Did you Miss our vLectures that were scheduled for this week & last week? No worries!

All our vLecture sessions are recorded and available for those who have missed our FREE CCIE vLectures and for participants who want to review the vLecture sessions again. We have saved the session recordings for you. Watch our world renowned CCIE instructors explaining specific technical topic in our technology-focused classes and capture the technical knowledge needed to increase your chances of passing CCIE exam.

CCIE Security

• Instructor: Tyson Scott
• Topic: VRF Aware VPN
• Link: http://ipexpert.acrobat.com/p72556833/

CCIE Routing & Switching & CCIE Service Provider

• Instructor: Marko Milivojevic
• Topic: Frame Relay
• Link: http://ipexpert.acrobat.com/p65152326/

• Instructor: Marko Milivojevic
• Topic: Interdomain Multicast Routing
• Link: http://ipexpert.acrobat.com/p12735927/

Do not miss our vLectures scheduled for the coming weeks. If you’re an IPexpert client and wish to join these sessions, please be sure to reserve a “virtual seat” now, these have been highly anticipated and we’re quite confident that these online training seats will fill up quickly.

Have you ever wanted to attend one of IPexpert’s industry-leading CCIE classes?
Have you ever had problems really understanding a specific technical topic?

Do you want to improve your chances at pass the CCIE Lab?

Do you want to see why IPexpert’s  CCIE instructors are considered the best in the training industry?

Do you want IPexpert, the company who has trained more CCIEs in the world, to help you?

…How would you like some FREE CCIE Lab training?

IPexpert is now offering FREE online training sessions to all IPexpert clients. If you want to improve your chances at passing Cisco’s rigorous and prestigious CCIE certifications, or if you simply want to fully-understand a specific technical topic – you can’t miss our FREE Online vLectures! Several times a week, you will be able to sit in, watch and interact with the IPexpert Instructor who will be teaching technology-focused classes on a specific track and topic. If you’re an IPexpert client and wish to join these sessions, please be sure to reserve a “virtual seat” now, these have been highly anticipated and we’re quite confident that these online training seats will fill up quickly.

CCIE Security:

• Date / Time: Aug 31^st at 4 PM EST
• Instructor:  Tyson Scott
• Topic: VRF Aware VPN

• Date / Time: Sept 7^th at 2 PM EST
• Instructor:  Tyson Scott
• Topic: Troubleshooting IPset

If you’re interested in this FREE online session, click here to Schedule Now!

CCIE Routing and Switching:

• Date / Time: Sept 2^nd at 10 AM EST
• Instructor:  Marko Milivojevic
• Topic: RIP

• Date / Time: Sept 10^th at 2 PM EST
• Instructor:  Marko Milivojevic
• Topic: Routing protocol redistribution

If you’re interested in this FREE online session, click here to Schedule Now!

CCIE Service Provider:

• Date / Time: Sept 2^nd at 10 AM EST
• Instructor:  Marko Milivojevic
• Topic: RIP

• Date / Time: Sept 10^th at 2 PM EST
• Instructor:  Marko Milivojevic
• Topic: Routing protocol redistribution

If you’re interested in this FREE online session, click here to Schedule Now!

Have you ever wanted to attend one of IPexpert’s industry-leading CCIE classes?
Have you ever had problems really understanding a specific technical topic?

Do you want to improve your chances at pass the CCIE Lab?

Do you want to see why IPexpert’s  CCIE instructors are considered the best in the training industry?

Do you want IPexpert, the company who has trained more CCIEs in the world, to help you?

…How would you like some FREE CCIE Lab training?

IPexpert is now offering FREE online training sessions to all IPexpert clients. If you want to improve your chances at passing Cisco’s rigorous and prestigious CCIE certifications, or if you simply want to fully-understand a specific technical topic – you can’t miss our FREE Online vLectures! Several times a week, you will be able to sit in, watch and interact with the IPexpert Instructor who will be teaching technology-focused classes on a specific track and topic. If you’re an IPexpert client and wish to join these sessions, please be sure to reserve a “virtual seat” now, these have been highly anticipated and we’re quite confident that these online training seats will fill up quickly.

