Cisco AnyConnect licensing

09/04/2012

The AnyConnect license comes in two flavours. A very grand mistake that most have made is around the cost.

Essentials @ circa. £400 for 5000 client licenses based on the hardware capability

SSL/IPSEC Client license per active device. This provides both full and split tunneling access to the central point of presence.

Premium @ circa. £180 each for client licenses based on the hardware capability

As above. However, this also includes the secure webtop (similar to a Citrix CAG), secure file access, etc.

The key to remeber, is that  you cannot run esentials and premium on the same box. If you license in one model then that is what you must maintain.

Advertisements

Get Console

08/04/2012

OMG!

This is sheer genius. . .

http://www.get-console.com/

I’ve fallen to the urge of iPAD and the Get Console App. Well what can I say ?

* FANTASTIC *

I have some plans for testing the reverse SSH/Telent aspects. Its really a good use for an iPAD or iPhone. I had a discusssion with a colleague around the functionality and capability. The key function we saw was around the remote support of infrastructure such as a UPS and or the usual network kit. We were soon dreaming up 19″ rack mount docking chassis’s for an iPhone with aditional external aerials to boost the 3G and a soft switch to flip between devices.

Perhaps, I should patent thsi one !


Standard switchport configuration for a client an VoIP

08/04/2012

The provision of standards based configurations on Cisco based hardware deployed across an infrastructure aide in maintaining a deterministic known environment. This post attempts to identify what standard configuration I would apply to provide simple connectivity on a LAN for a single client with a VoIP enabled phone. In this example the client may actually be connected to the back of the phone.

# interface FastEthernet0/1
# description Client Data & VoIP
# switchport access vlan 100
# switchport auto qos voip trust
# switchport mls qos trust dscp
# switchport mode access
# switchport nonegotiate
# no ip address
# spanning-tree portfast
# spanning-tree bpduguard enable

The key thing in using auto qos is the overall understanding. If a packet is marked with class of service then unless a number of variables are applied the configuration will not be trusted further upstream. However, if you mark with DSCP (TOS not COS) then the Layer3 device should honour the markings. Please note that above we have used “auto qos” and then applied “mls qos trust dscp” in that order. If by chance you apply it the other way round then the “auto qos command will write by default an “mls qos trust cos” variable.


Cisco ACE One Arm Mode and identifying Source Nat clients

08/04/2012

I have been working within an environment where keeping it simple is a good  strategy. No matter what strategy, process or good practice you follow there will always be a a “what about ?” Interestingly, I came close to one of these based around the ACE load-balancer and using One-Arm-Mode, with source-nat. The use of the following command will insert a custom header into the packet so that the server in question will have a means to identify the true source address. Why would you ever need this you might ask..? If so your potentially in the wrong job.

# policy-map type loadbalance http first-match WEB_L7_POLICY
# class class-default
# serverfarm www.cheese.com
# insert-http x-forward header-value “%is”


Cisco ASA using FQDN for hosts

08/04/2012

The Cisco ASA allows for the use of fully qualified domain names in access control lists. The ASA has to use DNS as you might expect to resolve names into IP addresses.

# domain-name lab.local
# dns domain-lookup inside
# dns server-group DNS-SVR-GROUP
# name-server 192.168.3.1
# domain-name lab.local
# object network www.cheese.com
# fqdn www.cheese.com
# access-list inside_access_in deny ip any object www.cheese.com
# access-list inside_access_in permit ip any any

It does not seem that Cisco have introduced wildcards yet. However, I wait in anticipation to apply an ACL that will resolve *.cheese.com successfully.

Go on Cisco, you know you have the means


Cisco ACE Access Control Lists

08/04/2012

Whilst working through an issue with Cisco TAC, it was highlighted that in the access control list defined on the ACE an “IP ANY ANY” negates the need for an “ICMP ANY ANY” as ICMP is accounted for within the “IP ANY ANY”.


Cisco ACE re-writing a URL on the fly

07/04/2012

This post was the outcome of an issue where a redirection or a re-write of a URL had to be carried out on the fly. The server in this instance was running a webservice on http which re-directed itself to https. The site had a certificate (ideally a SAN certificate would have been the correct implementation) and we had to present the alternative name to the client. In summary, client goes to website A (mycheese.com) this resolves to the IP of VIP which has a server running website B (mytoast.com). The website has a certificate for only website B. We will re-write the url through the ACE and bypass the client seeing an invalid certificate.

<< Man in the Middle ??>>

# rserver host TOAST-SVR
# ip address 100.100.100.100
# inservice
!
# serverfarm host TOAST-SFARM
# failaction reassign
# predictor leastconns
# rserver TOAST-SVR
# inservice
!
# sticky ip-netmask 255.255.255.255 address both TOAST-STICKY
# timeout 60
# replicate sticky
# serverfarm TOAST-SFARM
!
# action-list type modify http HTTP_CHEESE-on-TOAST_REWRITE
# header rewrite request Host header-value “mycheese.bread.com” replace “mytoast.bread.com”
!
# class-map match-any CHEESE-VIP
# 2 match virtual-address 100.100.100.200 tcp eq www
# 4 match virtual-address 100.100.100.200 tcp eq https
!
# policy-map type loadbalance first-match SLB-CHEESE-POLICY
# description Filter traffic matching the VIP
# class class-default
# sticky-serverfarm TOAST-STICKY
# action HTTP_CHEESE-on-TOAST_REWRITE
!
# Policy <<abridged>>
# class CHEESE-VIP
# loadbalance vip inservice
# loadbalance policy SLB-CHEESE-POLICY
# loadbalance vip icmp-reply active
# nat dynamic 200 vlan 100
!