Archive for December, 2009
For most network engineers, one of the most difficult and tricky features to configure on Cisco equipment is to properly setup a VPN communication network. I have realized that from the numerous emails and questions I get almost every day from readers of my blog and in my workplace as well.
Cisco is one of the leaders in VPN technologies. This is good for enterprises and companies which can use the flexible Cisco VPN features to meet their business goals (such as low cost in connectivity and communication between branches, flexibility in communication, security etc).
On the other hand, VPN is a pain for network administrators who are required to know how to configure and design several different VPN technologies supported by Cisco, such as Site-to-Site IPSEC VPN, remote access IPSEC VPN using vpn client software, Easy VPN, GRE VPN Tunnels, GRE over IPSEC, DMVPN (Dynamic Multipoint VPN), Virtual Tunnels configuration etc etc. In addition to the above VPN technologies, a network administrator is also required to know how to configure them on different networking platforms, such as Firewalls (ASA, PIX) and IOS Routers.
Recently I have stumbled upon a really useful software tool which will be of great value for Cisco network engineers: the VPN Config Generator tool from configureterminal.com. As the website states, with VPN Config Generator you can “Create Complicated VPNs in seconds at the click of a button!”.
As you can see from the pictures above, you first select the platform that you want to configure VPN on (i.e. Router or ASA/PIX Firewall), and then select the type of VPN that you want to configure. The tool supports almost all Cisco VPN technologies and also supports configurations between different platforms (e.g. ASA to ASA, ASA to Router etc). After you specify the required parameters, the tool generates a working configuration (in text format) which you can copy and paste onto the Router or Firewall (ASA/PIX) via the command line terminal, and you will be up and running. So basically you work offline first and then upload the generated config onto the live device.
I highly recommend this tool as it will save you from a lot of hassle and problems. Check it out from the official website HERE.
I have recently upgraded a few Intrusion Prevention System (IPS) modules which are embedded in ASA firewalls. The IPS models are AIP-SSM-20, which were upgraded from version 5.1 to 6.0.
The AIP-SSM module can be accessed either through the ASA CLI (using the “session 1” command), or via its dedicated management interface using SSH. I had already assigned an IP address to the IPS management interface, so I did the whole upgrade via the management interface. You also need an FTP server to host the upgrade image files.
Let's see how to upgrade the AIP-SSM IPS module below:
FTP server address: 172.20.1.8
Upgrade file used: IPS-K9-6.0-1-E1.pkg (major upgrade from 5.1 to 6.0)
Signature upgrade file: IPS-sig-S338-req-E1.pkg
Note about signature files: the keyword “req-E1” in the signature filename means that it requires the E1 signature engine software to be installed on the sensor.
After you log in to the sensor, use the “show ver” command to verify your current image version:
IPS# sh ver
Application Partition:Cisco Intrusion Prevention System, Version 5.1(5)E1
Then upgrade using the “upgrade” command:
IPS# conf t
IPS(config)# upgrade ftp://test@172.20.1.8/IPS-K9-6.0-1-E1.pkg
Password: **********
Warning: Executing this command will apply a software update to the application partition. The system may be rebooted to complete the upgrade.
Continue with upgrade? []: yes
Broadcast Message from root@IPS
(somewhere) at 15:26 …Applying update IPS-K9-6.0-1-E1.pkg. IPS applications will be stopped and system will be rebooted after upgrade completes .
Broadcast Message from root@IPS
(somewhere) at 15:26 …Shutting down IPS applications. Applications will be restarted when update is complete..
IPS(config)#
***
***
*** Termination request from cids
***
Sensor is shutting down.This CLI session will be terminated
The sensor reboots by itself. Wait a few minutes and then log in again.
IPS# sh ver
Application Partition:Cisco Intrusion Prevention System, Version 6.0(1)E1
As you can see, the image was upgraded successfully. Now we need to upgrade the signature file as well.
IPS# conf t
IPS(config)# upgrade ftp://test@172.20.1.8/IPS-sig-S338-req-E1.pkg
Password: **********
Warning: Executing this command will apply a signature update to the application partition.
Continue with upgrade? []: yes
Broadcast Message from root@IPS
(somewhere) at 16:40 …Applying update IPS-sig-S338-req-E1
Broadcast Message from root@IPS
(somewhere) at 16:42 …Update complete
IPS(config)#
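The two things worth checking before issuing the "upgrade" command are the ones the procedure above relies on: the version string reported by "show ver" and the engine requirement encoded in the package filename ("req-E1"). The following Python script is an added example, not part of the original post and not a Cisco tool. It parses the "show ver" line and the package filenames quoted above, rejects a signature package whose required engine does not match the sensor, and orders the applicable files so the system image is applied before the signature update. The filename IPS-sig-S338-req-E2.pkg is a constructed sample used only to show a rejected package; the Cisco naming patterns it matches are assumed from the filenames on this page.

```python
"""Pre-flight checks for Cisco IPS (AIP-SSM) upgrade packages.

Added example, not part of the original post and not a Cisco tool. It parses
the "show ver" version line and the upgrade/signature package filenames shown
in the post, and checks that a package actually fits the installed sensor
before the "upgrade ftp://..." command is issued.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Version lines taken from the post, before and after the system upgrade.
SHOW_VER_BEFORE = "Application Partition:Cisco Intrusion Prevention System, Version 5.1(5)E1"
SHOW_VER_AFTER = "Application Partition:Cisco Intrusion Prevention System, Version 6.0(1)E1"


class SensorVersion(NamedTuple):
    major: int
    minor: int
    build: int
    engine: str          # signature engine level, e.g. "E1"


class Package(NamedTuple):
    kind: str                                # "system" or "signature"
    version: Optional[Tuple[int, int, int]]  # system packages only
    sig_level: Optional[int]                 # signature packages only (the S-number)
    engine: str                              # engine the package ships / requires


# Patterns assumed from the filenames shown in the post.
_VER_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)(E\d+)")
_SYS_PKG_RE = re.compile(r"^IPS-K9-(\d+)\.(\d+)-(\d+)-(E\d+)\.pkg$")
_SIG_PKG_RE = re.compile(r"^IPS-sig-S(\d+)-req-(E\d+)\.pkg$")


def parse_show_ver(line: str) -> SensorVersion:
    """Extract major.minor(build)Engine from the 'show ver' application partition line."""
    m = _VER_RE.search(line)
    if m is None:
        raise ValueError(f"no IPS version found in: {line!r}")
    return SensorVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def parse_package(filename: str) -> Package:
    """Classify an upgrade file by its naming pattern."""
    m = _SYS_PKG_RE.match(filename)
    if m:
        return Package("system", (int(m.group(1)), int(m.group(2)), int(m.group(3))), None, m.group(4))
    m = _SIG_PKG_RE.match(filename)
    if m:
        return Package("signature", None, int(m.group(1)), m.group(2))
    raise ValueError(f"unrecognised package name: {filename!r}")


def check_package(installed: SensorVersion, pkg: Package) -> List[str]:
    """Return the reasons a package should NOT be applied; an empty list means OK."""
    problems: List[str] = []
    if pkg.kind == "signature":
        # "req-E1" means the sensor must already run the E1 engine.
        if pkg.engine != installed.engine:
            problems.append(
                f"signature package requires engine {pkg.engine}, "
                f"sensor runs {installed.engine}"
            )
    else:
        current = (installed.major, installed.minor, installed.build)
        if pkg.version <= current:
            problems.append(
                f"system package {pkg.version} is not newer than installed {current}"
            )
    return problems


def plan_upgrade(show_ver_line: str, filenames: List[str]) -> List[str]:
    """Order applicable packages: system image first, then signatures.

    Signature compatibility is evaluated against the engine the system
    package will leave behind, since that is what "req-Ex" refers to.
    """
    installed = parse_show_ver(show_ver_line)
    pkgs = [parse_package(f) for f in filenames]
    plan: List[str] = []
    for p, name in zip(pkgs, filenames):
        if p.kind == "system" and not check_package(installed, p):
            plan.append(name)
            # After the system upgrade the sensor runs the package's engine.
            installed = SensorVersion(*p.version, p.engine)
    for p, name in zip(pkgs, filenames):
        if p.kind == "signature" and not check_package(installed, p):
            plan.append(name)
    return plan


if __name__ == "__main__":
    # IPS-sig-S338-req-E2.pkg is a constructed filename used to show a rejected package.
    files = ["IPS-sig-S338-req-E1.pkg", "IPS-K9-6.0-1-E1.pkg", "IPS-sig-S338-req-E2.pkg"]
    print(plan_upgrade(SHOW_VER_BEFORE, files))
```

Run it against the output of "show ver" copied from the sensor and the list of files staged on the FTP server; the returned plan is the order in which to issue the "upgrade ftp://..." commands, and anything missing from it failed a check.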