CCIE Security:

• Date / Time: Aug 31^st at 2 PM EST
• Instructor:  Tyson Scott
• Topic: VRF Aware VPN

If you’re interested in this FREE online session, click here to Schedule Now!

CCIE Routing and Switching:

• Date / Time: Aug 24^th at 10 AM EST
• Instructor:  Marko Milivojevic
• Topic: Frame Relay – From Basics to QoS

• Date / Time: Sept 2^nd at 10 AM EST
• Instructor:  Marko Milivojevic
• Topic: RIP

If you’re interested in this FREE online session, click here to Schedule Now!

CCIE Service Provider:

• Date / Time: Aug 24^th at 10 AM EST
• Instructor:  Marko Milivojevic
• Topic: Frame Relay – From Basics to QoS

• Date / Time: Sept 2^nd at 10 AM EST
• Instructor:  Marko Milivojevic
• Topic: RIP

If you’re interested in this FREE online session, click here to Schedule Now!

I remember a time when I taught a class called CIT (Cisco Internetwork Troubleshooting) and there was a wonderful rule that made all the students sweat a little more and all the instructors give that old Dr.Claw laugh (From Inspector Gadget if you have no idea what I’m talking about).  Essentially it allowed the Instructor to do things that were really mean and evil and forced the students NOT to take the easy way out.  What was that rule?  When troubleshooting you may NOT use the command Show Running-Config or any variant of it.

Some of you are thinking….wow- I would be lost.  To be honest I would be as well depending on the technology and the situation I’m in.  So I won’t burden you with that rule.  However, I would like to share a command that does’t just give you the running configuration on the ASA, rather it gives you the “real” running configuration.  What am I talking about?  Well, simply put- show run all…

That’s right!  While many of you know this deep dark secret (it’s not really a secret)  other don’t.  So there ya go!  A little tipt to put in your tip jar.

So the next time the boss says, “Man I cant remember the syntax of the default group policy on our ASA,” you can quickly respond with…

(type..type..type…)

ciscoasa# sh run all group-policy

group-policy DfltGrpPolicy internal

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

ipv6-vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

<--- More --->

“It’s DfltGrpPolicy boss.  Anything else you need before I head to lunch?”

-Regards

Brandon Carroll – CCIE #23837

Couple of months ago, I wrote an article on various convenient methods of accessing ProctorLabs CCIE rack rental devices. That article focused on Windows users. This is part two of that series, with focus on students using Mac or Linux.

The biggest challenge for Mac and Linux users is selecting good terminal program to use. There are many choices, but they all share almost the same difficulty – lack of consistency in supporting “bookmarks”, or in some cases, even the basic lack of support for tabs.

With this in mind, we looked into what these platforms had in common and we found one thing. By default, they all support CLI access to terminal, regardless of which application is in use. Many power users are quite happy to use command line to access our rack rental anyway. Capitalizing on that and making that single task is the approach we took. Before I examine that in more detail, here is something very nice for our Mac users.

SecureCrt for Mac

SecureCRT beta is now available for download from the manufacturer, VanDyke. We tested our bookmark set with Mac version and it works flawlessly! Good job, VanDyke.

You can download SecureCRT bookmarks from here: ProctorLabs-SecureCRT.zip

IPexpert’s PodConnect

IPexpert’s approach to remote Pod access from Mac and Linux is quite simple. When you are in your CLI, simply type the command “PodConnect.pl r1″ and you will be connected to the R1 on the ProctorLabs pod you choose as default. If you specified your username and password, PodConnect will log you in. You are now ready to work. Take a look at the example session I use:

Mac ~> PodConnect.pl r2
Trying 74.126.20.111...
Won't send login name and/or authentication information.
Connected to pod111ts1.proctorlabs.com.
Escape character is '^]'.

