Friday, September 14, 2007

CISCO CALL MANAGER BEST PRACTICES....


http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00807f8b31.shtml


Using PPTP for Remote Access



This section describes how to implement the Point-to-Point Tunneling Protocol (PPTP) using the PIX Firewall. It contains the following topics:

Overview
PPTP Configuration
PPTP Configuration Example

Overview



The firewall provides support for Microsoft PPTP, which is an alternative to IPSec for VPN clients. PPTP may be easier to deploy and maintain in some networks, but it is less secure than IPSec: its protection rests entirely on the PPP authentication method and on MPPE, and both MS-CHAP versions have published cryptographic weaknesses (the MS-CHAPv2 exchange can be reduced to recovering a single DES key from a captured handshake). Treat PPTP as a legacy option and prefer IPSec wherever the clients support it.



The vpdn command implements the PPTP feature for inbound connections between the firewall and a Windows client. PPTP is a Layer 2 tunneling protocol that lets a remote client use a public IP network to reach servers on a private corporate network: PPP frames are carried inside GRE (IP protocol 47), and a separate TCP control connection on port 1723 sets up and tears down the tunnel. Every device between the client and the firewall must therefore pass both GRE and TCP 1723; NAT devices that do not track GRE are the usual reason a PPTP client fails to connect. RFC 2637 describes the protocol.



Support is provided for only inbound PPTP and only one firewall interface can have the vpdn command enabled.



Supported authentication protocols include: PAP, CHAP, and MS-CHAP using external AAA (RADIUS or TACACS+) servers or the firewall local username and password database. Through the PPP IPCP protocol negotiation, the firewall assigns a dynamic internal IP address to the PPTP client allocated from a locally defined IP address pool.



The firewall PPTP VPN supports standard PPP CCP negotiations with Microsoft Point-To-Point Encryption (MPPE) extensions, which use the RC4 stream cipher (RFC 3078). MPPE currently supports 40-bit and 128-bit session keys; a 40-bit key offers no meaningful protection, so configure 128-bit. MPPE generates an initial key during user authentication and refreshes the key regularly. In this release, compression is not supported.



When you specify MPPE, use the MS-CHAP PPP authentication protocol. If you are using an external AAA server, the protocol should be RADIUS and the external RADIUS server should be able to return the Microsoft MSCHAP_MPPE_KEY attribute to the firewall in the RADIUS Authentication Accept packet. See RFC 2548, "Microsoft Vendor Specific RADIUS Attributes," for more information on the MSCHAP_MPPE_KEY attribute.



Cisco Secure ACS 2.5/2.6 and higher releases support the MS-CHAP/MPPE encryption.



The firewall PPTP VPN has been tested with the following Microsoft Windows products: Windows 95 with DUN1.3, Windows 98, Windows NT 4.0 with SP6, and Windows 2000.





Note: If you configure the firewall for 128-bit encryption and a Windows 95 or Windows 98 client does not support 128-bit or greater encryption, the connection to the firewall is refused. When this occurs, the Windows client moves the dial-up connection menu down to the screen corner while the PPP negotiation is in progress. This gives the appearance that the connection is accepted when it is not. When the PPP negotiation completes, the tunnel terminates and the firewall ends the connection. The Windows client eventually times out and disconnects.





PPTP Configuration



Use the vpdn command together with the sysopt connection permit-pptp command to let traffic arriving through PPTP tunnels bypass the access-list command statements on the interface. Without sysopt connection permit-pptp, tunneled client traffic is still filtered by the outside interface access list (as in the example below); with it, the only control left on that traffic is the PPP authentication of the tunnel, so do not enable it on a group that accepts unauthenticated clients.



The show vpdn command lists tunnel and session information.



The clear vpdn command removes all vpdn commands from the configuration and stops all active PPTP tunnels. The clear vpdn all command removes all tunnels, and the clear vpdn id tunnel_id command removes the tunnels associated with tunnel_id (view the tunnel_id with the show vpdn command).

The clear vpdn group command removes all the vpdn group commands from the configuration, and the clear vpdn username command removes all the vpdn username commands from the configuration.



You can troubleshoot PPTP traffic with the debug ppp and debug vpdn commands.



PPTP Configuration Example



Example 8-3 shows a minimal configuration that lets a Windows PPTP client dial in without any authentication. This is not recommended: with no ppp authentication configured for the group, anyone who can reach the outside interface is handed an address from the inside pool. Refer to the vpdn command page in the Cisco PIX Firewall Command Reference for more examples and descriptions of the vpdn commands and the command syntax.



Example 8-3 PPTP Configuration Example

ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
static (inside, outside) 209.165.201.2 192.168.0.2 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.2 eq telnet
access-group acl_out in interface outside




The ip local pool command specifies the IP addresses assigned to each VPN client as they log in to the network. The Windows client can Telnet to host 192.168.0.2 through the global IP address 209.165.201.2 in the static command statement. The access-list command statement permits Telnet access to the host.
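The following is an added example, not part of the Cisco document quoted above: a small Python audit that reads a PIX-style vpdn configuration and reports the weaknesses the overview warns about (no PPP authentication, PAP or CHAP instead of MS-CHAP, no MPPE, 40-bit keys, MPPE not required, no authentication source). It embeds Example 8-3 as the weak input and a hardened variant as the corrected one. The extra lines in the hardened variant (ppp authentication, ppp encryption mppe, client authentication, vpdn username, sysopt connection permit-pptp) follow the PIX 6.x vpdn syntax as I recall it and are an assumption to verify against the command reference for your release; the username and password are placeholders.

```python
import re

# Constructed sample, copied from Example 8-3 above: no authentication, no MPPE.
WEAK_CONFIG = """
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
"""

# Constructed hardened variant. The added vpdn lines follow the PIX 6.x vpdn
# command syntax as I remember it (assumption: verify against the command
# reference for your release). Username and password are placeholders.
HARDENED_CONFIG = """
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client authentication local
vpdn username alice password ChangeMe-example
vpdn enable outside
sysopt connection permit-pptp
"""


def parse_vpdn_groups(config):
    """Map each vpdn group name to the list of settings configured for it."""
    groups = {}
    for raw in config.splitlines():
        m = re.match(r"\s*vpdn group (\S+) (.+?)\s*$", raw)
        if m:
            groups.setdefault(m.group(1), []).append(m.group(2))
    return groups


def audit_pptp(config):
    """Return a list of findings for every group that accepts PPTP dial-in."""
    findings = []
    for name, settings in parse_vpdn_groups(config).items():
        if "accept dialin pptp" not in settings:
            continue
        auth = [s for s in settings if s.startswith("ppp authentication ")]
        enc = [s for s in settings if s.startswith("ppp encryption mppe ")]
        if not auth:
            findings.append(f"group {name}: no 'ppp authentication', any client can dial in")
        elif auth[0].split()[-1] != "mschap":
            # PAP and CHAP cannot derive MPPE keys, so encryption is impossible.
            findings.append(f"group {name}: '{auth[0]}' cannot supply MPPE keys, use mschap")
        if not enc:
            findings.append(f"group {name}: no MPPE, tunnel payload crosses the Internet in clear")
        else:
            parts = enc[0].split()  # ppp encryption mppe {40|128|auto} [required]
            if parts[3] != "128":
                findings.append(f"group {name}: MPPE '{parts[3]}' permits 40-bit session keys")
            if "required" not in parts:
                findings.append(f"group {name}: MPPE not 'required', a client may negotiate no encryption")
        if not any(s.startswith("client authentication ") for s in settings):
            findings.append(f"group {name}: no 'client authentication local|aaa' source")
    if not re.search(r"^\s*vpdn enable \S+", config, re.M):
        findings.append("vpdn is not enabled on any interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("Example 8-3", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_pptp(cfg) or ['no findings']}")
```

Run it against a `show running-config` capture pasted into a string; it checks only the vpdn lines and does not validate syntax against the device, so a typo in a command name shows up as a missing setting rather than an error.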


Thursday, September 13, 2007



Importance Of Directed Broadcasts

Do we know what problem we will face if we enable 'ip directed-broadcast' on an interface?

IP directed broadcasts are the amplification mechanism in the well-known smurf denial of service attack, and in related attacks such as fraggle, which uses UDP echo instead of ICMP.

An IP directed broadcast is a datagram which is sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, the one that is connected directly to the target subnet, can conclusively identify a directed broadcast. Directed broadcasts are occasionally used for legitimate purposes, but such use is not common outside the financial services industry.

In a smurf attack, the attacker sends ICMP echo requests from a falsified source address to a directed broadcast address. This causes all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies. This can completely inundate the host, whose address is falsified.

If a Cisco interface is configured with the no ip directed-broadcast command, directed broadcasts that would otherwise be exploded into link-layer broadcasts at that interface are dropped instead. This means that the no ip directed-broadcast command must be configured on every interface of every router that is connected to a target subnet; it is not sufficient to configure it only on firewall routers, because an upstream router sees the packet as an ordinary unicast. The no ip directed-broadcast command is the default in Cisco IOS Software Release 12.0 and later. In earlier releases, the command should be applied to every LAN interface that is not known to forward legitimate directed broadcasts. As a second layer, hosts can be configured to ignore ICMP echo requests addressed to a broadcast address (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1, which is the default), which removes the amplification even where a router still forwards directed broadcasts.
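The following is an added example, not part of the original post: a Python model of the last-hop decision described above. Given the subnets attached to a router's LAN interfaces (constructed here with documentation prefixes), it shows that only that router can recognise a packet as a directed broadcast, what happens to the packet with and without ip directed-broadcast, and how many echo replies a smurf echo request to each broadcast address would provoke toward the spoofed source. Interface names and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed view of the subnets attached to this router's LAN interfaces.
ATTACHED = {
    "FastEthernet0/0": ipaddress.ip_network("192.0.2.0/24"),
    "FastEthernet0/1": ipaddress.ip_network("198.51.100.128/25"),
}

ICMP_ECHO_REQUEST = 8

# Constructed packets as seen by this router: (src, dst, proto, icmp_type).
SAMPLE = [
    ("203.0.113.7", "192.0.2.255", "icmp", 8),      # echo request to the /24 broadcast
    ("203.0.113.7", "198.51.100.255", "icmp", 8),   # echo request to the /25 broadcast
    ("203.0.113.7", "192.0.2.10", "icmp", 8),       # ordinary unicast ping
    ("192.0.2.10", "203.0.113.7", "icmp", 0),       # echo reply
    ("203.0.113.7", "10.9.9.255", "icmp", 8),       # broadcast of a subnet not attached here
]


def directed_broadcast_interface(dst, attached=ATTACHED):
    """Interface on which dst is the directed broadcast address, or None.

    A router can only make this call for subnets it is attached to, which is
    why upstream routers forward the same packet as an ordinary unicast and
    why 'no ip directed-broadcast' belongs on every LAN interface, not only
    on the edge routers.
    """
    dst = ipaddress.ip_address(dst)
    for ifname, net in attached.items():
        if dst == net.broadcast_address:
            return ifname
    return None


def handle(pkt, attached=ATTACHED, directed_broadcast=False):
    """Emulate the last-hop router's decision with or without 'ip directed-broadcast'."""
    src, dst, proto, icmp_type = pkt
    ifname = directed_broadcast_interface(dst, attached)
    if ifname is None:
        return ("forward", "unicast, or a broadcast for a subnet not attached here")
    if not directed_broadcast:
        return ("drop", f"directed broadcast for {ifname} dropped (no ip directed-broadcast)")
    hosts = max(attached[ifname].num_addresses - 2, 0)  # usable host addresses
    if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
        return ("explode", f"smurf: up to {hosts} echo replies will be sent to {src}")
    return ("explode", f"converted to a link-layer broadcast on {ifname}")


def smurf_amplification(packets, attached=ATTACHED):
    """Echo replies an attacker could trigger toward each (spoofed) source
    address if directed broadcasts were enabled on the matching interfaces."""
    totals = {}
    for src, dst, proto, icmp_type in packets:
        ifname = directed_broadcast_interface(dst, attached)
        if ifname and proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
            totals[src] = totals.get(src, 0) + max(attached[ifname].num_addresses - 2, 0)
    return totals


if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt[1], handle(pkt), handle(pkt, directed_broadcast=True))
    print("replies per spoofed source if enabled:", smurf_amplification(SAMPLE))
```

The two echo requests in the sample would yield up to 380 replies to the spoofed source from a single router's two subnets; with the default `no ip directed-broadcast` on both interfaces they are simply dropped, while the packet for 10.9.9.255 is forwarded unchanged because this router cannot tell it is a broadcast.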


Wednesday, September 12, 2007

7940 and 7960 IP Phones Resetting to the Factory Default
------------------------------------------

-----------
PROCEDURE 1
-----------
Steps:

1.Choose the main Date/Time window.

2.Press **# in order to unlock the Network Configuration on the phone.

3.Press Settings.

4.The Network Configuration lock symbol must be unlocked. If not, exit to the main window and press **# again.

5.Press 3 on the keypad (or scroll down) for Network Configuration.

6.Press 33 on the keypad (or scroll down) to Erase Configuration.

7.Press the Yes softkey.

8.Press the Save softkey.

The phone then resets.
---------------------------------------------

-----------
PROCEDURE 2
-----------

Steps:


In order to perform a factory reset of a phone if the password is set, complete these steps:

1.Unplug the power cable from the phone, and then plug in the cable again.

The phone begins its power up cycle.

2.Immediately press and hold # while the Headset, Mute, and Speaker buttons flash in sequence.

Release # after the Speaker button is no longer lit.

The Headset, Mute, and Speaker buttons flash in sequence in order to indicate that the phone waits
for you to enter the key sequence for the reset.

3.Press 123456789*0# within 60 seconds after the Headset, Mute, and Speaker buttons begin to flash.

If you repeat a key within the sequence, for example, if you press 1223456789*0#, the sequence is
still accepted and the phone resets.

If you do not complete this key sequence or do not press any keys, after 60 seconds,
the Headset, Mute, and Speaker buttons no longer flash, and the phone continues with its
normal startup process. The phone does not reset.

If you enter an invalid key sequence, the buttons no longer flash, and the phone continues
with its normal startup process. The phone does not reset.

If you enter this key sequence correctly, the phone displays this prompt:

Keep network cfg? 1 = yes 2 = no

4.In order to maintain the current network configuration settings for the phone when the phone resets,
press 1. In order to reset the network configuration settings when the phone resets, press 2.

If you press another key or do not respond to this prompt within 60 seconds,
the phone continues with its normal startup process and does not reset. Otherwise,
the phone goes through the factory reset process.

Because this power-up sequence works whether or not a settings password is configured,
anyone with physical access to a handset can wipe it, and with option 2 erase its network
configuration as well; the settings password protects the menus, not the phone's configuration.

================================================