Is it still worth getting a CCIE?
I’ve been thinking a lot lately about if I still want to pursue a CCIE. If so, which one? There are so many to choose from. Today I spoke to a wise, senior associate of mine and asked him about this question of mine. His advice was invaluable. His suggestion was to study for a CCIE in a speciality that interests you. Why? Because you need some really good motivation to keep working towards it on a constant basis. Excellent advice!
Although I have my CCNP in routing and switching, the CCIE that really interests me is CCIE Data Center. This is because it it contains many of the things that interest me and that I already work with on a day to day basis:
- storage
- switching
- routing
- virtualization
- security
Anyhow, I need to do more research about what the best way is to prepare for taking the CCIE written exam for datacenter. If you have any suggestions, please post them as comments to this article.
Speaking of articles, I also ran across this great one regarding whether or not it’s still worth trying to get the CCIE. If you read the article, make sure you take time to read the comments too. There’s some really good stuff there.
TFTP new software onto ASA from a TFTP server on other side of VPN tunnel.
If you need to TFTP new software (or any other file for that fact) onto a ASA from a TFTP server that is on the other side of a VPN tunnel, you will need to specify the source interface for the TFTP client to use.
The easiest way to do this, is to specify it inline with the copy command:
copy tftp://192.168.1.30/ASA/asa842-k8.bin;int=INSIDE-management disk0:/asa842-k8.bin
Where, 192.168.1.30 is the IP of the TFTP server. INSIDE-management should be replaced with whatever interface you want to use as source.
Ping inside interface of ASA accross a VPN tunnel.
Do you need to ping the inside interface of a ASA across a VPN tunnel?
Maybe you need to do this for monitoring purposes, or whatever.
Allow access of ICMP to the inside interface:
icmp permit host 192.168.1.10 inside
Monitoring station —> 192.168.1.10
Inside interface —> inside
Notes on ASA 8.3 NAT
Cisco ASA 8.3 has introduced major changes in how NAT is configured and operates.
This video is a excellent resource for a basic introduction to NAT on ASA 8.3 software:
https://supportforums.cisco.com/docs/DOC-12324
Here are some quick notes that I have gathered for my reference. Feel free to post any additional comments and notes you may have to share:
COMMANDS
show run objects
(Displays network and service objects that are in the running confg)
show run object id
(Displays a specific object)
show run nat
(Displays running config NAT configurations)
show nat
(Displays NAT policies and counters)
Use packet-tracer for testing NAT (and other things)
packet-tracer input inside tcp 10.0.0.40 4444 198.133.219.25 80
- Configure Auto-NAT:
object network inside subnet 192.168.1.0 255.255.255.0 nat (inside,outside) dynamic interface
Note: This will configure PAT onto the outside interface for the inside subnet, while at the same time configuring the network object for the inside subnet.
-
Configure Twice(manual) NAT:
nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com
Note: You must first define the network objects for the source and destination before configuring manual NAT. In this example, the source IP address of the inside host is translated to “translated-ip” only when the dynamic host is sending a packet that is destined to “cisco-dot-com”. cisco-dot-com is entered twice because we are not translating the destination. If we wanted to translate the destination, we would do it here.
-
Exempt subnets from NAT because of VPN tunnel:
nat (inside,outside) static inside-net inside-net destination static vpn-subnets vpn-subnets
This statement will catch traffic on the inside trying to go to the outside. Traffic that matches the source and destination is operated on but no change is made.
- General Notes:
ASA 8.3 has two types of NAT: Auto-NAT and Twice (manual) NAT. You can use Auto-NAT for most NAT/PAT operations, except for ones that need to make a decision based upon the destination address of a packet.
With ASA 8.3, a new change called “Real IP” was introduced. Real IP means that NAT translation happens BEFORE a ACL is checked. Therefore ACLs must contain the real IP address of the host that the inbound packet is headed towards. In other words, do not write the ACL to match on the “mapped” IP address. The real IP address is normally a non-routable IP address.
Access console port on a Cisco Aironet 1200 Series
You need the following serial settings to access the console port on a Cisco Aitonet 1200 Series AP.
9600 baud
8N1
Hardware Flow Control = OFF
Software Flow Control = OFF
Tip:
If you can see output from the console, but your keystrokes are ignored; check the flow control settings.
Can’t SSH into ASA?
Something strange happened today when I went to SSH into my ASA cluster.
Upon running ssh I got this error message:
ssh_exchange_identification: Connection closed by remote host
I started Google searching for information on this error message and found some people writing that the error could be resolved by making some changes on the client. If you view the log on the ASA, you will see a error message that states:
Fail to establish SSH session because RSA host key retrieval failed.
This indicates that the problem is not with the client at all. Rather, the problem is with the server end, in this case, the ASA. The issues is that the ASA does not have a RSA host key.
Resolve this issue by running these commands below in the CLI. Remember that you can still run CLI commands from the ASDM. Launch the ASDM. Click on Tools. Click on Command Line Interface. Click on Multiple Line.
Commands to run:
conf t crypto key generate rsa modulus 2048 wr mem
Now you should be able to log in just fine.
See this link for more information on SSH configuration on the ASA:
Axelilly's Ponderings 