         ****PROCTOR LABS, INC. SECURE ONLINE RACK SYSTEM****
      WELCOME to Proctor Labs, Inc. CCIE preparation vRack.

    WARNING:  This system is for the use of authorized clients only.
          Unauthorized access is a violation of federal, state,
                        civil and criminal laws.

http://www.ProctorLabs.com

User Access Verification

Username: myusername
Password: 

            You are on line number: 2

R2#

That’s all I have to do. Regardless of the terminal emulator program I use, it will work. Here’s how you install it.

• Make sure you have Perl installed.
• Make sure you have Expect and Perl Expect module installed.
• Download the PodConnect.zip file.
• Unzip the file into the folder in your path. Personally, I use $HOME/bin for this
• Make the file executable: chmod 700 PodConnect.pl
• Try it out!

If you run PodConnect.pl, you will probably notice error message telling you that you need to specify the Pod. You can do that after the device name. For example, running “PodConnect.pl r1 111″, will connect you to the R1 on Pod #111. You can set the default pod by setting “PL_POD” environment variable.

Once you run the Pod, if environment variable PL_USERNAME and PL_PASSWORD are set, PodConnect.pl will attempt to automatically log you in using those credentials. If those variables are not set, you will need to log-in manually.

To make things even quicker, here are couple of tricks you can do. Add the following lines to your $HOME/.profile:

alias c="$HOME/bin/PodConnect.pl"
export PL_POD="111"
export PL_USERNAME="myusername"
export PL_PASSWORD="mypassword"

Next time you open the terminal, you should be able to connect to ProctorLabs devices in your pod by simply typing “c device”, like this:

Mac ~> c r2
Trying 74.126.20.111...
Won't send login name and/or authentication information.
Connected to pod111ts1.proctorlabs.com.
Escape character is '^]'.

         ****PROCTOR LABS, INC. SECURE ONLINE RACK SYSTEM****
      WELCOME to Proctor Labs, Inc. CCIE preparation vRack.

    WARNING:  This system is for the use of authorized clients only.
          Unauthorized access is a violation of federal, state,
                        civil and criminal laws.

http://www.ProctorLabs.com

Username: myusername
Password: 

            You are on line number: 2

R2#

NOTE: If you store your password in .profile, make sure the file is readable only by your user account. The best way to ensure this is to set permissions to 600 on it (chmod 600 ~/.profile).

Enjoy your studies!

–
Marko Milivojevic – CCIE #18427
Senior Technical Instructor – IPexpert
Join our Online Study List

Have you ever wanted to attend one of IPexpert’s industry-leading CCIE classes?
Have you ever had problems really understanding a specific technical topic?

Do you want to improve your chances at pass the CCIE Lab?

Do you want to see why IPexpert’s  CCIE instructors are considered the best in the training industry?

Do you want IPexpert, the company who has trained more CCIEs in the world, to help you?

…How would you like some FREE CCIE Lab training?

IPexpert is now offering FREE online training sessions to all IPexpert clients. If you want to improve your chances at passing Cisco’s rigorous and prestigious CCIE certifications, or if you simply want to fully-understand a specific technical topic – you can’t miss our FREE Online vLectures! Several times a week, you will be able to sit in, watch and interact with the IPexpert Instructor who will be teaching technology-focused classes on a specific track and topic. If you’re an IPexpert client and wish to join these sessions, please be sure to reserve a “virtual seat” now, these have been highly anticipated and we’re quite confident that these online training seats will fill up quickly.

CCIE Security:

• Date / Time: Aug 10^th at 10 AM EST
• Instructor:  Tyson Scott
• Topic: DMVPN

If you’re interested in this FREE online session, click here to Schedule Now!

CCIE Voice:

• Date / Time: Aug 12^th at 1 PM EST
• Instructor:  Vik Mahli
• Topic: Cube

• Date / Time: Aug 17^th at 4 PM EST
• Instructor:  Amy Ryan
• Topic: Unity Connections Integrations

If you’re interested in this FREE online session, click here to Schedule Now!

CCIE Routing and Switching:

• Date / Time: Aug 19^th at 10 AM EST
• Instructor:  Marko Milivojevic
• Topic: Interdomain Multicast Routing

If you’re interested in this FREE online session, click here to Schedule Now!

