How to Implement Priority Queuing on the ASA

Last week, I wrote about one of the typical scenarios that we run into with ASA implementations. As described there, that scenario is one in which the ASA can transmit traffic at 100Mb/s (or 1000Mb/s), but our service provider dropped traffic that was beyond the contract rate. The problem was that the ASA, the device under our administrative control, had no say in which packets were dropped. The solution to this problem was to move the network bottleneck into the ASA. It can then drop traffic that is outside the acceptable rate and use a priority queue to let priority packets bypass other queued packets. This is known as hierarchical priority queuing. Today’s article demonstrates the use of hierarchical priority queuing on the ASA.

Posted in security

QoS Challenges with VPNs

Something that comes up regularly is questions about QoS on VPNs. There are several challenges related to QoS in the typical Internet-connected environments that I come in contact with. These challenges are not really a result of the VPN configuration, but it is often mission-critical traffic that we are trying to prioritize through the VPN, and this traffic is competing with other Internet-destined traffic. This article is an attempt to outline some of the challenges that we typically run into. We will look at what we can do and outline the things that are beyond our control. This article will not get into the specific configuration of the solutions, but will serve as a baseline for more technical articles.

Posted in security

Changes Required for AnyConnect in 8.4

A few days ago I wrote an article that explained the configuration steps required to implement a basic AnyConnect environment. That article was based on a pre-8.3 version of the ASA OS. Many organizations are starting to implement ASA 8.4 (and skipping over 8.3). This article describes the differences when implementing AnyConnect on 8.4, assuming familiarity with the 8.2 configuration.


Posted in security

ASA DSCP Preservation with IPSec

Cisco documents a feature called “DSCP Preservation” with regard to ToS byte handling on the ASA. This basically means that the ToS byte is left intact as packets flow through the firewall. But what happens to the ToS byte when a VPN is in use? The video below demonstrates that the ASA actually copies the original value found in the ToS byte into the new outer IP header for transport across the public network.

Posted in network, security

15 Top Paying IT Certifications–Not Really

Today, I received a newsletter from Global Knowledge. The first article listed was “15 Top Paying IT Certifications for 2012”. I wanted to offer an interpretation of this article. It is not the certifications that are valuable, but what those individuals bring to the table that determines their worth. For example, in the number three position, GK lists the CCDA. This is a single exam that is based more on theory and memorization than practical experience. In the seventh position we find the CCNP certification, earning over $11,000 a year less.

Posted in career

Getting Started with Cisco Anyconnect

For the last few years, Cisco has been attempting to do away with what they call the Cisco EZVPN client. This has been the solution used by many corporate users in the mobile workforce for secure access to enterprise data. The need for mobility certainly isn’t going away, and Cisco has a new solution for this called Anyconnect. While the EZVPN client used IPSec, Anyconnect uses SSL to create a secure tunnel. From the wire, this connection looks very much like accessing any e-commerce site and alleviates some of the challenges of using IPSec on an ad hoc basis. In this article, we will start with a very basic ASA configuration and add a very basic Anyconnect configuration. There is actually a command that we can use to show us many of the configuration steps. We will also look at some of the additional items that typically need to be configured to achieve a basic Anyconnect environment.

Posted in security

CCIE Routing and Switching Written Exam Resources

Last week I took and passed the CCIE Routing and Switching Written exam (350-001). The first and foremost reason for taking this exam was to re-certify my current CCIE Security certification. Cisco requires a CCIE-level written exam to be passed every two years in order to maintain an active CCIE status. I also took it with the consideration that I might eventually want to attempt the Routing and Switching Lab.

Posted in career

The Future of the OSI Model

The OSI model is that thing that everyone seems to love to hate. The OSI is actually just a model that has its roots in the International Organization for Standardization. We’ve all had disagreements about how certain protocols map to certain layers. However, it has certainly stood the test of time. What is interesting to me is how the datacenter has transformed and is continuing to transform. When we think about modern datacenters and how virtualization is being introduced, many networks today have actual physical, data link and network layers. On top of that we have the upper 6 layers existing in a virtual infrastructure.


Posted in Uncategorized

Migrating ASA NAT Exemption Configuration

NAT exemptions are often required when a single ASA appliance is performing NAT and terminating VPN connections. In ASA configurations prior to 8.3 and 8.4, NAT exemptions were configured with “nat 0 access-list <acl name>” and a related access-list.

Posted in security

ASA L2L VPN Spoke to Spoke Communication

It seems like some of the more challenging things to do on an ASA involve some sort of traffic being redirected out the same interface it was received on. This article addresses the requirement for spoke-to-hub-to-spoke communication for LAN-to-LAN VPNs. This is less efficient and should not be used when there are massive amounts of traffic between two spokes. However, if your design requires fewer peers and a more compact configuration, and you prefer a simple solution, this article can help you achieve those goals. Although this article specifically addresses the LAN-to-LAN VPN type, the methods used here can work with other types of VPNs as well (e.g. Anyconnect and IPSec Remote Access).


Posted in security

No SSH After Upgrading to 8.4

There are several changes when an ASA is upgraded from 8.2 to 8.4(2). The most notable of these are the ones dealing with the syntax of the NAT configuration. However, there is another gotcha that you might not be expecting: SSH will no longer work with the default username of “pix” like it did prior to the upgrade. This article addresses the simple configuration task of rectifying this issue. Ideally, these tasks would be performed prior to an upgrade to avoid the loss of remote connectivity.

Posted in security

Typical NAT/PAT Configuration Comparison for ASA 8.4

A little while back, I posted an article that took a very simple ASA configuration and migrated it to 8.4. This article takes it a step further and focuses on NAT and PAT, as well as the related access control list changes. It only addresses typical static and dynamic source address translation scenarios. Policy-based NAT and DMZ configurations will be addressed in future articles. This is an area of significant change in ASA 8.4.


Posted in security