Policy is not downloaded

There is no solution for this error at this point (January 2013). Cisco TAC told me that the development team is still working on this issue, but it is hard for them to reproduce this error in their lab.

But... there is a workaround available!

(more…)

Cisco ASA back-up internet connection with site to site VPN

Some time ago a customer wanted a back-up solution at one of their offices for the internet and VPN connection towards the datacentre. At both locations they use Cisco ASA 5505 firewalls.

Configuration needed on the Office Firewall

(more…)

SSL certificates Apache / OpenSSL

A customer ordered a few web SSL certificates from a public certificate authority (in this case, Thawte). On one specific Windows server, Apache with OpenSSL is used. It took me some time to figure out the complete process for requesting and completing the certificate. This blog post covers the complete certificate process: from creating the certificate request to exporting the certificate chain to a pfx file.

The first part is about requesting the certificate:

(more…)

Cisco Nexus 7000 OTV configuration

Another post, this time about the basic OTV configuration on a Nexus 7000.
The OTV configuration has to be made on a separate switch (or VDC) where no SVIs are configured for the VLANs you want to extend to the other site.
First, some terminology:
  • Edge device: the device that performs layer 2 functions towards the internal network and handles OTV transport towards the other site(s).
  • Transport network: the network (possibly layer 3) that connects all the sites. This is your WAN connection, possibly managed by your service provider.
  • Join interface: the uplink interface on the edge device that is connected to the transport network.
  • Internal interface: the interface on the edge device that is connected to the internal network.
  • Overlay interface: a logical, multi-access, multicast-capable interface that encapsulates layer 2 frames in IP headers (also called 'MAC routing').
  • Overlay network: the logical network that connects all sites together and uses MAC routing to interconnect them.
  • Site: your (layer 2) network at one location. In most cases, this is one of your datacenters.

Nexus 2248TP FEX connected to a Nexus 7000: part 1 basic connection

Cisco published a configuration guide for connecting a Nexus 2248TP FEX to a Nexus 7000. I'll walk through the steps needed to configure the FEX for basic connectivity.

A FEX is a Nexus 2000 series switch. At a very high level, it is a switchport module in a separate 1U chassis that is configured and controlled from a Nexus 5000/7000. There is one drawback: the switchports on the FEX can only be used as host ports. It is not possible to connect other switches to a FEX port, because BPDU Guard is enabled by default on FEX ports and cannot be disabled. Switchports on the FEX can be used for layer 2 and layer 3 connections. For more information about the FEX itself I'll refer to this link

All configuration is done on the Nexus 7000 with NX-OS 6.0(1). In this scenario, the 2248TP FEX is connected to switchport Ethernet 1/1 (a 10GE port) of the Nexus 7000 with a twinax cable.

First, let’s configure a switchport for the FEX:
switch(config)# int ethernet 1/1
switch(config-if)# switchport mode fex-fabric
Error: feature-set fex is not enabled
Okay, we have to install (!) and then enable the FEX feature set before we can continue:
switch(config)# install feature-set fex
switch(config)# feature-set fex
And try again to configure the fex-fabric mode:
(more…)