The AnyConnect license comes in two flavours. A very common and costly mistake is misunderstanding how each is priced.
Essentials: circa £400 for 5000 client licenses, based on the hardware capability.
SSL/IPsec client license per active device. This provides both full and split tunnelling access to the central point of presence.
Premium: circa £180 each for client licenses, based on the hardware capability.
As above. However, this also includes the secure webtop (similar to a Citrix CAG), secure file access, etc.
The key thing to remember is that you cannot run Essentials and Premium on the same box. If you license under one model, then that is the model you must maintain.
This is sheer genius. . .
I’ve fallen to the urge of the iPad and the Get Console app. Well, what can I say?
* FANTASTIC *
I have some plans for testing the reverse SSH/Telnet aspects. It’s really a good use for an iPad or iPhone. I had a discussion with a colleague around the functionality and capability. The key function we saw was around the remote support of infrastructure such as a UPS and/or the usual network kit. We were soon dreaming up 19″ rack-mount docking chassis for an iPhone with additional external aerials to boost the 3G and a soft switch to flip between devices.
Perhaps I should patent this one!
I have been working within an environment where keeping it simple is a good strategy. No matter what strategy, process or good practice you follow there will always be a “what about?” Interestingly, I came close to one of these based around the ACE load-balancer using one-arm mode with source NAT. Because the ACE source-NATs the connection, the server only ever sees the load balancer’s address; the following command inserts a custom HTTP header carrying the original client source address (%is), so that the server has a means to identify the true source. Why would you ever need this, you might ask? If so, you’re potentially in the wrong job.
# policy-map type loadbalance http first-match WEB_L7_POLICY
#   class class-default
#     serverfarm www.cheese.com
#     insert-http x-forward header-value "%is"
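The server-side half of this: the inserted header is only meaningful when the connection really came from the ACE’s NAT pool, since anything else on the network can set an “x-forward” header itself. This is an added example, not code from the original post; the NAT pool range, header name handling and sample addresses are assumptions.

```python
import ipaddress

# Constructed example: the ACE one-arm source-NAT pool. Only connections
# arriving from these addresses carry a trustworthy x-forward header.
TRUSTED_PROXIES = (ipaddress.ip_network("100.100.100.0/24"),)


def real_client_ip(peer_ip: str, headers: dict, trusted=TRUSTED_PROXIES) -> str:
    """Return the address the server should log and apply policy to.

    headers: request headers with lower-cased names (assumption).
    With source NAT every connection arrives from the ACE, so the header
    inserted by `insert-http x-forward header-value "%is"` is the only record
    of the true source. It must be ignored when the TCP peer is not the load
    balancer, because a direct client can put anything it likes in it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return str(peer)  # not via the ACE: header is untrusted, use the peer

    raw = headers.get("x-forward", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # If an upstream proxy already set the header the value is a chain; walk it
    # right-to-left and take the first address that is not a trusted proxy,
    # i.e. the address the load balancer actually saw.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: fall back to the peer address
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)
```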
The Cisco ASA allows for the use of fully qualified domain names in access control lists. As you might expect, the ASA has to use DNS to resolve the names into IP addresses.
# domain-name lab.local
# dns domain-lookup inside
# dns server-group DNS-SVR-GROUP
#   name-server 192.168.3.1
#   domain-name lab.local
# object network www.cheese.com
#   fqdn www.cheese.com
# access-list inside_access_in deny ip any object www.cheese.com
# access-list inside_access_in permit ip any any
It does not seem that Cisco have introduced wildcards yet. However, I wait in anticipation to apply an ACL that will resolve *.cheese.com successfully.
Go on Cisco, you know you have the means.
Whilst working through an issue with Cisco TAC, it was highlighted that in an access control list defined on the ACE an “ip any any” negates the need for an “icmp any any”, as ICMP is an IP protocol and is therefore already accounted for within the “ip any any”.
This post was the outcome of an issue where a redirection or a rewrite of a URL had to be carried out on the fly. The server in this instance was running a web service on HTTP which redirected itself to HTTPS. The site had a certificate (ideally a SAN certificate would have been the correct implementation) and we had to present the alternative name to the client. In summary, the client goes to website A (mycheese.com), which resolves to the IP of a VIP fronting a server running website B (mytoast.com). The website has a certificate for website B only. We will rewrite the Host header through the ACE so that the client does not see an invalid certificate.
<< Man in the Middle ??>>
# rserver host TOAST-SVR
#   ip address 100.100.100.100
# serverfarm host TOAST-SFARM
#   failaction reassign
#   predictor leastconns
#   rserver TOAST-SVR
# sticky ip-netmask 255.255.255.255 address both TOAST-STICKY
#   timeout 60
#   replicate sticky
#   serverfarm TOAST-SFARM
# action-list type modify http HTTP_CHEESE-on-TOAST_REWRITE
#   header rewrite request Host header-value "mycheese.bread.com" replace "mytoast.bread.com"
# class-map match-any CHEESE-VIP
#   2 match virtual-address 100.100.100.200 tcp eq www
#   4 match virtual-address 100.100.100.200 tcp eq https
# policy-map type loadbalance first-match SLB-CHEESE-POLICY
#   description Filter traffic matching the VIP
#   class class-default
#     sticky-serverfarm TOAST-STICKY
#     action HTTP_CHEESE-on-TOAST_REWRITE
# Policy <<abridged>>
#   class CHEESE-VIP
#     loadbalance vip inservice
#     loadbalance policy SLB-CHEESE-POLICY
#     loadbalance vip icmp-reply active
#     nat dynamic 200 vlan 100