CCIE Service Provider:

• Date / Time: Aug 19^th at 10 AM EST
• Instructor:  Marko Milivojevic
• Topic: Interdomain Multicast Routing

If you’re interested in this FREE online session, click here to Schedule Now!

Did you Miss our vLectures that were scheduled for this week & last week? No worries!

All our vLecture sessions are recorded and available for those who have missed our FREE vLecture and for participants who want to review the vLectures sessions again. We have saved the session recordings for you. Watch our world renowned CCIE instructors explaining specific technical topic in our technology-focused classes and capture the technical knowledge needed to increase your chances of passing CCIE exam.

CCIE Security

• Instructor: Tyson Scott
• Topic: ASA & IOS based NAT
• Link: http://ipexpert.acrobat.com/p92268115/

Do not miss our vLectures scheduled for the coming weeks. If you’re an IPexpert client and wish to join these sessions, please be sure to reserve a “virtual seat” now, these have been highly anticipated and we’re quite confident that these online training seats will fill up quickly.

Have you ever wanted to attend one of IPexpert’s industry-leading CCIE classes?
Have you ever had problems really understanding a specific technical topic?

Do you want to improve your chances at pass the CCIE Lab?

Do you want to see why IPexpert’s  CCIE instructors are considered the best in the training industry?

Do you want IPexpert, the company who has trained more CCIEs in the world, to help you?

…How would you like some FREE CCIE Lab training?

IPexpert is now offering FREE online training sessions to all IPexpert clients. If you want to improve your chances at passing Cisco’s rigorous and prestigious CCIE certifications, or if you simply want to fully-understand a specific technical topic – you can’t miss our FREE Online vLectures! Several times a week, you will be able to sit in, watch and interact with the IPexpert Instructor who will be teaching technology-focused classes on a specific track and topic. If you’re an IPexpert client and wish to join these sessions, please be sure to reserve a “virtual seat” now, these have been highly anticipated and we’re quite confident that these online training seats will fill up quickly.

CCIE Security:

• Date / Time: Aug 8^th at 10 AM EST
• Instructor:  Tyson Scott
• Topic: DMVPN

If you’re interested in this FREE online session, click here to Schedule Now!

CCIE Voice:

• Date / Time: Aug 12th at 1 PM EST
• Instructor:  Vik Mahli
• Topic: Cube

If you’re interested in this FREE online session, click here to Schedule Now!

We’re pleased to announce the launch of a service that’s been requested for years, a CCIE job / recruiting service. In the past we’ve attempted to partner with various firms, but in the end – it just didn’t work. So – if you’re a CCIE (or even a CCVP or CCNP) and you’re seeking a new job or interested in hearing about new career opportunities – or, if you’re on the opposite end of the spectrum and you’re the company, organization (or even another recruiting firm) looking for the ideal high-end CCIE for a job opening you have – I encourage you to visit Platinum Placement Services. You can also follow their Facebook, Twitter and LinkedIn social initiatives where various CCIE jobs will be posted periodically.

- Wayne

This post will provide a brief overview of a seldom referred to part of the ASA, the Accelerated Security Path (ASP). As we know the ASA’s Adaptive Security Algorithm is responsible for inspecting all traffic that traverses the ASA, and based on its configured security policies will either permit or deny the traffic.

As a new connection enters the ASA it is processed using the Session Management Path.

Part of the Session Management Path’s processing is to inspect and create the relevant entry in the ASA’s state/connection table, if a policies exists allowing the traffic.

Generally any further packets received for these established connections, does not require further inspection and are subsequently handled by the Fast Path. Although, there may be certain packets that would continue to use the session management path or be passed to the control plane path, such as flows requiring HTTP inspection, FTP or H.232 etc.

This is akin to Process switching and CEF switching in IOS Routers.

The Session Management Path and Fast Path combined are what make up the Accelerated Security Path.

ASP can come in handy when we want to troubleshoot traffic flows through the ASA. This is done via a suite of ASP show commands, and can also be incorporated into packet captures, using a capture type of asp-drop.

