Testing AnyConnect With Packet Tracer
Apr05

KB ID 0001298 Problem Packet tracer is a great tool, I wrote about it in the ‘Prove It’s Not the Firewall’ article a while ago. A couple of months ago I was having a discussion with a colleague about packet tracing a remote VPN client to check connectivity, he said at the time, “It will behave differently if the IP you use is already connected”. I never really thought about it until today, when I was...

AnyConnect – “Connection attempt has failed due to server communication errors”
Jan31

KB ID 0001279 Problem We had a firewall fail at work this week; as part of the rebuild the latest OS was put on it, version 9.7(1). I thought no more about it until I tried to VPN in and got this. I used my Windows 10 VM and that connected fine, only my MacBook could not connect. This VPN tunnel is a big deal, I need it to get onto client’s networks. I tried my other VPN connections and every one was fine, only the recently...

Cisco AnyConnect – Allow Domain Password Change via LDAP
Jan14

KB ID 0001273 Problem If you have remote users who connect via VPN, and a policy that forces them to change their password periodically, this can result in them getting locked out without the ability to change their password (externally). If your Cisco ASA is using LDAP to authenticate your users, then you can use your remote AnyConnect VPN solution to let them reset their passwords remotely. Solution Standard LDAP runs over TCP...

Cisco – LDAP AAA Error ‘AAA Server has been removed’
Jan11

KB ID 0001271 Problem Seen while attempting to test AAA authentication via LDAP to a Windows Domain Controller. Authentication test to host {IP-Address} failed. Following error occurred – ERROR: Authentication Server not responding: AAA Server has been removed Solution This is a terribly ambiguous error! What it means is that the ASA cannot bind to Active Directory, either because: The ASA bind account password is wrong. The...

Deploy Cisco FirePOWER Management Center (Appliance)
Nov30

KB ID 0001263 Problem You have been able to manage your firewall’s internal SFR module for a while using the ASDM: Setup FirePOWER Services (for ASDM). For most people that’s fine, but if you have a lot of FirePOWER devices to manage that does not scale well. In those cases you should use the FMC (FirePOWER Management Center). Here I’m going to use the VMware virtual appliance (at time of writing there is no Hyper-V version)....

Cisco ASA – Remote IPSEC VPN With the NCP Entry Client
Nov23

KB ID 0001260 Problem I’ve covered Cisco IPSEC Remote VPNs a long time ago, and I’ve also blogged about the Cisco IPSEC VPN Client Software. Yes, you can get the Cisco VPN Client working on Windows 10, but can you imagine rolling that out to a few hundred users? The bottom line is Remote Cisco IPSEC VPN is a dead technology; Cisco (and me!) want you to use AnyConnect. For a couple of users you can use the workarounds...

Cisco SFR Session – Cannot Exit To Command Line
Nov22

KB ID 0001259 Problem This tripped me up once before, and I didn’t document it! Normally if you have a console session open with your FirePOWER Module (that you opened with a ‘session sfr’ command), then you can just quit and exit back to the firewall by typing ‘exit’, like so: ciscoasa# session sfr Opening command session with module sfr. Connected to module sfr. Escape character sequence is...

Cisco AnyConnect – With Google Authenticator 2 Factor Authentication
Nov10

KB ID 0001256 Problem This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said, yes this is possible, and you deploy it with FreeRADIUS and it works great. The problem was, a lot of the information is a little out of date, and some of it is ‘wrong enough’ to make the non-technical types give up. But I persevered, and got it to work. Disclaimer:...

Meraki To Cisco ASA 5500 Site to Site VPN
Nov08

KB ID 0001255 Problem This was surprisingly easier than I was expecting! Special thanks to Steve for letting me loose on his test network for the Meraki end of the tunnel. Here I’m using an MX 64 Security appliance and a Cisco ASA 5510. Note: The Meraki device will need a static IP. Solution Configuring Meraki MX Device for VPN to a Cisco ASA From your Meraki dashboard > Security Appliance > Site To Site VPN. If you...

Cisco ASA – Adding New Networks to Existing VPNs
Sep20

KB ID 0001240 Problem Note: To add new subnets to an AnyConnect Remote Access VPN, see the following article instead: Cisco ASA – Adding New Networks to AnyConnect VPNs. I see this get asked in forums A LOT, so I thought I’d get around to getting it written up. If you have an existing VPN to a remote site and then need to add another network, how do you do it? Well, that depends on where the new network is, and how it’s...
