Cisco AnyConnect licensing


The AnyConnect license comes in two flavours. A very common and costly mistake is misunderstanding how each one is priced.

Essentials @ circa £400 for 5000 client licenses, based on the hardware capability

SSL/IPSEC Client license per active device. This provides both full and split tunneling access to the central point of presence.

Premium @ circa £180 each for client licenses, based on the hardware capability

As above; however, this also includes the secure webtop (similar to a Citrix CAG), secure file access, etc.

The key thing to remember is that you cannot run Essentials and Premium on the same box. If you license under one model then that is the model you must maintain.


Get Console



This is sheer genius. . .

I've fallen to the urge of the iPad and the Get Console app. Well, what can I say?


I have some plans for testing the reverse SSH/Telnet aspects. It's really a good use for an iPad or iPhone. I had a discussion with a colleague around the functionality and capability. The key function we saw was the remote support of infrastructure such as a UPS and/or the usual network kit. We were soon dreaming up 19″ rack-mount docking chassis for an iPhone with additional external aerials to boost the 3G and a soft switch to flip between devices.

Perhaps I should patent this one!

Standard switchport configuration for a client and VoIP


The provision of standards-based configurations on Cisco hardware deployed across an infrastructure aids in maintaining a deterministic, known environment. This post attempts to identify the standard configuration I would apply to provide simple connectivity on a LAN for a single client with a VoIP-enabled phone. In this example the client may actually be connected to the back of the phone.

# interface FastEthernet0/1
# description Client Data & VoIP
# switchport access vlan 100
# auto qos voip trust
# mls qos trust dscp
# switchport mode access
# switchport nonegotiate
# no ip address
# spanning-tree portfast
# spanning-tree bpduguard enable

The key thing in using auto qos is the overall understanding. If a packet is marked with class of service (CoS) then, unless a number of variables are applied, the marking will not be trusted further upstream. However, if you mark with DSCP (ToS, not CoS) then the Layer 3 device should honour the markings. Please note that above we have used "auto qos" and then applied "mls qos trust dscp", in that order. If by chance you apply them the other way round then the "auto qos" command will, by default, write an "mls qos trust cos" variable.
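The ordering and completeness rules above can be checked mechanically against a running-config excerpt. The following is an added example (not code from the original post) that parses interface stanzas and flags a port where "mls qos trust dscp" precedes "auto qos voip trust", or where any of the listed access-port commands is missing; the two sample configurations are constructed for the example.

```python
import re

# Constructed sample configs (not from a real switch); line order matters.
SAMPLE_GOOD = """
interface FastEthernet0/1
 switchport access vlan 100
 auto qos voip trust
 mls qos trust dscp
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
"""
SAMPLE_BAD = """
interface FastEthernet0/2
 switchport access vlan 100
 mls qos trust dscp
 auto qos voip trust
 switchport mode access
 spanning-tree portfast
"""
REQUIRED = ("switchport mode access", "switchport nonegotiate",
            "spanning-tree portfast", "spanning-tree bpduguard enable")

def parse_interfaces(config):
    """Return {interface name: [commands in the order they appear]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line and current:
            interfaces[current].append(line)
    return interfaces

def audit_access_port(lines):
    """Findings for one client/VoIP access port, as plain strings."""
    findings = []
    if "auto qos voip trust" in lines and "mls qos trust dscp" in lines and \
            lines.index("mls qos trust dscp") < lines.index("auto qos voip trust"):
        findings.append("mls qos trust dscp applied before auto qos voip trust: "
                        "auto qos will overwrite it with mls qos trust cos")
    findings += ["missing: " + cmd for cmd in REQUIRED if cmd not in lines]
    return findings

def audit(config):
    return {name: audit_access_port(lines)
            for name, lines in parse_interfaces(config).items()}
```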

Cisco ACE One Arm Mode and identifying Source Nat clients


I have been working within an environment where keeping it simple is a good strategy. No matter what strategy, process or good practice you follow there will always be a "what about?" Interestingly, I came close to one of these based around the ACE load balancer using one-arm mode with source NAT. The following command inserts a custom header into the request so that the server in question has a means to identify the true source address. Why would you ever need this, you might ask? If so, you're potentially in the wrong job.

# policy-map type loadbalance http first-match WEB_L7_POLICY
# class class-default
# serverfarm
# insert-http x-forward header-value "%is"
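On the server side the inserted header is only meaningful when the request really did arrive via the ACE; a client that can reach the real server directly can put any value in that header. The following is an added example (not code from the original post or from the ACE) of how a web application would consume the "x-forward" header: it trusts the header only when the TCP peer is inside an assumed ACE source-NAT pool (10.10.200.0/24, constructed for the example) and falls back to the peer address otherwise.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing (constructed for this example): the source-NAT pool the
# ACE uses in one-arm mode, i.e. what the real server sees as the TCP peer.
ACE_SNAT_POOL = ip_network("10.10.200.0/24")
# Header name as configured with: insert-http x-forward header-value "%is"
HEADER = "x-forward"

def parse_headers(raw_request):
    """Split a raw HTTP request into (request line, {lower-case name: value})."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers

def client_address(peer_ip, headers):
    """Return the address to log and authorise on.

    The inserted header is trusted only when the TCP peer is the ACE itself;
    otherwise the peer address is returned, since anyone reaching the server
    directly could have written the header themselves.
    """
    if ip_address(peer_ip) not in ACE_SNAT_POOL:
        return peer_ip
    value = headers.get(HEADER)
    if not value:
        return peer_ip
    try:
        # %is yields one address; tolerate a comma-separated chain anyway.
        return str(ip_address(value.split(",")[0].strip()))
    except ValueError:
        return peer_ip          # malformed header value, do not trust it

# Constructed sample request as it arrives at the real server via the ACE.
SAMPLE = ("GET /app/ HTTP/1.1\r\nHost: www.example.test\r\n"
          "x-forward: 203.0.113.45\r\n\r\n")
```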

Cisco ASA using FQDN for hosts


The Cisco ASA allows the use of fully qualified domain names in access control lists. As you might expect, the ASA has to use DNS to resolve those names into IP addresses.

# domain-name lab.local
# dns domain-lookup inside
# dns server-group DNS-SVR-GROUP
# name-server
# domain-name lab.local
# object network
# fqdn
# access-list inside_access_in deny ip any object
# access-list inside_access_in permit ip any any

It does not seem that Cisco have introduced wildcards yet. However, I wait in anticipation of applying an ACL that will resolve * successfully.

Go on Cisco, you know you have the means

Cisco ACE Access Control Lists


Whilst working through an issue with Cisco TAC, it was highlighted that in an access control list defined on the ACE an "ip any any" entry negates the need for an "icmp any any" entry, as ICMP is already accounted for within "ip any any".

Cisco ACE re-writing a URL on the fly


This post was the outcome of an issue where a redirection or a rewrite of a URL had to be carried out on the fly. The server in this instance was running a web service on HTTP which redirected itself to HTTPS. The site had a certificate (ideally a SAN certificate would have been the correct implementation) and we had to present the alternative name to the client. In summary: the client goes to website A ( this resolves to the IP of the VIP, behind which a server runs website B ( The website has a certificate for website B only. We rewrite the URL through the ACE so that the client does not see an invalid certificate.

<< Man in the Middle ??>>

# rserver host TOAST-SVR
# ip address
# inservice
# serverfarm host TOAST-SFARM
# failaction reassign
# predictor leastconns
# rserver TOAST-SVR
# inservice
# sticky ip-netmask address both TOAST-STICKY
# timeout 60
# replicate sticky
# serverfarm TOAST-SFARM
# action-list type modify http HTTP_CHEESE-on-TOAST_REWRITE
# header rewrite request Host header-value "" replace ""
# class-map match-any CHEESE-VIP
# 2 match virtual-address tcp eq www
# 4 match virtual-address tcp eq https
# policy-map type loadbalance first-match SLB-CHEESE-POLICY
# description Filter traffic matching the VIP
# class class-default
# sticky-serverfarm TOAST-STICKY
# Policy <<abridged>>
# class CHEESE-VIP
# loadbalance vip inservice
# loadbalance policy SLB-CHEESE-POLICY
# loadbalance vip icmp-reply active
# nat dynamic 200 vlan 100
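The effect of the "header rewrite" action can be reproduced outside the ACE to see exactly what the real server receives. The following is an added example (not code from the original post or from the ACE) that rewrites one header of a raw HTTP message by regular expression, the same shape as "header rewrite request Host header-value <pattern> replace <string>". It goes one step beyond the post by also showing the response direction (rewriting a Location header back to website A), which the abridged configuration above does not include. The names cheese.example and toast.example are constructed stand-ins for website A and website B, whose real names the post does not show.

```python
import re

def rewrite_header(message, name, pattern, replacement):
    """Rewrite the value of one header in a raw HTTP message.

    The value is matched as a regular expression and replaced; the
    request/status line, other headers and the body are left untouched.
    Returns (rewritten message, number of header lines changed).
    """
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    changed = 0
    for i, line in enumerate(lines[1:], start=1):   # skip request/status line
        hname, colon, value = line.partition(":")
        if colon and hname.strip().lower() == name.lower():
            new_value, n = re.subn(pattern, replacement, value.strip())
            if n:
                lines[i] = "%s: %s" % (hname.strip(), new_value)
                changed += 1
    return "\r\n".join(lines) + sep + body, changed

# Constructed names standing in for website A and website B.
SITE_A = "cheese.example"
SITE_B = "toast.example"

# Constructed client request as it arrives at the VIP for website A ...
REQUEST = ("GET /menu HTTP/1.1\r\nHost: cheese.example\r\n"
           "User-Agent: test\r\n\r\n")
# ... and a constructed server redirect that names website B.
RESPONSE = ("HTTP/1.1 302 Found\r\nLocation: https://toast.example/menu\r\n"
            "Content-Length: 0\r\n\r\n")

def to_server(request):
    """Request direction: present website B's name to the real server."""
    return rewrite_header(request, "Host",
                          r"^" + re.escape(SITE_A) + r"$", SITE_B)

def to_client(response):
    """Response direction: hide website B's name from the client again."""
    return rewrite_header(response, "Location", re.escape(SITE_B), SITE_A)
```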