With ASP debugging we can drill down into the output to see what functions or methods are responsible for dropping the traffic on the ASA. There are two set of commands available to us, both of which have a substantial amount of optional keywords; these are, ‘show asp drop’ and show asp table’.

Starting with ‘show asp drop’ will give us a summary of packets or connections that have been denied by ASP providing an associated reason and hits on each. As we can see from the output below it is split into 2 sections; Frame Drop – which is based on packet failures; and Flow Drop – based on inspected traffic flow failures.

It gives us a brief breakdown of denies based on malformed TCP sessions, Reverse Path Forwarding violations, or simply denies based on ACL entries etc.

ASA# show asp drop
Frame drop:
Reverse-path verify failed (rpf-violated)                                 1432
Flow is denied by configured rule (acl-drop)                         100495787
First TCP packet not SYN (tcp-not-syn)                                    2234
TCP failed 3 way handshake (tcp-3whs-failed)                                20
TCP packet SEQ past window (tcp-seq-past-win)                               28
TCP replicated flow pak drop (tcp-fo-drop)                                   8
TCP RST/SYN in window (tcp-rst-syn-in-win)                                   2
TCP packet failed PAWS test (tcp-paws-fail)                                  3
Slowpath security checks failed (sp-security-failed)                         1
Expired flow (flow-expired)                                                  2
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          6
FP L2 rule drop (l2_acl)                                               7911378
Interface is down (interface-down)                                        1143
Dropped pending packets in a closed socket (np-socket-closed)               19
Last clearing: Never
Flow drop:
Inspection failure (inspect-fail)                                            2
Last clearing: Never

You can also further drill into more specific output using optional keywords, based on either frame or flow drop, such as “show asp drop frame ifc-classify” – when in virtual firewall mode shows counts for packets that failed to be classified to context; or “show asp drop flow conn-limit-exceeded” – increments when the value applied to set connection conn-max is breached.

These are just a couple of the vast amount of options available for use. Check out the ASA Command Reference document for a full listing.

A key point with the ASP drop output is when running in Multi Context Mode, the information provided is a summary for all of the virtual contexts not just the context you are currently logged into.

The other side of ASP is the “show asp table” commands. These are typically used by TAC, so contain a great deal of info on a production appliance. These tables are primarily used for debugging, so the output is prone to regular changes.

Below are the asp tables available:

ASA# show asp table ?
arp
classify    Show ASP classifier tables
interfaces  Show ASP interfaces tables
routing     Show ASP route tables
socket      Show ASP socket info

The “show asp table arp” for instance can be used to check that traffic is flowing to/from a specific host/s based on an incrementing hit count. It is important to remember that this is dynamic real time output though and will be subject to resetting.

ASA# sh asp table arp
Context: LEFT, Interface: Inside
10.1.1.66                            Active   0050.56a5.35b9 hits 15
10.1.1.65                            Active   0050.56a5.7d06 hits 0

The “show asp table routing” can give us further info into how specific nets are routed. This is provided based on two tables; an input routing table and an output routing table, each showing the routable nets and their associated interfaces.

ASA# sh asp table routing
in   	10.1.1.64   	255.255.255.192	Inside
out  	10.1.1.64   	255.255.255.192	Inside
in 	0.0.0.0		0.0.0.0			Outside
out 	0.0.0.0		0.0.0.0			via 10.1.1.254, Outside

And to finish off a quick look at the classify table. This table consists of multiple classifier domains which correspond to a specific rule action within the ASA, I.e. Inspection rules, filtering rules nat rules etc. Again check out the command reference for a list of the options.

Below is an example showing SMTP traffic is being inspected and allowed to the inside interface:

ASA# sh asp table classify domain inspect-smtp
Interface Inside:
in  id=0x1d43bbf0, priority=70, domain=inspect-smtp, deny=false
hits=89, user_data=0x1d1a18f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0

The documentation for ASP is minimal, the best way forward with this is get your head into the output and retain what you feel is useful.

So the next time your caught in a troubleshooting exercise check out the ASP output and see whether combining this with your debug, captures and logs, can assist in resolving your issues!!

–
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.ipexpert.com