February 22, 2008
CiscoBlog...Useful?
Wow - I feel honored! Network World magazine has listed CiscoBlog as one of the top 20 websites for Cisco techs. Check out the list from the link below - there's plenty of other useful stuff out there:
http://www.networkworld.com/community/node/25115
***Warning: following the links contained in this post may have you up past midnight on a Friday night playing with free Cisco management platforms that seem entirely too cool but just end up wasting time.***
Posted by JC at 2:23 PM
February 21, 2008
Static NAT Inaccessible Through VPN Connections
Alright, I've run into this problem three times now and each time I keep having to rediscover the solution, so I thought I'd write the solution here for myself and whomever it may help. Here's the problem:
Creating site-to-site VPN connections as a WAN link replacement is becoming quite common. The problem I continually encounter is that servers behind the router with Static NAT entries (which make them accessible from the outside world) become inaccessible through the VPN when addressed by their private address. VPN users can still access the servers by using the Internet connection. This problem occurs simply because of the order in which the Cisco router handles NAT rules.
Take this example. A user from SiteA accesses ServerB at SiteB using its private address on TCP port 80 (HTTP):
UserA ---> Site-to-Site VPN ---> ServerB
The request reaches ServerB, which attempts to transmit back to UserA. The router at SiteB has a Static NAT mapping allowing ServerB to be accessible from the Internet. This Static NAT mapping is processed before the site-to-site VPN rule:
ServerB Response ----> Static NAT mapping ---> Reply sent to Internet abyss
The result is the HTTP connection from SiteA times out. So, here's how to fix it:
RouterB(config)#route-map NO_NAT
RouterB(config-route-map)#match ip address 100
RouterB(config-route-map)#exit
RouterB(config)#access-list 100 deny ip host 192.168.15.100 192.168.10.0 0.0.0.255
RouterB(config)#access-list 100 permit ip 192.168.15.0 0.0.0.255 any
RouterB(config)#ip nat inside source static tcp 192.168.15.100 80 81.14.214.29 80 route-map NO_NAT
The above configuration essentially exempts the server from the Static NAT entry when it is speaking to hosts across the VPN, but still lets it pass through Static NAT for everything else.
Here's the original Cisco reference:
http://www.cisco.com/warp/public/707/static.html#topic2
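The reply path described above, modeled as an added example (not code from the original post or from Cisco): a small Python simulation that evaluates ACL 100 with Cisco wildcard matching and shows where ServerB's reply ends up with and without the route-map. The crypto ACL and the SiteA host 192.168.10.50 are assumptions, since the post does not show the VPN configuration.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACL 100 from the post: (action, src, src_wildcard, dst, dst_wildcard)
ACL_100 = [
    ("deny",   "192.168.15.100", "0.0.0.0",   "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.15.0",   "0.0.0.255", "0.0.0.0",      "255.255.255.255"),
]
# Assumed crypto ACL for the tunnel (not shown in the post): SiteB LAN -> SiteA LAN.
CRYPTO_ACL = [
    ("permit", "192.168.15.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
]

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action == "permit"
    return False

def reply_path(src, sport, dst, nat_route_map=None):
    """Follow ServerB's reply through RouterB: static NAT first, then the VPN check."""
    static = ("192.168.15.100", 80, "81.14.214.29")  # static TCP mapping from the post
    if (src, sport) == static[:2]:
        # With a route-map attached, the static entry applies only if its ACL permits.
        if nat_route_map is None or acl_permits(nat_route_map, src, dst):
            src = static[2]
    # The crypto ACL is checked against the (possibly translated) source address.
    fate = "encrypted into VPN" if acl_permits(CRYPTO_ACL, src, dst) else "sent to Internet"
    return src, fate

if __name__ == "__main__":
    user_a = "192.168.10.50"  # constructed SiteA host (assumption)
    print(reply_path("192.168.15.100", 80, user_a))                  # no route-map
    print(reply_path("192.168.15.100", 80, user_a, ACL_100))         # with NO_NAT
    print(reply_path("192.168.15.100", 80, "203.0.113.7", ACL_100))  # Internet client
```

On a real router, `show ip nat translations` and `show crypto ipsec sa` let you confirm the same outcome: no translation entry for VPN flows and increasing encaps counters on the tunnel.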
Posted by JC at 11:34 AM
February 20, 2008
Cool Utility of the Week: ZipTie
Many of you know about Kiwi Software. They are one of my favorite vendors and make very reasonably priced utilities to manage many aspects of your Cisco network. For years, I've been using their Kiwi CatTools product for configuration management & bulk changes...
...but now the open source community is creeping in: Welcome ZipTie! ZipTie is a project that essentially competes with Kiwi CatTools in a Freeware/Open Source version. Now, I've already purchased Kiwi CatTools and love it...so what makes me excited about ZipTie? The Future!!! If you take a look at the roadmap, they've got more and more features planned to integrate
Not to mention that Open Source projects typically move faster than corporate environments since just about anyone can write plug-ins for the system. As a matter of fact, ZipTie already has a "partner site" (www.zipforge.org) dedicated to add-ons and plug-ins for different features and equipment. ZipTie currently has a quarterly release schedule, so I'm very excited to see how things progress this year.
Product Site: www.ziptie.org
Posted by JC at 10:00 AM
February 8, 2008
Goodbye SecureCRT - Hello Putty!!!
First off, let me say thank you to all who responded to the previous post on my qualms spending $99 for SecureCRT. An extra thank you to whoever suggested Putty CM!
This utility is so cool, I thought I'd create an extra post about it for those who missed the last thread. Now, without a doubt, SecureCRT takes the cake for the number of features, smoothness, and so on...but if you're just looking for these basic features, you gotta check this program out:
- Saved connections / passwords
- Tabbed windows / session management
- Scripted logins
Here's a screencap of what I've got so far:
**Note...the black squares are mine to protect the innocent :o)
Now here's the scoop: The Putty Connection Manager essentially puts a "shell" around the actual Putty program.
The shell is what adds all the SecureCRT-like functionality to the Putty program itself. I'm not saying this program is perfect...there's already a couple glitches that bug me, but for the most part...it does everything I need it to do for...(drum roll please) FREEEEEEE!!
So here's the links to get you started:
Putty Connection Manager
Putty itself
Posted by JC at 8:17 AM
February 6, 2008
SecureCRT...Why Is This So Hard?!?
I've got 8 days remaining on my trial license...In the other tab of this browser is the order page for SecureCRT 6.0. My cheapskate nature just won't let me click the Submit button! Am I really about to pay $99.00 for a client that gives Windows the ability to do something my Apple system does natively? Are they really charging $99 for an SSH client? Am I really about to spend this?
...but it saves my sessions! And those tabbed windows...SO NICE! Auto-reconnect functionality? Sweet!
$49.00...no problem - totally worth it. $69...maybe...but $99? That's a month of In/Out Burger visits! Is SecureCRT really worth a month of In/Out Burger?
...but it remembers all the passwords for my routers too...
AAARGH! Someone tell me I'm not going insane. Seriously - I'd rather be buying a new car than trying to force myself to hit the Submit button on the SecureCRT order page. Isn't there some SecureCR-FREEware product someone has created for Windows? Why can't Apple just take over the world and be done with it? Ugh.
Posted by JC at 8:35 AM