Cisco ASA – Active / Active Failover
KB ID 0001114 Usually when I’m asked to set up Active/Active I cringe, not because it’s difficult; it’s simply because people assume Active/Active is better than Active/Standby. I hear comments like ‘we have paid for both firewalls, let’s use them’, or ‘I want to sweat both assets’. The only real practical use cases I can think of for Active/Active are: You have a multi-tenancy environment and want to offer...
Cisco IOS – Setting Up DHCP Scopes
KB ID 0001112 I usually only have to do this on very small sites, or occasionally on the test bench. Most of the time we will have a server sat doing DHCP. The procedure below was carried out on a router, but the procedure is the same for a Catalyst switch. By default DHCP is disabled; you have to turn it on, then create a ‘dhcp pool’. Petes-Router(config)#service dhcp Petes-Router(config)#ip dhcp pool DATA-VLAN-10 Then...
Build a PIX Firewall for your test network
Working with GNS3 and PEMU – (Part 2) KB ID 0000662 Problem In Part 1 we installed and licensed our virtual PIX; now we will give it an IP address and get the firewall’s web management console running. To complete this procedure you will need to: 1. Have a TFTP server up and running. 2. Know how to connect to a Cisco firewall. Solution Step 1 (Add an interface to your host machine) 1. On your host PC/VM...
Cisco Catalyst Switches – Adding Licenses
KB ID 0001012 Problem I had a load of Cisco Catalyst 3560 switches that needed ‘ipbase’ licenses adding to them today. I’ve messed about with plenty of ASA license upgrades before, but not switches. Solution 1. The first thing you need is a Cisco PAK; this may be in an email or turn up in a cardboard envelope. 2. Go to http://www.cisco.com/go/license and log in (if you don’t already have a Cisco CCO account you...
Cisco AnyConnect – Adding Multiple VPN Devices to the Client
KB ID 0001011 Problem If you connect to a lot of different firewalls, then constantly having to change the address you are going to can be a pain, particularly if some clients don’t have a host name for their device and you can’t remember everyone’s IP addresses. Solution I do this slightly differently from most other people: I create a connection file for every endpoint I want to go to, because a) I can transfer them...
Cannot Connect to TCP Port 2000 (Even over VPN)
KB ID 0000027 Problem Note: When going through a Cisco firewall, even with all ports open you cannot connect to an application or website that uses TCP port 2000. TCP port 2000, although above the “well-known” range (i.e. above 1024), is used for SCCP (Skinny Client Control Protocol), which is a Cisco voice/phone protocol. If you push web traffic through this port, the firewall gets upset. Solution Option 1 (Via Command...
BT Business Hub 3 – And Cisco ASA 5500
KB ID 0000762 Problem Warning: If your ASA is running version 8.3(4) or above you are going to have problems assigning public IP addresses from your allocated BT range (jump to the bottom of the article for a resolution). You have a pool of public IP addresses and you wish to allocate one of these IP addresses to your Cisco ASA firewall. Note: This is for customers using BOTH ADSL and BT Infinity. Solution For this procedure I was...
AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’
KB ID 0000406 Problem While attempting to connect to a Cisco firewall with a Linux client (in my case Ubuntu 10.10) using AnyConnect, you see the following error, or on Mac OS X: Error: Cisco AnyConnect VPN Client The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again. Note: You may also see this error on a Mac OS X or a Windows CE machine....
Why Securing Your VPN Solution With Computer Certificates ‘Only’ Is A BAD Idea
KB ID 0001055 Problem After a large AnyConnect 4 roll-out, I had the following conversation with a client; Client: Can we change the way the clients authenticate? Me: Yes, no problem, what do you need? Client: Well, instead of user-based certificate authentication, we want to use computer certificates only. Me: Really, why? Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and...
Cisco – Automatic Re-enrollment Fails to MSCEP/NDES
KB ID 0000970 Problem I’ve covered setting up NDES at length in the past, but what happens when your issued certificates expire? If you are using them for all your VPNs, what then? Well, thankfully you can get your devices to automatically re-enroll before they expire; for example, to renew the cert at 80% of its lifetime you would use the following: crypto pki trustpoint PNL-TRUSTPOINT enrollment url...