Thursday, October 27, 2011

ASA 5500 SSL VPN Add Licenses to ASA

I recently had to enable some of my mobile Mac clients with the Cisco AnyConnect VPN Client for Mac.  Then, of course, since the ASA only included 2 SSL VPN licenses and that's what the AnyConnect VPN Client uses, I had to purchase some additional licenses.  I purchased the licenses through a reseller, and a couple of days later they sent me a PDF listing the product (L-ASA-SSL-10= ASA 5500 SSL VPN 10 Premium User License) and a Product Authorization Key.

First, go to the Cisco Product Registration Page and login with your TAC credentials.  In the Product Authorization Key (PAK) field enter the Product Authorization Key from your PDF then click submit.

Next, follow the prompts and agree to their end user license agreement.  You will have to provide the ASA's serial number which can be obtained from the chassis or via show version from the CLI (this is probably the best method as you can copy the S/N from the CLI, then paste it to the authorization screen).

Now wait.

After submitting the required information and verifying other info you'll see the following message indicating that you'll have to wait up to one hour to receive an email with the xxx.  You'd think Cisco would be able to provide this info right away.  Guess not.

You'll be presented with the following helpful message to read while you wait...
Your license and user information will be sent via email within 1 hour to the email address you specified. If you have not received an email within 1 hour, please open a Service Request using the TAC Service Request Tool. Please have your valid Cisco.com user Id and password available. As an alternative, you may also call our main Technical Assistance Center at 800-553-2447.
Please be sure to check your Junk/Spam email folders for this email from licensing@cisco.com with your license key attached.
Fortunately, only a few minutes later I received the email with the ASA activation key (which is 77 characters long) and the following instructions.

Installing Your Cisco Adaptive Security Appliance Activation Key
Step 1.  From the command line interface (CLI), enter configuration mode using the "conf t" command.
Step 2.  Type the "activation-key" command, and then, when prompted, enter the new activation key listed above.
Which I promptly followed.  Now I have 10 licenses with which to connect my clients.  This, by the way, is a bit of a disappointment as I already had two.  I would have hoped Cisco would have preserved the two gratis WebVPN licenses and added my 10 new ones.  No such luck.

Friday, October 21, 2011

Cisco AnyConnect VPN Client for Mac

Recently some of our mobile users needed to connect to one of our networks that's protected by a pair of Cisco ASA firewalls.  It was no problem for the Windows users as I already had what I needed in place; however, it was a different story for our Mac users.  Since it had been a while since I set up the ASA for AnyConnect for Windows I'd forgotten everything that was needed, so I ran into a little trouble.

First, I downloaded the latest AnyConnect VPN client for Macs from Cisco (anyconnect-macosx-i386-2.5.3055-k9.dmg at the time of this writing), and installed it on a MacBook Pro.

  • Of course, you'll have to have a valid SmartNet agreement and account with Cisco to access these files.
  • And, since the Cisco VPN client only runs on 32-bit Macs, AnyConnect is the only option for 64-bit Macs.
With the AnyConnect VPN Client installed on the Mac I launched it and tried to connect to my ASA.  Here's when I ran into my first problem, receiving the message, "The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."

After a little research I realized I needed to upload the accompanying package (.pkg) file to the ASA.  So I headed back to Cisco to download the package file (anyconnect-macosx-i386-2.5.3055-k9.pkg - must match the version of the AnyConnect VPN Client on the Mac).

With that in hand I copied it to the ASA via TFTP, after, of course, dusting off my (FREE!) SolarWinds TFTP Server I haven't used for quite some time.  Here's the (Cisco) IOS command to copy the file via the terminal:
copy tftp:anyconnect-macosx-i386-2.5.3055-k9.pkg disk0:
Of course you'll have to provide the name/IP address of your TFTP server, which will conveniently be asked.

With that in place I tried again to connect.  However, I had the same problem, again receiving the message, "The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."  WTF?

Oh, yeah, I had to register the Mac AnyConnect package with the ASA's IOS.  Since I already have the Windows AnyConnect package registered as #1, and since most who connect to my ASA are Windows clients I left that in the first position and registered the Mac package second with the following commands:
config terminal
webvpn
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
Then, by running show webvpn svc I can see that both the Windows and Mac AnyConnect packages are registered with my ASA.  

And I can successfully connect my Mac clients.  Booyah!!!

Need help adding SSL VPN licenses to your ASA 5500?

Monday, October 10, 2011

Expanding a Virtual Disk on a Dell MD 3000i SAN - How To

If you're like me you don't allocate all disks to a SAN out of the gate.  I like to keep a little in reserve so I can add capacity when needed.  Then, once all the disks are added I'll usually pickup a couple more disks and keep those in reserve.  In either case once it comes time to add capacity to a virtual disk on a Dell MD 3000i SAN it can be a little tricky.

This will be accomplished in two steps.  First add the capacity of one or more physical disks to a disk group.  Next expand the virtual disk.  The first step is rather easy and done through the Modular Disk Storage Manager utility.  Step two is a little tricky as it uses the Dell smcli command line utility.

Step 1 - add one or more drives to a Disk Group
  • Open the Dell Modular Disk Storage Manager utility
  • Click the Modify tab
  • Under the Storage subsection click Add Free Capacity (Physical Disks)
  • Select your disk group, click next
  • Select the capacity/number of disks, click finish
Now if you go back to the Summary tab and click Disk Groups & Virtual Disks you can see that you have free space available.

NOTE: This step can take some time to complete. Depending on the size and type of RAID you are running, it may take several hours or more (even days!) to complete. It will not take the disk group down, but may slow things a bit.  Also, this MUST complete before you can perform the next step!  If you jump the gun and run step two prematurely you'll receive the message, "Error 11 - The operation cannot complete because a virtual disk is performing a modification operation..."

Step 2 - Expanding a Virtual Disk
  • Decide how much space to add in Bytes.  You could use a calculator such as this or this bit calculator.
  • On the computer running Dell Modular Disk Storage Manager, open a command prompt.
  • Navigate to Program Files\Dell\MD Storage Manager\client OR Program Files (x86)\Dell\MD Storage Manager\client if you are on a 64-bit machine.
  • Use the smcli command to expand the disk. Examples below.
smcli Syntax: smcli -n ArrayName -c "set virtualDisk [\"virtualdiskname\"] addCapacity=virtualdiskcapacityinbytes;"

Example smcli command - assumes the following:
  • MD3000i named SAN1
  • Virtual Disk named Disk1
  • Want to add 500GB to virtual disk
smcli -n SAN1 -c "set virtualdisk [\"Disk1\"] addCapacity=536870912000;"
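As an added example (not the page's own code or Dell's), here is a small converter that turns a size such as "500GB" into the byte count addCapacity expects and builds the command line with the inner quotes escaped the way cmd.exe needs.  It assumes the page's convention that "500GB" means 500 x 1024^3 bytes, which is what 536870912000 is.

```python
import re
import subprocess

# The page's example treats "500GB" as 500 x 1024^3 = 536870912000 bytes,
# so this converter uses binary (1024-based) units to match it (assumption).
_UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}
_SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMGT]?B)\s*$", re.IGNORECASE)


def add_capacity_bytes(size: str) -> int:
    """Convert '500GB', '1.5TB', etc. to the whole-byte count smcli expects."""
    m = _SIZE_RE.match(size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    value, unit = float(m.group(1)), m.group(2).upper()
    total = value * _UNITS[unit]
    if total <= 0 or total != int(total):
        raise ValueError(f"{size!r} is not a positive whole number of bytes")
    return int(total)


def smcli_expand_command(array_name: str, virtual_disk: str, size: str) -> str:
    """Build the Windows command line for 'set virtualDisk [...] addCapacity=...;'.

    The virtual disk name must be double-quoted inside the smcli script, and
    those quotes must in turn be escaped for cmd.exe.  list2cmdline applies
    the same quoting rules Windows uses to split a command line into arguments.
    """
    if '"' in virtual_disk or "]" in virtual_disk:
        raise ValueError("virtual disk name cannot contain quotes or ']'")
    script = f'set virtualDisk ["{virtual_disk}"] addCapacity={add_capacity_bytes(size)};'
    return subprocess.list2cmdline(["smcli", "-n", array_name, "-c", script])


if __name__ == "__main__":
    # Constructed values: array SAN1, virtual disk Disk1, add 500GB.
    print(smcli_expand_command("SAN1", "Disk1", "500GB"))
```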
While this expands the capacity of the SAN virtual disk the operating system may not automatically recognize it.  On Windows 2008 server perform the following:
  • Open Server Manager 
  • Go to Storage, Disk Management
  • Right-click the desired Windows volume and select Extend Volume
  • Follow the prompts in the Extend Volume Wizard

Thursday, October 6, 2011

Cisco ASA ASDM Install and Download

A few months ago I got a new work computer.  Since it was a good opportunity to start fresh I didn't transfer all the programs from my old one to the new.  And one of them I neglected to transfer was ASDM.  I wasn't too worried about it since I often manage my ASA firewalls via the terminal using PuTTY.  But I had a need for ASDM recently so I downloaded it and ran it from my computer, but to my chagrin I received the message, "Unable to launch device manager from..."  Crap!

I couldn't remember exactly how to download ASDM from my ASA, and it took me a bit to figure out.  And since I wanted to upgrade to the latest anyway, I thought I'd write myself a reminder here so in a year or two when I get a new computer I don't have to go through this same trouble again.  I hope others find it useful as well.

First, download the latest ASDM bin file from Cisco (you'll have to have a valid SmartNet contract to access the downloads section).  At the time of this writing the latest version is asdm-645.bin.

With that downloaded use something like TFTP to copy the file to the ASA.
config terminal
copy tftp: disk0:/asdm-645.bin
Next, register the ASDM bin with the ASA.
config terminal
asdm image flash:asdm-645.bin
NOTE: the ASDM version needs to be compatible with the IOS on the ASA.

Finally, access the ASA's admin interface with https://<LAN_interface_IP>/admin.  NOTE: this has to be on the LAN interface, either from a computer running inside the ASA, or for an external computer connect via VPN, then access the ASA's LAN interface.

Click the link, "Install ASDM Launcher and Run ASDM."  Follow the steps to install and connect to your ASA.

Wednesday, October 5, 2011

Steve Jobs 1955-2011

I'm no fan of Apple, but as a techie I have a profound respect for Steve Jobs and everything he's done for my industry, for computing in general and for consumer electronics.  Well done Steve!

Monday, October 3, 2011

Amazon ELB & IIS - Capturing Client IP Address

I've been using Amazon EC2's Elastic Load Balancer (ELB) for a couple of years now to load balance web applications, and for the most part it's been great.  The one drawback I've run into is that IIS logs the load balancer's private IP address as the c-ip address, rather than the client's actual IP address.  Essentially the ELB acts like a NAT device.  This can be a problem when trying to troubleshoot requests to your IIS sites.  And is just plain annoying.

So I finally did a little digging on this and found a simple and elegant solution.  That is for IIS to log the IP address value of the X-Forwarded-For request header which ELB populates with the client IP address when it forwards the request to IIS.

Start by downloading the IIS X-Forwarded-For ISAPI Filter from F5 (click here for more information), and extracting the files.  There's a lot here, including source code, but all you need is the appropriate F5XForwardedFor.dll, either x86 (32 bit) or x64 (64 bit).  To make it easy I copied mine to the root of C:\inetpub, i.e. C:\inetpub\F5XForwardedFor2008\x64.

Next, open IIS Manager, highlighting the server name in the Connections pane.  In the <servername> Home pane double-click ISAPI Filters.  Then in the Actions pane (upper-right corner) select Add.  Give the filter a name (I used Xforward) and specify the exact location of the Executable (F5XForwardedFor.dll).

NOTE: by adding this at the server level it will apply to all sites on the server.

Click OK and you're done.  Now, sit back, relax and wait for your server logs to accumulate.  Here's a view of an IIS log after enabling the F5XForwardedFor ISAPI filter.
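As an added example (not the F5 filter's code and not part of the original post), here is the trust rule a defender wants when logging a forwarded client address behind ELB: take the rightmost X-Forwarded-For entry that isn't one of your own load balancer addresses, since ELB appends the connecting peer to whatever the client already sent.  The 10.0.0.0/8 proxy range, the ELB address and the header values are constructed.

```python
import ipaddress

# Constructed assumption: the ELB nodes reach IIS from the VPC's private range,
# so only addresses in this range are trusted to have appended honestly to XFF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_from_xff(xff: str, remote_addr: str, trusted=TRUSTED_PROXIES) -> str:
    """Return the address the load balancer itself saw connecting.

    ELB appends the peer it accepted the connection from to the end of any
    X-Forwarded-For header it received, so the rightmost entry that is not one
    of our own proxies is the one we can rely on for the c-ip field.  Entries
    to its left arrived from the client and can say anything.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Unparseable entry: stop here rather than log attacker-chosen text.
            return remote_addr
        if not any(addr in net for net in trusted):
            return str(addr)
    return remote_addr  # every hop was one of ours; log the TCP peer


if __name__ == "__main__":
    elb = "10.0.1.5"  # constructed private address of the ELB node
    cases = {
        "honest client": "203.0.113.7",
        "client pre-filled the header": "198.51.100.9, 203.0.113.7",
        "header missing": "",
    }
    for label, header in cases.items():
        print(f"{label:30} c-ip={client_ip_from_xff(header, elb)}")
```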

NOTE: After installing this ISAPI filter I did notice a slight CPU load increase on my IIS servers, around 1-2% more.  Basically my servers average between 10% - 30% under normal load; now they average about 12% - 32%.  Not much, but noticeable, and in my opinion worth the load.