FMC – AMP Malware Inspection
Feb15

KB ID 0001159  Problem If you take a look in your SourceFire dashboard, and there is no data shown on the malware threat section like so; Solution The message is pretty descriptive, and it’s telling you exactly what you need to do. Now I’m making the assumption that you have added a valid AMP / Malware licence like so; Policies > Access Control > Edit your access control policy > Then Edit the file policy. Add in...

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)
Feb09

KB ID 0001156  Problem Carrying on from PART 1 Solution Add  > Create Before. Edit the Policy Give the policy set a name and description > Create a new condition. Set Description to Device Type. Equals > All Device Types (The Device Group You Created Above). Add attribute value. Set Description to RADIUS. NAS-Port-Type-[61]. Equals  > Virtual. Edit the Authentication Policy. Change the identity source to the identity...


AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)

KB ID 0001155 Problem To be honest it’s probably a LOT easier to do this with Dynamic Access Policies, but hey, if you have ISE then why not use it for RADIUS, and let it deploy downloadable ACLs to your remote clients and give them different levels of access, based on their group membership. I’m going to keep things simple, I will have a group for admins that can access anything, and a group for users that can only...

Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups
Feb03

KB ID 0001152 Problem When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loathe change I swapped to using Kerberos VPN Authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group “VPN-Users”, so I thought I...

Using OSPF over DMVPN
Feb03

KB ID 0001151 Dtd 03/02/16 Problem This article is a supplement to the earlier one on Setting Up DMVPN. It covers how to use OSPF over the top of DMVPN. This is the topology I’m going to use; As I’ve said (above) this is not a run through on setting up DMVPN, but if you want to spin it up in GNS3, or on the test bench, here’s the DMVPN config; Hub Site configure terminal interface Tunnel10 ip address 192.168.254.1...

Cisco ASDM and Windows 10
Feb01

KB ID 0001150 Problem Most of the time I’m on my Mac for work, but sometimes when the ASDM fails, I switch to a Windows VM (in VMware Fusion). I recently upgraded to Windows 10, and for the most part that’s been a painless process. I did notice though, that when I try to run the ASDM, it will let me install the software, then sit there doing nothing? Note: Also see, ASDM on Windows 10: ‘Cannot find Javaw.exe?’...

Route Summarisation with EIGRP
Jan31

KB ID 0001149 Problem I’ve already written a post that lets you calculate a route summarisation. So now you have a method of advertising your routes more efficiently, what do you do with it? Well I’m at the EIGRP point in my studies so here’s how to implement it with EIGRP. To demonstrate I’ve built the above network on GNS3, there is a loopback interface on the routers for each of those networks. Solution...

Network Summarisation – Exam Technique and Examples
Jan20

KB ID 0001138  Problem Note: Yes I’m spelling Summarisation with an ’S’ I’m English. Most examples I’ve seen on this give you a bunch of subnets then ask you to come up with a summary route for all of them, (that’s kind of the point of route summarisation, I’ll grant you). However in an exam with a laminated board and the dodgy permanent pen they give you to make notes with, are you seriously expected to...

Cisco ASA – Reverse Route Injection with EIGRP
Jan19

KB ID 0001137  Problem I’ve followed your Reverse Route Injection article and it’s not working? This email dropped in my mailbox a while back. As it turns out the article I had written was for OSPF, and this chap was using EIGRP. So I ran it up with EIGRP as well to test. Here’s my topology, I want to inject the route for the remote site into my internal EIGRP routing table. Solution Assuming EIGRP is already set up between the ASA...

Cisco IOS – “configuration not allowed when device is not the primary server for vlan database.”
Jan11

KB ID 0001127  Problem I was trying to delete a VLAN from a client switch, and this was happening; Core-3560#conf t Enter configuration commands, one per line. End with CNTL/Z. Core-3560(config)#no vlan 30 VTP VLAN configuration not allowed when device is not the primary server for vlan database. Solution Now as far as I was aware there was only one switch, (certainly on this LAN segment anyway). What you need to do is change the VTP...
