Cisco FirePOWER Management Center Appliance – Allowing Domain Authentication
KB ID 0001117 Problem Once deployed, authentication is handled by the appliances own internal user database, in larger organisations this is a little impractical. So the ability to create an Active Directory Group, and delegate access to Firesight to members of that group is a little more versatile. Solution I’m making the assumption that the appliance does not already have external authentication setup at all, so I’ll...
Cisco ASA – Gernerate RSA Keypair From ASDM
KB ID 0001322 Problem I’ve lost count of the number of times this has happened to me! Most of my colleagues prefer to use the ASDM for remote management, but if (like me) you work at command line, then sometimes people <ahem> forget to generate the RSA keypair when deploying a firewall. Then even if SSH access and AAA is setup correctly, you still can’t get in via SSH. Instead you see the following; RoyalTS and...
Updating the AnyConnect client for Deployment from the Cisco ASA 5500
KB ID 0000704 Problem Your ASA will (by default) update your AnyConnect clients to the latest client software when they connect. However you need to supply the ASA with the updated packages first. Solution 1. Download the latest AnyConnect client package, from Cisco. The one you want will have a file extension of .pkg AnyConnect 4 AnyConnect 3 2. Connect to the ASDM > Configuration > Remote Access VPN > Network (Client)...
Cisco ASA: ‘ERROR: Multiple Peers can be specified only with originate-only connections’
KB ID 0001316 Problem This week I had a client who had a head office and three satellite sites. They had old firewalls (a 5510 and 5505’s), and my firm had installed FTTC circuits, into the sites for them. My job was to reconfigure the firewalls and the site to site VPN tunnels (each site had a tunnel to the other sites), then disconnect their old ADSL connections, change the firewalls public IP, then connect to the shiny new...
Cisco – Joining Layer 2 Networks Over Layer 3 Networks
KB ID 0001313 Problem It’s a common problem, you want to connect one site to another and still have them on the same layer 2 network. As you can see above both the routers at the bottom are in the 172.16.1.0/24 network, let’s assume they are clients in the same layer 2 network how would you connect them? Solution Option 1: xconnect over L2TP All the ‘heavy lifting’ is done on the SiteA and SiteB routers. We...
Testing AnyConnect With Packet Tracer
KB ID 0001298 Problem Packet tracer is a great tool, I wrote about it in the ‘Prove It’s Not the Firewall’ article a while ago. A couple of months ago I was having a discussion with a colleague about packet tracing a remote VPN client to check connectivity, he said at the time, “It will behave differently if the IP you use is already connected”. I never really thought about it until today, when I was...
Cisco IOS – Enabling LLDP
KB ID 0001289 Problem If you’re running Cisco IOS on all you devices then you can use CDP to see what’s directly connected, (unless you are on a Cisco firewall, but I did say IOS devices). Petes-Switch#show cdp neighbors Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone, D – Remote, C...
Cisco FirePOWER is Blocking an Application
KB ID 0001286 Problem A few weeks ago I installed a 5525-X firewall for a client, and set it up as follows; ASA Setup FirePOWER Services (for ASDM) And all was well, then a week later I got an email… One of our teachers is doing a project with MATHS and ICT involving bitcoin. Basically, he has something called BITCOIN CORE WALLET installed and it used to work with the old Firewall. I’ve installed it on my work laptop and taken...
AnyConnect – “Connection attempt has failed due to server communication errors’
KB ID 0001279 Problem We had a firewall fail at work this week, as part of the rebuild the latest OS was put on it, version 9.7(1). I thought no more about it until I tried to VPN in and got this; I used my Windows 10 VM and that connected fine, only my MacBook could not connect, this VPN tunnel is a big deal I need it to get onto client’s networks. I tried my other VPN connections and every one was fine, only the recently...
Cisco AnyConnect – Allow Domain Password Change via LDAP
KB ID 0001273 Problem If you have remote users who connect via VPN, and a policy that forces them to change their password periodically, this can result in them getting locked out without the ability to change their password (externally). If your Cisco ASA is using LDAP to authenticate your users, then you can use your remote AnyConnect VPN solution to let them reset their passwords remotely. Solution Standard LDAP runs over TCP...