Testing AnyConnect With Packet Tracer
Apr 05

KB ID 0001298

Problem

Packet tracer is a great tool; I wrote about it in the ‘Prove It’s Not the Firewall’ article a while ago. A couple of months ago I was having a discussion with a colleague about packet tracing a remote VPN client to check connectivity. He said at the time, “It will behave differently if the IP you use is already connected”. I never really thought about it until today, when I was...

Cisco ASA – Packet Tracer Fails VPN:Encrypt:Drop
May 31

KB ID 0001198

Problem

Sometimes when troubleshooting VPN traffic, you may choose to use the ‘packet-tracer’ command to simulate interesting traffic. I did this today and got:

Phase: {number}
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule

I replicated the error on the test bench.

Solution

Below is the full packet trace;...

Tracking Affiliate Advertising Clicks in Google Analytics
Nov 17

KB ID 0000632

Problem

Google Analytics is great at telling you what’s coming into your site, but it’s not designed to tell you what’s going out. For the most part that’s OK, but what if you have affiliate adverts and you want to track whether your visitors are clicking on them, or you want to find out which ones are NOT getting clicked on so you can drop them?

Solution

1. First you need to delay the result of the...

Cisco Router – CBAC and Zone Based Firewall Setup
Nov 17

KB ID 0000937

Problem

IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either (providing you are running the correct IOS or, in the case of version 15 and upwards, have added the correct license, ‘securityK9’). For older IOS versions, you usually want the advipservices version of the IOS.

Solution

Run the following command to see if you have the correct license installed....

Cisco ISE – Basic 802.1x With Windows Part Two – Configuring 802.1x Policies
Nov 17

KB ID 0001075 D

Problem

Back in Part One, we joined Cisco ISE to Active Directory; now we will take the built-in ISE policies and change them. This will allow our clients to authenticate with the correct protocols.

Solution

1. By default ISE will use pretty much any available protocol. We are going to use PEAP, although I’m also going to allow EAP-TLS (it’s more secure and if I start rolling out certificates I’ve...
