Build a PIX Firewall for your test network
Nov17

Working with GNS3 and PEMU (Part 2). KB ID 0000662. Problem: In Part 1 we installed and licensed our virtual PIX; now we will give it an IP address and get the firewall’s web management console running. To complete this procedure you will need to: 1. Have a TFTP server up and running. 2. Know how to connect to a Cisco firewall. Solution: Step 1 (Add an interface to your host machine). 1. On your host PC/VM...

Cisco Catalyst Switches – Adding Licenses
Nov17

KB ID 0001012. Problem: I had a load of Cisco Catalyst 3560 switches that needed ‘ipbase’ licenses adding to them today. I’ve messed about with plenty of ASA license upgrades before, but not switches. Solution: 1. The first thing you need is a Cisco PAK; this may be in an email or turn up in a cardboard envelope. 2. Go to http://www.cisco.com/go/license and log in (if you don’t already have a Cisco CCO account you...

Cisco AnyConnect – Adding Multiple VPN Devices to the Client
Nov17

KB ID 0001011. Problem: If you connect to a lot of different firewalls, then constantly having to change the address you are going to can be a pain, particularly if some clients don’t have a host name for their device and you can’t remember everyone’s IP addresses. Solution: I do this slightly differently from most other people: I create a connection file for every endpoint I want to go to, because a) I can transfer them...

Cannot Connect to TCP Port 2000 (Even over VPN)
Nov17

KB ID 0000027. Problem: Note: When going through a Cisco firewall, even with all ports open, you cannot connect to an application or website that uses TCP port 2000. TCP port 2000, although above the “well known” range (i.e. above 1024), is used for SCCP (Skinny Client Control Protocol), which is a Cisco voice/phone protocol. If you push web traffic through this port, the firewall gets upset. Solution: Option 1 (Via Command...

BT Business Hub 3 – And Cisco ASA 5500
Nov17

KB ID 0000762. Problem: Warning: If your ASA is running version 8.3(4) or above, you are going to have problems assigning public IP addresses from your allocated BT range (jump to the bottom of the article for a resolution). You have a pool of public IP addresses and you wish to allocate one of these IP addresses to your Cisco ASA firewall. Note: This is for customers using BOTH ADSL and BT Infinity. Solution: For this procedure I was...

AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’
Nov17

KB ID 0000406. Problem: While attempting to connect to a Cisco firewall with a Linux client (in my case Ubuntu 10.10) using AnyConnect, you see the following error (or on Mac OS X): Error: Cisco AnyConnect VPN Client. The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again. Note: You may also see this error on a Mac OS X or a Windows CE machine....

Why Securing Your VPN Solution With Computer Certificates ‘Only’ Is A BAD Idea
Nov17

KB ID 0001055. Problem: After a large AnyConnect 4 roll-out, I had the following conversation with a client. Client: Can we change the way the clients authenticate? Me: Yes, no problem, what do you need? Client: Well, instead of user-based certificate authentication, we want to use computer certificates only. Me: Really, why? Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and...

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES
Nov17

KB ID 0000970. Problem: I’ve covered setting up NDES at length in the past, but what happens when your issued certificates expire? If you are using them for all your VPNs, what then? Well, thankfully you can get your devices to automatically re-enroll before they expire; for example, to renew the cert at 80% of its lifetime you would use the following: crypto pki trustpoint PNL-TRUSTPOINT enrollment url...

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication
Nov17

KB ID 0000688. Problem: Last week I was configuring some 2008 R2 RADIUS authentication for authenticating remote VPN clients to a Cisco ASA firewall. I will say that Kerberos authentication is a LOT easier to configure, so you might want to check that first. Solution: Step 1: Configure the ASA for AAA RADIUS Authentication. 1. Connect to your ASDM > Configuration > Remote Access VPN > AAA Local Users > AAA Server Groups. 2....

Cisco ASA Disable ESMTP Inspection
Nov17

Telnet to Exchange on port 25 shows a row of asterisks? KB ID 0000536. Problem: Yesterday my colleague Ben called me over to the help-desk and asked, “Have you ever seen this before?” This was what was on his screen: 220 *************************************************** Solution: Usually when you Telnet to an Exchange server it gives you a 220 message followed by the “banner” of the Exchange server, a little...
