Archive for October, 2009
Both iPhone software versions 2.x and 3.x support three types of remote access VPN connectivity: L2TP, PPTP and IPSec (see picture below). The IPSec option is actually a Cisco VPN client software for communicating securely with Cisco Adaptive Security Appliance (ASA 5500 Series Firewalls).

Cisco states that only ASA and PIX firewalls support the iPhone Remote Access VPN. Cisco IOS routers with IPSec capability and the older VPN3000 Concentrators DO NOT support the iPhone VPN feature.
This feature enables teleworkers to connect remotely to their enterprise central network over a secure VPN tunnel using their Apple iPhone. The VPN can use both Wi-Fi and cellular mobile data networks for setting up the tunnel. The authentication methods supported for establishing the secure remote VPN tunnel are:
- Password
- RSA SecurID
- CRYPTOCard
- Certificate
Regarding the configuration on the Cisco ASA appliance, this is exactly the same configuration as for the normal Cisco IPSec VPN client software. You need to configure an IP pool from which the iPhone receives an IP address. This pool range will then have access to the internal network behind the ASA.
By default, when you access a Cisco router for management purposes (using Console, Telnet or SSH) there is no username/password authentication required. You only need to supply the “privileged EXEC” password (i.e. the “enable” password) in order to gain access to the full configuration mode of the router. Employing an additional level of authentication (i.e. requiring the user to supply a username/password credential in addition to the “enable” password) will make the router more resistant to unauthorized access. Moreover, configuring local usernames on the device gives you the flexibility to add granularity regarding the levels of management privileges for different users. For example, you can configure a username on the router with full privileges (privilege level 15) who can configure anything on the router, or you can configure a username with unprivileged access (privilege level 1) who can only see a few things on the router and nothing else.
There are two steps involved to configure local usernames. The first one is to create the username/password and assign it a privilege level (from 1 to 15, with 15 being the most privileged level). If you don’t specify a privilege level number, it gets the full privilege 15 by default. The second step is to configure your VTY lines (0 to 4) to require a local login access (i.e only a configured user with a valid password can access the router).
Configuration
Router# config t
! Create two local users: one with full privileges, one that can only monitor
Router(config)# username Mynetworkadmin privilege 15 secret $Str0ngP@ss$
Router(config)# username Onlymonitoring privilege 1 secret An0ther!Pass34
! Require the local username database for all five VTY (Telnet/SSH) lines
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# end
! Save the configuration from privileged EXEC mode ("wr" is not accepted in config mode)
Router# write memory
Just a security tip here: for the username, select something difficult to guess or something that will not be found in dictionary attacks. For example, words like “admin”, “administrator”, “cisco” etc. are not good usernames. A simple dictionary attack from a hacker will find those easily.
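As an added example (not part of the original post), the following Python script audits a running-config excerpt for the two points above: every `username` line should use `secret` rather than the reversible `password` form and should not use a guessable name, and every `line vty` range should enforce `login local`. The config text and the hash placeholders are constructed for the example.

```python
import re

# Constructed sample of a running-config excerpt (not the page's router); it mixes
# the post's two users with a weak third account and a second vty range to flag.
SAMPLE_CONFIG = """\
username Mynetworkadmin privilege 15 secret 5 $1$xxxx$PLACEHOLDERHASH
username Onlymonitoring privilege 1 secret 5 $1$yyyy$PLACEHOLDERHASH
username admin password 7 PLACEHOLDERTYPE7
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet
"""

# Usernames a dictionary attack tries first, as the post warns.
WEAK_USERNAMES = {"admin", "administrator", "cisco", "root", "user", "guest"}

def audit_usernames(config):
    """Findings for 'username' lines: reversible passwords and guessable names."""
    findings = []
    for line in config.splitlines():
        m = re.match(r"username (\S+)(?: privilege (\d+))? (secret|password) ", line)
        if not m:
            continue
        name, priv, kind = m.group(1), m.group(2) or "unset", m.group(3)
        if kind == "password":
            findings.append(f"{name}: 'password' keyword (plaintext or type 7), use 'secret'")
        if name.lower() in WEAK_USERNAMES:
            findings.append(f"{name}: guessable username (privilege {priv})")
    return findings

def audit_vty(config):
    """Return the 'line ...' ranges that are not configured with 'login local'."""
    missing, current, has_local = [], None, False
    for line in config.splitlines() + ["line <end>"]:  # sentinel closes the last block
        if line.startswith("line "):
            if current is not None and not has_local:
                missing.append(current)
            current, has_local = line[5:], False
        elif current is not None and line.strip() == "login local":
            has_local = True
    return missing

if __name__ == "__main__":
    for finding in audit_usernames(SAMPLE_CONFIG) + audit_vty(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; the two post users pass, while the `admin` account and the `vty 5 15` range are reported.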
The latest Cisco IOS version was 12.4 until recently when Cisco IOS version 15.0 was introduced. Have you noticed the jump from version 12 to 15? Do you wonder why versions 13 and 14 were skipped? Well, rumors say that Cisco avoided those version numbers because 13 is considered unlucky in the Western Culture and 14 is also considered unlucky in the Asian culture !!
As with any version upgrade, there are many new features in this release, most of which you will never use in your life!! This is a characteristic of IOS anyway. It includes every feature under the sun related to networking. It offers much flexibility, but also a lot of unnecessary stuff that you will never use.
Before upgrading to version 15, I strongly recommend using the Cisco Feature Navigator tool on the cisco.com site in order to verify memory requirements (most important) and also to identify which features are supported.
Here are the release notes for IOS 15.0M and here is the main page for this release.
Cisco Catalyst switches equipped with the Enhanced Multilayer Image (EMI) can work as Layer 3 devices with full routing capabilities. Example switch models that support Layer 3 routing are the 3550, 3750, 3560 etc.
On a Layer3-capable switch, the port interfaces work as Layer 2 access ports by default, but you can also configure them as “Routed Ports” which act as normal router interfaces. That is, you can assign an IP address directly on the routed port. Moreover, you can also configure a Switch Vlan Interface (SVI) with the “interface vlan” command, which acts as a virtual Layer 3 interface on the Layer3 switch.
In this post I will describe a scenario with a Layer3 switch acting as the “Inter Vlan Routing” device together with two Layer2 switches acting as closet access switches. See the diagram below:

Interface Fa0/48 of the Layer3 switch is configured as a Routed Port with IP address 10.0.0.1. Two Vlans are configured on the L3 switch, Vlan10 and Vlan20. For Vlan10 we will create an SVI with IP address 10.10.10.10 and for Vlan20 an SVI with IP address 10.20.20.20. These two IP addresses will be the default gateway addresses for hosts belonging to Vlan10 and Vlan20 on the Layer2 switches respectively. That is, hosts connected on Vlan10 on the closet L2 switches will have as default gateway the IP address 10.10.10.10. Similarly, hosts connected on Vlan20 on the closet switches will have address 10.20.20.20 as their default gateway. Traffic between Vlan10 and Vlan20 will be routed by the L3 Switch (InterVlan Routing). Also, all interfaces connecting the three switches must be configured as Trunk Ports in order to allow Vlan10 and Vlan20 tagged frames to pass between switches. Let’s see a configuration snapshot for all switches below:
Cisco L2 Switch (same configuration for both switches)
! Create VLANs 10 and 20 in the switch database ("exit" returns to global config; "end" would leave it)
Layer2-Switch# configure terminal
Layer2-Switch(config)# vlan 10
Layer2-Switch(config-vlan)# exit
Layer2-Switch(config)# vlan 20
Layer2-Switch(config-vlan)# exit
! Assign Port Fe0/1 in VLAN 10
Layer2-Switch(config)# interface fastethernet0/1
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 10
Layer2-Switch(config-if)# exit
! Assign Port Fe0/2 in VLAN 20
Layer2-Switch(config)# interface fastethernet0/2
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 20
Layer2-Switch(config-if)# exit
! Create Trunk Port Fe0/24 (set the encapsulation before forcing trunk mode;
! dot1q-only platforms such as the 2960 do not have the encapsulation command)
Layer2-Switch(config)# interface fastethernet0/24
Layer2-Switch(config-if)# switchport trunk encapsulation dot1q
Layer2-Switch(config-if)# switchport mode trunk
Layer2-Switch(config-if)# end
Cisco Layer 3 Switch
Layer3-Switch# configure terminal
! Enable Layer 3 routing
Layer3-Switch(config)# ip routing
! Create VLANs 10 and 20 in the switch database
Layer3-Switch(config)# vlan 10
Layer3-Switch(config-vlan)# exit
Layer3-Switch(config)# vlan 20
Layer3-Switch(config-vlan)# exit
! Configure a Routed Port for connecting to the ASA firewall
Layer3-Switch(config)# interface FastEthernet0/48
Layer3-Switch(config-if)# description To Internet Firewall
Layer3-Switch(config-if)# no switchport
Layer3-Switch(config-if)# ip address 10.0.0.1 255.255.255.252
Layer3-Switch(config-if)# exit
! Create Trunk Ports Fe0/47 Fe0/46 (encapsulation first, then trunk mode)
Layer3-Switch(config)# interface fastethernet0/47
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# exit
Layer3-Switch(config)# interface fastethernet0/46
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# exit
! Configure Switch Vlan Interfaces (SVI) - the default gateways for VLAN 10 and 20 hosts
Layer3-Switch(config)# interface vlan10
Layer3-Switch(config-if)# ip address 10.10.10.10 255.255.255.0
Layer3-Switch(config-if)# no shutdown
Layer3-Switch(config-if)# exit
Layer3-Switch(config)# interface vlan20
Layer3-Switch(config-if)# ip address 10.20.20.20 255.255.255.0
Layer3-Switch(config-if)# no shutdown
Layer3-Switch(config-if)# exit
! Configure default route towards ASA firewall (next-hop is on the routed port's /30)
Layer3-Switch(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.2
Layer3-Switch(config)# end
Layer3-Switch# write memory
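As an added example (not from the original post), this Python script parses a Layer3 switch config in the style shown above, checks that every static route's next-hop sits on a directly connected subnet (a default route pointing at 10.0.0.2 only works because Fa0/48 is 10.0.0.1/30), and reports which SVI address a given host must use as its default gateway. The config excerpt is constructed with the post's addresses plus one deliberately broken route.

```python
import re
import ipaddress

# Constructed excerpt in the style of the post's Layer3 switch (same addresses), plus a
# deliberately broken static route so the check has something to flag; not the page's own text.
L3_CONFIG = """\
interface FastEthernet0/48
 no switchport
 ip address 10.0.0.1 255.255.255.252
interface Vlan10
 ip address 10.10.10.10 255.255.255.0
interface Vlan20
 ip address 10.20.20.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.50.0 255.255.255.0 10.0.0.9
"""

def parse_l3(config):
    """Return ({interface name: IPv4Interface}, [(IPv4Network, next-hop address)])."""
    ifaces, routes, current = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            ifaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, ipaddress.IPv4Address(m.group(3))))
    return ifaces, routes

def check_routes(ifaces, routes):
    """Next-hops on no connected subnet; with no other routes present, IOS cannot resolve them."""
    return [f"{net} via {nh}: next-hop not on any connected subnet"
            for net, nh in routes
            if not any(nh in i.network for i in ifaces.values())]

def gateway_for(ifaces, host_ip):
    """SVI address a host must use as default gateway (the post's 10.10.10.10 / 10.20.20.20), or None."""
    host = ipaddress.IPv4Address(host_ip)
    for name, iface in ifaces.items():
        if name.lower().startswith("vlan") and host in iface.network:
            return str(iface.ip)
    return None

if __name__ == "__main__":
    ifaces, routes = parse_l3(L3_CONFIG)
    print(check_routes(ifaces, routes))
    print(gateway_for(ifaces, "10.10.10.55"), gateway_for(ifaces, "10.20.20.7"))
```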