Finding a satisfying answer.

Posted December 23rd, 2008 by bcarroll and filed in CCIE General

Over the past few days of labbing I noticed that it is sometimes hard to find a satisfying answer. Depending on the lab I’m working on, I figure there are a few options:

-The vendor forums.
-Groupstudy.
-Facebook and Facebook groups.
-Linkedin groups.
-Twitter.
-Blog about it and hope for comments.

If I missed any, let me know.

My question is this: What has proven to be the best means of support for you? Why?

VPN3k CLI only

Posted December 18th, 2008 by bcarroll and filed in CCIE Security, IE Labs, Studies In VPN

It is possible to configure an L2L (LAN-to-LAN) session on a VPN3k using the CLI only. The configuration is completely different. Here is a summary of it:

  1. Create a Security Association (SA).
  2. Create inbound and outbound rules for the hosts to be encrypted.
  3. Apply the rules to the public filter with the action “Apply IPSec” and attach the Security Association.
  4. Create a group with the preshared key.
  5. Set the group type to L2L.

It looks like a short list, but jumping around in the CLI menus makes it tough.

TIP:

When you are looking at the public filter, you want to see the IPSec rules applied with the Security Association attached.
(Picture 1: screenshot of the public filter showing the IPSec rules with the SA attached)

New TWTV: Switching Secrets LIVE today at 10 AM PST

Posted December 18th, 2008 by bcarroll and filed in News

There is a new TechwiseTV show today at 10 AM. You can check out the embedded intro to the show from Robb Boyd. It looks to be pretty interesting!

Check out the TWTV Blog as well!

Year End- time to snag some training!

Posted December 16th, 2008 by bcarroll and filed in CCNA Corner, CCNP Study, CCSP Study, General Information, General Training

For those of you not familiar with learning credits, you may be missing out on training. Check out this page over at Cisco.com that details the program, then go see if you have any that are about to expire. Contact Ascolta (Cisco Learning Partner of the Year 2007) and register for the class you want using the learning credits you already have. Don’t miss out: they expire after a year!


You may be interested in these courses in Bellevue, WA. Odds are I’ll be teaching them if they are a Security, Wireless, or Routing and Switching class.

Per-Flow Policing on ASA VPN

Posted December 16th, 2008 by bcarroll and filed in CCIE Security, IE Labs, SNAF, SNPA

Tonight I worked on ASA per-flow policing. The configuration is fairly straightforward. After verifying that the VPN works, create a class-map that matches the tunnel-group and the flow destination address, so that each destination IP inside the tunnel-group is policed as its own flow, like so:

class-map vpn_data
match flow ip destination-address
match tunnel-group ezvpn

Next, create the policy-map that polices based on the class we just created:

policy-map outside
class vpn_voice
priority
class vpn_data
police output 256000
class class-default
police output 2000000

Finally, apply it to the interface:

service-policy outside interface outside

So while that is pretty simple, I did come across a gotcha. In the IE lab workbook volume 1 it has you create a class-map for vpn_voice that matches dscp ef and the same tunnel-group, and then apply priority queuing to that class. This is where it can cause problems: when you apply the policy-map to the interface with the priority command configured for a class, it gives you a really nice error:

asa1(config-pmap-c)# service-policy outside int outside
ERROR: Class vpn_voice has 'priority' set
without 'priority-queue' in any interface

A quick show service-policy confirms that the interface policy was not actually applied; only the global policy is listed:

asa1(config)# sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0

So watch out!

TIP:

If you are telling a class that it should priority-queue packets, you also need to enable the priority queue on the interface the policy is applied to:

asa1(config-if)# priority-queue outside
asa1(config-priority-queue)#
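As an added example (my code, not from the post and not anything from Cisco), here is a small Python lint that catches the gotcha before the ASA does: it reads a config, collects every policy-map class that carries priority, follows the service-policy ... interface binding, and reports classes whose interface has no priority-queue block. The sample config is constructed from the post's class-map and policy-map plus the vpn_voice class-map the workbook step describes; the class names, the ezvpn tunnel-group and the outside interface come from the post, while the parser's list of top-level commands is my own shortcut rather than the full ASA grammar. The check is deliberately stricter than the ASA's error text, which only asks for priority-queue on some interface: it requires the queue on the interface the policy is bound to, which is what the TIP configures anyway.

```python
"""Added example (not from the post, not Cisco code): lint an ASA config for
the gotcha above, a policy-map class with 'priority' bound to an interface
that has no 'priority-queue <ifname>' block.  It string-parses only the MQC
commands shown on the page; nothing here talks to a device."""
from collections import defaultdict

# Top-level config commands that end a policy-map context.  Hand-picked for
# the sample below (an assumption), not a complete ASA command list.
_TOP_LEVEL = {"class-map", "policy-map", "interface", "service-policy",
              "priority-queue", "access-list", "tunnel-group", "group-policy"}


def parse_asa(config):
    """Return (priority_classes, bindings, pq_ifaces) for an ASA config string.

    priority_classes: {policy-map name: set of class names carrying 'priority'}
    bindings:         [(policy-map name, interface name)] from lines of the
                      form 'service-policy <pmap> interface <ifname>'
    pq_ifaces:        set of interface names that have a 'priority-queue' block
    Leading whitespace is ignored, so 'show run' output and typed config
    (as on the page) both parse.
    """
    priority_classes = defaultdict(set)
    bindings = []
    pq_ifaces = set()
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] in _TOP_LEVEL:
            pmap = cls = None            # any top-level command leaves the policy-map
        if tokens[0] == "policy-map" and len(tokens) == 2:
            pmap = tokens[1]             # 'policy-map type inspect ...' is skipped
        elif tokens[0] == "service-policy" and len(tokens) == 4 and tokens[2] == "interface":
            bindings.append((tokens[1], tokens[3]))
        elif tokens[0] == "priority-queue" and len(tokens) == 2:
            pq_ifaces.add(tokens[1])
        elif pmap and tokens[0] == "class" and len(tokens) == 2:
            cls = tokens[1]
        elif pmap and cls and line == "priority":
            priority_classes[pmap].add(cls)
    return dict(priority_classes), bindings, pq_ifaces


def missing_priority_queue(config):
    """Return [(interface, policy-map, class)] for every 'priority' class whose
    policy-map is bound to an interface that lacks 'priority-queue <interface>'.
    An empty list means the config passes this check."""
    prio, bindings, pq_ifaces = parse_asa(config)
    problems = []
    for pmap, iface in bindings:
        if iface in pq_ifaces:
            continue
        for cls in sorted(prio.get(pmap, ())):
            problems.append((iface, pmap, cls))
    return problems


# Constructed sample: the page's class-map and policy-map, plus the vpn_voice
# class-map the workbook step describes (match dscp ef + the same tunnel-group),
# bound to 'outside' without a priority-queue.  The ASA rejects this.
BROKEN_CONFIG = """
class-map vpn_voice
 match dscp ef
 match tunnel-group ezvpn
class-map vpn_data
 match flow ip destination-address
 match tunnel-group ezvpn
policy-map outside
 class vpn_voice
  priority
 class vpn_data
  police output 256000
 class class-default
  police output 2000000
service-policy outside interface outside
"""

# The fix from the TIP: enable the priority queue on the interface.
FIXED_CONFIG = BROKEN_CONFIG + "priority-queue outside\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, missing_priority_queue(cfg) or "ok")
```

Running it reports the vpn_voice class on the outside interface for the broken config and nothing for the fixed one. The same parser can be pointed at a saved show running-config before a change window, which is cheaper than discovering the rejected service-policy after the fact.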

IPexpert CCIE Security Lab 1

Posted December 13th, 2008 by bcarroll and filed in CCIE Security, IPExpert Labs

Not a bad lab night.  I only did 2 sections of lab 1, so I am going to continue this post later.  The one thing that was good to be reminded of has to do with Reflexive ACLs.

TIP:

When testing Reflexive ACLs, the /source-interface option (for example on telnet) does not cause the ACL to be evaluated, because traffic originated by the router itself is not subject to the outbound ACL that creates the reflexive entries. To test, generate the traffic from a different device.

I’ll continue to work through IPexpert’s lab guide. The last time I went through this lab was 4/15/07. I guess it was due.

More later.  :)

IE ASA and SSL VPN woes

Posted December 10th, 2008 by bcarroll and filed in IE Labs

Has anyone done IE volume 1 page 532? It’s the ASA SSL VPN with the SVC. I have used sslclient-win-1.0.0.179.pkg, sslclient-win-1.0.2.127.pkg, and sslclient-win-1.1.3.173.pkg and each of them fails. Using 1.0.0.179 the browser dies when it tries to download. Using the other two I just get an error pop-up that it failed. See the image below. Any ideas why? Is it a browser setting? Is it something with a Windows update? It’s really getting on my nerves. I’ve used scrack1 and now scrack6.
(Picture 17.jpg and Picture 23.jpg: screenshots of the SVC download failure)

Anyhow, I guess everyone knows what I am working on right now. I can tell you this: the AnyConnect client works much better!

Group-Lock when there is no Group

Posted December 9th, 2008 by bcarroll and filed in CCIE Security

Examine the output below:

asa(config-username)# group-lock value WEBVPN
WARNING: tunnel-group  does not exist
asa(config-username)# sh run username
username CISCO password FFTdXxgak9zQNzNG encrypted
username CISCO attributes
 group-lock value WEBVPN

Notice that a warning is given when a user is locked into a group that doesn’t exist. Although you receive the warning, the command is still applied. Since group-lock restricts the user to that one tunnel-group, locking a user to a nonexistent group effectively denies that user’s VPN logins until the group is created or the lock is removed.

ASA tid-bit using the question mark

Posted December 8th, 2008 by bcarroll and filed in CCIE Security

No idea how I overlooked this before but I used the question mark on the ASA this evening. Here is my output:

asa(config-group-webvpn)# filter ?

config-group-webvpn mode commands/options:
  none   Specify that no webtype access-list will be used
  value  Specify a valid webtype ACL name

configure mode commands/options:
  activex  ActiveX filtering
  ftp      FTP filtering
  https    HTTPS filtering
  java     Java filtering
  url      HTTP filtering

Notice that I was given help for the mode I was in (config-group-webvpn mode commands/options) as well as for configure mode commands/options. Very interesting!

CCNA Wireless Exam Certification Guide Review by Packetlife.net

Posted December 8th, 2008 by bcarroll and filed in News, Reading List

Just a pointer this morning to a review of my recent book, CCNA Wireless ECG, over at Packetlife.net. Nice write-up, Stretch! I appreciate honest reviews as well as the note about following the illustration numbers carefully. With so many screen-shots and images in the book it is easy to get lost.

If you want to pick up a copy of my book, you can find it at Amazon.com or get it directly from InformIT (Pearson Education).