Tuesday, December 21, 2010

Configure remote access VPN with AD authentication

I created a step-by-step SlideShare presentation of configuring a Cisco ASA remote access VPN with Active Directory authentication on a Windows 2003 server.

Using a Windows 2008 server is a little bit different. For example, IAS has been replaced with Network Policy and Access Service.

I have screenshots for a Windows 2008 installation; when I get some time, I'll post them in a SlideShare presentation.

Wednesday, July 7, 2010

I went to Vegas, and all I got was a bunch of t-shirts and a compromised identity.

It was a hectic week in Las Vegas. Sessions and social events from sun up to sun up.

I'll post pictures and videos, shortly. But, I think my identity was compromised!

This evening, I received the following email.

It will be interesting to see if more details surface - to learn what vendor discovered this, how the data was compromised, and what ultimately will be done with the data.

Hopefully, what happens in Vegas, stays in Vegas. No - I doubt it!

Wednesday, June 2, 2010

Implementing Cisco Storage Networking Solutions

After a week of long days, between lecture and labs, I have learned a lot about SAN networking. The chasm between regular route/switch networking and SAN networking isn't that great. But, the terminology is different.

It's like learning a different language. After training your ear to hear the new language, you start to see similarities.

The primary things to remember are that most SANs are layer 2, you cannot allow a packet to be dropped, and you should always secure the connection between the initiator and the target. The rest is biscuits and gravy.

The major difference between the Cisco MDS family of switches and any competitor is that Cisco is the only one that uses VSANs. Everybody else requires separate fabric switches to partition traffic.

I will be studying for this test and, hopefully, passing it in a couple of weeks.

Thursday, May 20, 2010

Cisco Data Center Application Services Implementation

On Monday, I passed the DCASI test. The only thing I can really say is that I shouldn't wait so long to take the test, after completing the class. It makes it a little more stressful. But, hey, I passed, so who cares.

For the company I work for, this means that we are a single test away from achieving our Data Center Networking Specialization.

Next week, I switch gears into Cisco storage networking by taking the Implementing Cisco Storage Networking Solutions class.

Once this test is passed, it will again mean we are a single test away from achieving our Data Center Storage Specialization.

I will need to take the test quickly after taking the class, because I need to prepare for the CND test.

I will be taking this test at Cisco Live, at the end of June.

It's been a busy first half of the year for me. But, if everything goes as planned, I will have managed to reach my goals of obtaining these two specializations for the company.


Wednesday, April 14, 2010

Getting Geared Up for Cisco Live 2010

[Image: Racks of telecommunications equipment in part ...]

It's been really busy. I've been focused on sales related activities, and not too much on technical thinking. Once things slow down a little bit, I'm planning on experimenting with ASA Zone Based Firewall configuration. Once I do, I'm sure I'll have something to post.

The Cisco Live Scheduler was opened, yesterday evening. And, I was able to take a stab at what I would like to attend. As you would expect, there are several sessions on Cloud Computing. Let the fun and games begin.

Sunday - 4:00 - 7:00 - Cisco Collaboration Welcome Session & Reception
Monday - 8:00 - 5:00 - Enterprise Network Virtualization
Tuesday - 8:00 - 9:30 - Overlay Transport Virtualization
Tuesday - 10:00 - 11:30 - Keynote and Welcome Address
Tuesday - 12:30 - 2:30 - Security and Virtualization in the Data Center
Tuesday - 2:45 - 3:45 - The Impact of Mass Virtualization on Network Management
Tuesday - 4:00 - 6:00 - DC Architectures and Virtual Private Data Centers with UCS
Wednesday - 8:00 - 10:00 - UCS Networking 201- Deep Dive
Wednesday - 10:30 - 11:30 - Cisco Technology Keynote
Wednesday - 12:30 - 2:30 - Cloud Computing Services Frameworks
Wednesday - 2:45 - 3:45 - The Borderless Enterprise: Driving Innovation from the Core
Wednesday - 4:00 - 6:00 - Design and Deployments of Data center Interconnects using Advanced VPLS
Thursday - 8:00 - 10:00 - Cisco NXOS Software - Architecture
Thursday - 12:00 - 2:00 - Security Challenges of the Virtual Datacenter
Thursday - 2:30 - 4:30 - Near Zero Down Time Architecture Strategies and Technologies for "Always On"...

Somewhere, in this schedule, I will have to find time to take a Cisco test.

Now, on to my day of marathon meetings.


Tuesday, February 16, 2010

Changing the ASDM Port on a Cisco ASA

I very rarely ever use the Cisco GUI ASDM configuration tool. I've been a CLI guy my whole career. There's just something not right about being a Cisco guy, and using the GUI. Almost, always!

Yes, there are some exceptions. For instance, when you want to run the packet tracer utility. You can do it in the CLI, but I wouldn't recommend it. It's way too complicated, and who has time to figure out the hard way, when there's an easy way?

It's also very nice to use ASDM to monitor used system resources on the ASA.

But, what if you have already mapped a static connection using tcp/443 to your outside interface?

In this case, the default ASDM configuration will not work, because the static command will take precedence over the ASDM configuration. So, the default ASDM port will need to be changed from tcp/443 to something else.

You can accomplish this by using the following command:
hostname(config)# http server enable [port]
For instance, to change the ASDM port to tcp/444, use the following statement:
hostname(config)# http server enable 444
Now you will be able to open a web browser and point it to your ASA's external IP address, using port 444. How? Well, let's say your ASA's IP address is You can get to the ASDM by pointing your web browser to:

That will get you where you want to be.

Thursday, February 11, 2010

See you at Cisco Live!

I'll be there. It's in Las Vegas, again. But, that's okay. I think the best Cisco Live conferences are held in Vegas. Not because of the 'nite life', or other adult indiscretions (on which I have no desire to waste my time). But, because Vegas knows how to accommodate 20,000 socially inept network engineers. There's enough space at the conference centers to allow for the bulky backpacks and the buffet tables.

Now to wait for the scheduler to open, so I can be involved in the geeky equivalent of Black Friday.

What do you look forward to at Cisco Live?

Tuesday, February 2, 2010

Changing TCP Port for Remote Access VPN Connections

[Image: Firewalls of the Mind, by beedieu via Flickr]

Has it really been almost two months since I've written a blog post? Wow.

I recently experienced an issue with a customer that could not establish a remote access VPN connection to their Cisco ASA from a hotel. The hotel was blocking the standard UDP port (500), and would not allow the alternate TCP/10000 port to establish the connection.

Fortunately, this is not the first time I, or Cisco, have experienced this issue.

Using IPSec over TCP, we can control the port on the firewall that will respond to the remote access requests. When the tunnel is established, both VPN devices (Cisco ASA and the VPN client) pass traffic using the same connection.

To change the TCP port that the client will use to connect to the ASA, use the 'isakmp ipsec-over-tcp port' command. The Cisco ASA allows up to ten TCP ports to be used for this feature. So, you can keep the default TCP/10000 and add TCP/80, by entering the following command:
crypto isakmp ipsec-over-tcp port 80 10000
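Both this post and the February 16 post about the ASDM port come down to the same question: which TCP ports on the outside interface does the ASA itself already answer on, and does a new static mapping, ASDM port or IPsec-over-TCP port step on one of them? The following checker is an added example, not code from this blog or from Cisco. It parses three command families from an ASA 8.2-style configuration (static ... tcp interface ..., http server enable [port], and [crypto] isakmp ipsec-over-tcp [port ...]) and reports any outside TCP port claimed by more than one feature. The sample configuration, the PORT_NAMES table and the function names tcp_listeners and conflicts are all assumptions constructed for the example.

```python
"""Added example (not from the blog or from Cisco): find outside-interface TCP ports that
more than one ASA feature wants to answer on. Parses three command families from an
ASA 8.2-style configuration: 'static ... tcp interface ...', 'http server enable [port]'
and '[crypto] isakmp ipsec-over-tcp [port ...]'. All names and sample config are
assumptions constructed for this example."""
import re
from collections import defaultdict

# Subset of the service names the ASA accepts in place of a port number (constructed).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80, "https": 443}

DEFAULT_ASDM_PORT = 443          # default for 'http server enable' with no port given
DEFAULT_IPSEC_TCP_PORT = 10000   # default for 'isakmp ipsec-over-tcp' with no port list
MAX_IPSEC_TCP_PORTS = 10         # the ASA accepts at most ten ports on that command

# Only 'static ... tcp interface <port> ...' competes with the ASA's own listeners,
# because it borrows the outside interface's own address.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+tcp\s+interface\s+(?P<mport>\S+)\s+\S+\s+\S+")
HTTP_RE = re.compile(r"^http server enable(?:\s+(?P<port>\d+))?$")
IOT_RE = re.compile(r"^(?:crypto\s+)?isakmp ipsec-over-tcp(?:\s+port(?P<ports>(?:\s+\d+)+))?$")


def port_number(token):
    """Turn '443' or 'https' into an int, rejecting unknown names and out-of-range values."""
    if token.isdigit():
        port = int(token)
    else:
        port = PORT_NAMES.get(token.lower())
        if port is None:
            raise ValueError(f"unknown service name: {token}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def tcp_listeners(config_text):
    """Map each outside TCP port to the list of features claiming it."""
    listeners = defaultdict(list)
    asdm_port = None
    ipsec_ports = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            if m.group("mapped") == "outside":
                listeners[port_number(m.group("mport"))].append(f"static NAT: {line}")
            continue
        m = HTTP_RE.match(line)
        if m:
            asdm_port = int(m.group("port")) if m.group("port") else DEFAULT_ASDM_PORT
            continue
        m = IOT_RE.match(line)
        if m:
            tokens = m.group("ports").split() if m.group("ports") else []
            ipsec_ports = [port_number(t) for t in tokens] or [DEFAULT_IPSEC_TCP_PORT]
    if asdm_port is not None:
        listeners[port_number(str(asdm_port))].append("ASDM: http server enable")
    if ipsec_ports is not None:
        if len(ipsec_ports) > MAX_IPSEC_TCP_PORTS:
            raise ValueError(f"isakmp ipsec-over-tcp accepts at most {MAX_IPSEC_TCP_PORTS} ports")
        for port in ipsec_ports:
            listeners[port].append("remote access VPN: isakmp ipsec-over-tcp")
    return dict(listeners)


def conflicts(config_text):
    """Ports on which two or more features collide; only one of them can actually answer."""
    return {p: owners for p, owners in tcp_listeners(config_text).items() if len(owners) > 1}


# Constructed configuration fragments (not from any real device).
CONSTRUCTED_CONFIG = """\
static (inside,outside) tcp interface https 10.1.1.20 https netmask 255.255.255.255
http server enable
http 0.0.0.0 0.0.0.0 outside
crypto isakmp ipsec-over-tcp port 80 10000
"""
# Same configuration after moving ASDM off tcp/443, as the February 16 post describes.
FIXED_CONFIG = CONSTRUCTED_CONFIG.replace("http server enable\n", "http server enable 444\n")

if __name__ == "__main__":
    for name, cfg in (("before", CONSTRUCTED_CONFIG), ("after", FIXED_CONFIG)):
        print(name, conflicts(cfg) or "no conflicts")
```

On the constructed "before" configuration the checker reports tcp/443 claimed by both the static mapping and ASDM; after http server enable 444 it reports nothing, and the IPsec-over-TCP ports 80 and 10000 are listed as the VPN's own listeners so a later static mapping on either of them would be flagged the same way. The check is a sanity pass over the configuration text only; it does not know which feature the ASA would actually let win, so treat any reported collision as something to resolve before deployment.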