Cisco ASA – Changing the Outside IP Address
KB ID 0001081 Problem I see this question get asked a lot on forums, most people never touch the firewall, ‘if it’s working leave it alone’. And that’s great until you move offices, or get a newer faster (or cheaper) Internet connection. What if you have lots of public IP addresses? What if you have VPN’s (or AnyConnect clients). What’s the best way to do this with a minimum of downtime? Note: If...
Cisco ASA 5500 – Sub Interfaces and VLANS
KB ID 0001085 Problem You can take the physical interface of a Cisco ASA firewall, (or an ether channel) and split it down into further sub-interfaces. This way you can set multiple VLANs to use this interface as a gateway at the same time whilst still separating the traffic. In this scenario I’m going to have two VLANs, one for my wired clients, and one for a ‘Guest WiFi’ that I’m setting up. I want the guest...
Cisco ASA – Port Forwarding To A Different Port
Port Translation KB ID 0001087 Problem Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code. A very long time ago I wrote an article about how to port forward from a public IP address to multiple servers for RDP. Basically you would connect to the firewall using various different ports, and the firewall would change the port to the correct one for RDP (TCP port 3389, unless you changed it on the...
Cisco AnyConnect Error “The VPN client driver has encountered an error”
KB ID 0000347 Problem I rolled out AnyConnect for a client this week, and saw this error on one of the clients. Error Reads: The VPN client driver has received an error. Solution A quick search of web forums etc, sent me all over the place, the most promising link told me to do the following, Repair This issue is due to Cisco bug ID CSCsm54689 (registered customers only) . In order to resolve this issue, make sure that Routing and...
Cisco ASA5500 Change the AnyConnect Port
KB ID 0000422 Problem AnyConnect runs over TCP port 443 (That’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or internal host then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443. Why you would NOT want to do this. Bear in mind that https is a well known port, and its open in most places for secure...
AnyConnect – “Error Contacting Host”
KB ID 0000555 Problem I was creating some “Bookmarks” on a client’s AnyConnect web portal last week. They were simply CIFS links to shared folders on his servers so he could access them remotely from his Android tablet PC’s. However every time I clicked a link I got this error; Solution A bit of searching later and I found that in the release notes for version 8.0(4) this was a known problem that had been...
Cisco AnyConnect Error – ‘The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address’
KB ID 0000558 Problem Seen when trying to use the AnyConnect client to connect to your Cisco Device. Error: Cisco AnyConnect The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address. Solution Note: Common sense dictates, make sure you actually have internet connectivity first! Essentially this is caused because the AnyConnect client wants to connect to the...
Cisco AnyConnect – Essentials / Premium Licenses. Explained
KB ID 0000628 Problem Note: With Anyconnect 4 Cisco now use Plus and Apex AnyConnect licensing. When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials. Solution Cisco ASA AnyConnect Premium Licenses. You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client...
Cisco ASA – Configuring for NTP
KB ID 0000608 Problem With NTP, there will be two things you want to do, 1) Allow a device behind the ASA to take its time from a public NTP server, and 2) Set the ASA to take its system time from a public NTP sever (for accurate date stanps on the logs, and for time critical things like Kerberos authentication.) Solution Allow internal host(s) to get system time though the firewall. 1. Connect to the ASA, go to “enable...
Cisco AnyConnect – Untrusted VPN Server Blocked!
KB ID 0000651 Problem The newest versions of the AnyConnect client now show you the following; If you are seeing this you’re using the (default) self signed certificate, or you connected to an IP address rather than the FQDN. But unlike before, you can now ‘lower’ the security so it does not warn you every time. Solution 1. From the warning screen (shown above) select ‘Change Settings…’. 2. Untick...