I recently needed to schedule nightly reboots for a Cisco router and I found this article very helpful.
I have been working with a client with multiple sites and up until recently they have been using Watchguards at all sites. Recently we have been switching out some of the Watchguards for Cisco ASAs but there have been a ton of site-to-site VPN issues. For example, a tunnel goes down, so you re-key it, it doesn’t come back up, but if you recreate the tunnel on the Watchguard side with the exact same settings everything works fine. What is the point of having a standard if companies aren’t following it? Yeesh.
Here is an interesting article on this:
Apparently even though there have been reported issues with version 3.1 you cannot roll back from an upgrade.
So I configured my ASA to provide L2TP remote access VPN. I originally set it up with a local user database and it worked fine. After that, I decided to tie it in to LDAP so I could authenticate against Active Directory. I set up my LDAP integration and used the built-in test tool to make sure it worked, and it did. However, every time I tried to log in with an AD account I got authentication failures. So I eventually gave up and placed a call with Cisco TAC, and do you know what I found out? If you want to use LDAP authentication with L2TP RA VPN you have to use PAP, because LDAP authentication isn’t supported with CHAP. The practical effect of this is that when your ASA sends the passwords to your DC it is in clear text.
Cisco kind of has you over a barrel when it comes to RA VPN. You could go with SSL VPN, but the licences are hideously expensive. You could do IPsec VPN, but they don’t have a 64-bit client, nor are they planning on making one from what I heard. You could do L2TP, but if you want LDAP integration you have to send passwords in clear text unless you set up LDAP over SSL. Not to mention that the ASAs no longer even support PPTP.
It is more than a little annoying, I have to say.
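As an added illustration of why the LDAP path gets forced down to PAP (constructed example code, not from this post and not Cisco’s own logic): a CHAP verifier has to hold the user’s secret to recompute MD5(id || secret || challenge), which a local user database can do but an LDAP simple bind never reveals, so with LDAP the ASA can only forward the password itself, and that bind is cleartext on the wire unless the LDAP session runs over SSL/TLS. The class names, the simulated wire log and the sample account are assumptions made for the example.

```python
import hashlib
import os
from typing import Optional

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class LocalUserDb:
    """Constructed stand-in for the ASA local database: it stores each user's
    secret, so it can recompute the CHAP hash itself."""
    def __init__(self, users: dict):
        self._users = users
    def verify_pap(self, user: str, password: str) -> bool:
        return self._users.get(user) == password
    def verify_chap(self, user: str, ident: int, challenge: bytes, response: bytes) -> Optional[bool]:
        secret = self._users.get(user)
        return secret is not None and chap_response(ident, secret, challenge) == response

class LdapDirectory:
    """Constructed stand-in for the DC: an LDAP simple bind only answers yes/no
    to a password it is handed; it never returns the stored secret to the ASA."""
    def __init__(self, users: dict):
        self._users = users
        self.wire = []  # constructed: what an observer between ASA and DC would see
    def verify_pap(self, user: str, password: str, ldap_over_ssl: bool = False) -> bool:
        # Without SSL the bind carries the password as-is; with SSL only TLS records are visible.
        self.wire.append(b"<TLS record>" if ldap_over_ssl else password.encode())
        return self._users.get(user) == password
    def verify_chap(self, user: str, ident: int, challenge: bytes, response: bytes) -> Optional[bool]:
        # There is no secret to recompute the hash with: "cannot verify", which the
        # client experiences as an authentication failure.
        return None

def l2tp_login(backend, user: str, password: str, proto: str, ldap_over_ssl: bool = False) -> Optional[bool]:
    """Simulated PPP authentication inside the L2TP tunnel; None means the backend cannot verify."""
    if proto == "PAP":
        if isinstance(backend, LdapDirectory):
            return backend.verify_pap(user, password, ldap_over_ssl)
        return backend.verify_pap(user, password)
    if proto == "CHAP":
        ident, challenge = 1, os.urandom(16)                   # authenticator's challenge
        response = chap_response(ident, password, challenge)   # client knows its own password
        return backend.verify_chap(user, ident, challenge, response)
    raise ValueError(f"unknown PPP auth protocol {proto}")
```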
I passed this exam recently, which makes me a CCNA Voice now, and I wanted to write about my thoughts on this exam.
So this exam focuses entirely on the UC500 and Communications Manager Express; there is nothing on Unified Communications Manager or on Business Edition. Overall I found the exam challenging but not tricky. I found the focus of the exam was more about understanding how things work (call legs, dial peers, RTP etc.) rather than commands and such on how to implement things, so really try to understand all the different components of a call.
Time to move on to my CCVP!
Here is a useful link I found for setting up WAN failover on a Cisco ASA.
Bear in mind you need a Security Plus license on a 5505 or 5510 for this to work.
OK, bad news: ASAs do not support PPTP remote access VPN (though they can pass it through). However, they will support L2TP over IPsec VPN, which Windows is capable of doing.
Here is a great video tutorial I used for setting it up:
Check it out:
This should make the open source community happy. Frankly, why you would endeavour to please the open source community I am not sure. No one ever complains that Snow Leopard isn’t open source; everyone still loves Macs. The demand for “open source” is mostly just a group of malcontents who hate Microsoft’s stranglehold on the industry. Now don’t get me wrong, I also hate Microsoft’s stranglehold on the industry; healthy competition is and always will be the best motivator for innovation, but I don’t have to hide that behind some kind of hippy, kumbaya-singing demand that companies share their corporate secrets because that makes the world a better place.
Check it out:
Wow, really? The fad is finally wearing off? People are now realizing that there is no good software for this thing? There was no good software for this thing three years ago. I will never understand crazes like this.