
Thursday, October 27, 2011

ASA 5500 SSL VPN Add Licenses to ASA

I recently had to set up some of my mobile Mac clients with the Cisco AnyConnect VPN Client for Mac.  Since the ASA only includes 2 SSL VPN licenses, and those are what the AnyConnect VPN Client consumes, I had to purchase additional licenses.  I purchased them through a reseller, and a couple of days later they sent me a PDF listing the product (L-ASA-SSL-10= ASA 5500 SSL VPN 10 Premium User License) and a Product Authorization Key (PAK).

First, go to the Cisco Product Registration Page and log in with your TAC credentials.  In the Product Authorization Key (PAK) field enter the Product Authorization Key from your PDF, then click Submit.

Next, follow the prompts and agree to their end user license agreement.  You will have to provide the ASA's serial number, which can be obtained from the chassis or via show version from the CLI (the CLI is probably the best method, since you can copy the S/N from the output and paste it into the authorization screen).

Now wait.

After submitting the required information and verifying other info you'll see the following message indicating that you'll have to wait up to one hour to receive an email with the activation key.  You'd think Cisco would be able to provide this info right away.  Guess not.

You'll be presented with the following helpful message to read while you wait...
Your license and user information will be sent via email within 1 hour to the email address you specified. If you have not received an email within 1 hour, please open a Service Request using the TAC Service Request Tool. Please have your valid Cisco.com user Id and password available. As an alternative, you may also call our main Technical Assistance Center at 800-553-2447.
Please be sure to check your Junk/Spam email folders for this email from licensing@cisco.com with your license key attached.
Fortunately, only a few minutes later I received the email with the ASA activation key (which is 77 characters long) and the following instructions.

Installing Your Cisco Adaptive Security Appliance Activation Key
Step 1.  From the command line interface (CLI), enter configuration mode using the "conf t" command.
Step 2.  Type the "activation-key" command, and then, when prompted, enter the new activation key listed above.
Which I promptly followed.  Now I have 10 licenses with which to connect my clients.  This, by the way, is a bit of a disappointment, as I already had two.  I would have hoped Cisco would have preserved the two gratis WebVPN licenses and added my 10 new ones.  No such luck.  Keep in mind that an ASA activation key encodes the complete set of licensed features and replaces the previous key rather than adding to it, so after installing a new key check the licensed feature counts in show version to confirm you got what you paid for.

Friday, October 21, 2011

Cisco AnyConnect VPN Client for Mac

Recently some of our mobile users needed to connect to one of our networks that's protected by a pair of Cisco ASA firewalls.  It was no problem for the Windows users, as I already had what I needed in place; however, it was a different story for our Mac users.  Since it had been a while since I set up the ASA for AnyConnect for Windows, I'd forgotten everything that was needed, so I ran into a little trouble.

First, I downloaded the latest AnyConnect VPN client for Mac from Cisco (anyconnect-macosx-i386-2.5.3055-k9.dmg at the time of this writing) and installed it on a MacBook Pro.

Notes:
  • Of course, you'll have to have a valid SmartNet agreement and account with Cisco to access these files.
  • And, since the legacy Cisco VPN Client only runs on 32-bit Macs, AnyConnect is the only option for 64-bit Macs.
With the AnyConnect VPN Client installed on the Mac I launched it and tried to connect to my ASA.  Here's when I ran into my first problem, receiving the message, "The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."


After a little research I realized I needed to upload the accompanying package (.pkg) file to the ASA.  So I headed back to Cisco to download the package file (anyconnect-macosx-i386-2.5.3055-k9.pkg; it must match the version of the AnyConnect VPN Client installed on the Mac).

With that in hand I copied it to the ASA via TFTP, after, of course, dusting off my (FREE!) SolarWinds TFTP Server, which I hadn't used for quite some time.  Here's the ASA command to copy the file from the terminal:
copy tftp:anyconnect-macosx-i386-2.5.3055-k9.pkg disk0:
Of course you'll have to provide the name/IP address of your TFTP server, which will conveniently be asked.

With that in place I tried again to connect.  However, I had the same problem, again receiving the message, "The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."  WTF?

Oh, yeah, I had to register the Mac AnyConnect package with the ASA software.  Since I already have the Windows AnyConnect package registered as #1, and since most who connect to my ASA are Windows clients, I left that in the first position and registered the Mac package second with the following commands:
config terminal
webvpn
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
Then, by running show webvpn svc, I can see that both the Windows and Mac AnyConnect packages are registered with my ASA.


And I can successfully connect my Mac clients.  Booyah!!!

Need help adding SSL VPN licenses to your ASA 5500?

Monday, October 10, 2011

Expanding a Virtual Disk on a Dell MD 3000i SAN - How To

If you're like me you don't allocate all disks to a SAN out of the gate.  I like to keep a little in reserve so I can add capacity when needed.  Then, once all the disks are added, I'll usually pick up a couple more disks and keep those in reserve.  In either case, once it comes time to add capacity to a virtual disk on a Dell MD 3000i SAN it can be a little tricky.

This will be accomplished in two steps.  First add the capacity of one or more physical disks to a disk group.  Next expand the virtual disk.  The first step is rather easy and done through the Modular Disk Storage Manager utility.  Step two is a little tricky as it uses the Dell smcli command line utility.

Step 1 - add one or more drives to a Disk Group
  • Open the Dell Modular Disk Storage Manager utility
  • Click the Modify tab
  • Under the Storage subsection click Add Free Capacity (Physical Disks)
  • Select your disk group, click next
  • Select the capacity/number of disks, click finish
Now if you go back to the Summary tab and click Disk Groups & Virtual Disks you can see that you have free space available.


NOTE: This step can take some time to complete. Depending on the size and type of RAID you are running, it may take several hours or more (even days!) to complete. It will not take the disk group down, but may slow things a bit.  Also, this MUST complete before you can perform the next step!  If you jump the gun and run step two prematurely you'll receive the message, "Error 11 - The operation cannot complete because a virtual disk is performing a modification operation..."




Step 2- Expanding a Virtual Disk
  • Decide how much space to add in Bytes.  You could use a calculator such as this or this bit calculator.
  • On the computer running Dell Modular Disk Storage Manager, open a command prompt.
  • Navigate to Program Files\Dell\MD Storage Manager\client OR Program Files (x86)\Dell\MD Storage Manager\client if you are on a 64 bit machine.
  • Use the smcli command to expand the disk. Examples below.
smcli Syntax: smcli -n ArrayName -c "set virtualDisk [\"virtualDiskName\"] addCapacity=bytesToAdd;"
The virtual disk name is quoted inside the square brackets, and those inner quotes must be escaped with a backslash because the whole -c argument is already a quoted string.

Example smcli command - assumes the following:
  • MD3000i named SAN1
  • Virtual Disk named Data1
  • Want to add 500GB to the virtual disk (500 × 1024 × 1024 × 1024 = 536870912000 bytes)
smcli -n SAN1 -c "set virtualdisk [\"Data1\"] addCapacity=536870912000;"
While this expands the capacity of the SAN virtual disk, the operating system may not automatically recognize it.  On Windows Server 2008 perform the following:
  • Open Server Manager
  • Go to Storage, Disk Management
  • If the disk still shows its old size, choose Action, Rescan Disks so Windows picks up the new capacity
  • Right-click the desired Windows volume and select Extend Volume...
  • Follow the prompts in the Extend Volume Wizard

Thursday, October 6, 2011

Cisco ASA ASDM Install and Download

A few months ago I got a new work computer.  Since it was a good opportunity to start fresh, I didn't transfer all the programs from my old one to the new.  One of the programs I neglected to transfer was ASDM.  I wasn't too worried about it since I often manage my ASA firewalls via the terminal using PuTTY.  But I had a need for ASDM recently, so I downloaded it and ran it from my computer, but to my chagrin I received the message, "Unable to launch device manager from..."  Crap!

I couldn't remember exactly how to download ASDM from my ASA, and it took me a bit to figure out.  Since I wanted to upgrade to the latest anyway, I thought I'd write myself a reminder here so in a year or two when I get a new computer I don't have to go through this same trouble again.  I hope others find it useful as well.

First, download the latest ASDM bin file from Cisco (you'll have to have a valid SmartNet contract to access the downloads section).  At the time of this writing the latest version is asdm-645.bin.

With that downloaded, use something like TFTP to copy the file to the ASA.  The copy is run from privileged EXEC mode (no config terminal needed):
copy tftp: disk0:/asdm-645.bin
Next, register the ASDM image with the ASA in configuration mode, then save the configuration so the setting survives a reload.
config terminal
asdm image flash:asdm-645.bin
NOTE: the ASDM version needs to be compatible with the ASA software version running on the ASA (check the ASDM release notes).  On the ASA 5500, flash: and disk0: refer to the same flash.

Finally, access the ASA's admin interface at https://<LAN_interface_IP>/admin.  NOTE: this has to be on the LAN interface, either from a computer inside the ASA, or, for an external computer, connect via VPN and then access the ASA's LAN interface.  The ASA only answers HTTPS on the interfaces and from the source networks permitted in its http configuration, so keep that list limited to management hosts.


Click the link, "Install ASDM Launcher and Run ASDM."  Follow the steps to install and connect to your ASA.

Wednesday, October 5, 2011

Steve Jobs 1955-2011

I'm no fan of Apple, but as a techie I have a profound respect for Steve Jobs and everything he's done for my industry, for computing in general and for consumer electronics.  Well done Steve!


Monday, October 3, 2011

Amazon ELB & IIS - Capturing Client IP Address

I've been using Amazon EC2's Elastic Load Balancer (ELB) for a couple of years now to load balance web applications, and for the most part it's been great.  The one drawback I've run into is that IIS logs the load balancer's private IP address as the c-ip address, rather than the client's actual IP address.  Essentially the ELB acts like a NAT device.  This can be a problem when trying to troubleshoot requests to your IIS sites.  And it's just plain annoying.

So I finally did a little digging on this and found a simple and elegant solution: have IIS log the IP address from the X-Forwarded-For request header, which ELB populates with the client's address when it forwards the request to IIS.  One caveat: X-Forwarded-For is an ordinary request header that any client can send, and ELB appends the connecting address to whatever the client already supplied rather than replacing it, so the trustworthy value is the entry the ELB added at the end of the list, not the first one.

Start by downloading the IIS X-Forwarded-For ISAPI Filter from F5 (click here for more information) and extracting the files.  There's a lot here, including source code, but all you need is the appropriate F5XForwardedFor.dll, either x86 (32 bit) or x64 (64 bit).  To make it easy I copied mine to the root of C:\inetpub, i.e. C:\inetpub\F5XForwardedFor2008\x64.

Next, open IIS Manager, highlighting the server name in the Connections pane.  In the <servername> Home pane double-click ISAPI Filters.  Then in the Actions pane (upper-right corner) select Add.  Give the filter a name (I used Xforward) and specify the exact location of the Executable (F5XForwardedFor.dll).

NOTE: by adding this at the server level it will apply to all sites on the server.


Click OK and you're done.  Now, sit back, relax and wait for your server logs to accumulate.  Here's a view of an IIS log after enabling the F5XForwardedFor ISAPI filter.


NOTE: After installing this ISAPI filter I did notice a slight CPU load increase on my IIS servers, around 1-2% more.  Basically my servers average between 10% - 30% under normal load; now they average about 12% - 32%.  Not much, but noticeable, and in my opinion worth it.
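Because X-Forwarded-For is a header the client can set, and the ELB appends the connecting address instead of replacing the header, the value worth logging is the entry the ELB added, not the first one. The following Python is an added example, not part of the original post and not the F5 filter's code, of that selection logic: it ignores the header entirely when the request did not arrive from a trusted proxy, takes the rightmost entry the trusted tier added, and falls back to the TCP peer on a malformed value. The proxy network (10.0.0.0/8), the hop count and the sample requests are assumptions constructed for the example.

```python
import ipaddress

# Added example, not code from the original post or from the F5 filter.
# Assumptions (constructed for this example): IIS sits behind one trusted
# proxy tier (the ELB), whose nodes connect from the private range below.
# Adjust TRUSTED_PROXY_NETS and TRUSTED_HOPS for your own deployment.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_HOPS = 1


def naive_first_entry(xff_header):
    """What a careless filter does: take the first X-Forwarded-For entry.

    The first entry is whatever the client chose to send, so an attacker can
    put any address there and it lands in the IIS log as c-ip.
    """
    return xff_header.split(",")[0].strip()


def client_ip(remote_addr, xff_header,
              trusted_nets=TRUSTED_PROXY_NETS, trusted_hops=TRUSTED_HOPS):
    """Return the address that should be logged as the client.

    remote_addr is the TCP peer IIS actually sees (an ELB node, or a client
    that reached the server directly). xff_header is the raw X-Forwarded-For
    value, or None when absent. ELB appends the address of the host that
    connected to it, so with one trusted hop the last entry is the only one
    the client could not forge.
    """
    peer = ipaddress.ip_address(remote_addr)
    # A connection that did not come from a trusted proxy bypassed the ELB;
    # its X-Forwarded-For header is attacker-controlled and must be ignored.
    if not any(peer in net for net in trusted_nets):
        return str(peer)
    if not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        return str(peer)
    # Count back over the entries added by trusted proxies. With N trusted
    # hops the last N-1 entries are proxies; the entry before them is what
    # the outermost trusted proxy saw as its peer, i.e. the real client.
    idx = max(0, len(hops) - trusted_hops)
    try:
        return str(ipaddress.ip_address(hops[idx]))
    except ValueError:
        # Malformed entry: log the peer rather than attacker-supplied text.
        return str(peer)


# Constructed sample requests: (peer seen by IIS, X-Forwarded-For value, note)
SAMPLE_REQUESTS = [
    ("10.0.1.25", "198.51.100.7", "normal request through the ELB"),
    ("10.0.1.25", "127.0.0.1, 198.51.100.7", "client forged an entry; ELB appended the real one"),
    ("10.0.1.25", None, "no header (e.g. ELB health check)"),
    ("203.0.113.9", "127.0.0.1", "direct hit on IIS bypassing the ELB"),
    ("10.0.1.25", "not-an-ip", "garbage header"),
]


def resolve_samples(requests=SAMPLE_REQUESTS):
    """Return [(note, logged_ip)] for every constructed request."""
    return [(note, client_ip(peer, xff)) for peer, xff, note in requests]


if __name__ == "__main__":
    for note, ip in resolve_samples():
        print(f"{ip:>15}  {note}")
```

Run it as a script to see the five constructed requests resolved. The forged request in the second sample is the case that matters: naive_first_entry would log 127.0.0.1, while client_ip logs the 198.51.100.7 that the ELB appended. If you put a second trusted proxy in front of the ELB, raise trusted_hops to 2 and add its address range to TRUSTED_PROXY_NETS; nothing else changes.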

Thursday, August 11, 2011

Copying an EBS-backed Windows 2008 AMI Between AWS Regions - How-to

Unfortunately Amazon doesn't have an easy or native way to copy, move or launch an AWS AMI from one region to another.  There are a number of posts on the Internet about how to do this with a Linux AMI, but I haven't been able to find clear instructions on how to do this for a Windows AMI.  So, here we go...

The basic steps involve starting a temporary Windows instance in each of the two regions, say us-east-1 and us-west-1; attaching the EBS boot volume to the server in the "source" region; making an image or zip file of the volume; copying the volume to the temporary server in the "destination" region; extracting the file to a new volume; finally, attaching that volume to a server.

Notes:
  • This will take a while (several hours), particularly if your AMI is large.
  • Clean up the boot volume of the image you want to copy to another region by deleting any unnecessary files, such as temporary files, etc. as it will reduce the overall time this process takes.
  1. Launch a temporary Windows instance in the “source” region and another one in the “target” region. (You may not have to launch temporary servers if you have one available in each that can handle the load of compressing a large volume which can be quite CPU intensive.  Additionally you need to have enough available disk space for the compressed volume to be stored temporarily.)
  2. Determine the snapshot for the boot volume you want to migrate (you must own the AMI) using the command ec2-describe-images.


  3. Create a new EBS volume from that snapshot in the same zone as your origin server.  This can be done many ways, but here's how to do it from the command line using the AWS tools:
    ec2-create-volume --snapshot <snap ID> -z us-east-1c
  4. Attach that volume to your temporary server instance as, say, “xvdg”:
    ec2-attach-volume <volumeID> -i <instanceId> -d xvdg
     NOTE: You will be able to browse the contents of the volume in Windows Explorer.

  5. Connect to your temporary source server with RDP.
  6. Zip the entire contents of the newly attached volume.  NOTE: I used 7zip and sent the zipped file to another volume on the temporary source server in 1GB chunks (this makes it easier and quicker to transfer to the destination server; in particular you can begin copying the chunks soon as each is finished rather than waiting for one large file.)
  7. Copy that zipped file (or files) to your instance in the “target” region.  This could be done by a variety of methods.  I chose to copy my 1GB chunks to an Amazon S3 bucket, then I could easily download those onto the destination server.  Remember that the archive is the entire system disk, including local account password hashes and any stored credentials, so keep the bucket private and delete the objects once the copy is finished.

    In the target region:

  8. Create an EBS volume of appropriate size (30GB for Windows 2008 by default) and attach it to your temporary destination server.
  9. Unzip the file to the new volume.  Again, I used 7zip.
  10. Detach the volume.

    Now, for the Windows specific stuff….

  11. Launch a basic Windows 2008 instance of the right architecture (32 or 64 bit).
  12. Soon as the instance is “running” (see Pinging Amazon EC2 Instances to determine exactly when your instance is available) stop it and wait for its state to become “stopped”.
  13. Once it stops, detach its “/dev/sda1” volume and delete it using ec2 commands:
    ec2-detach-volume <the_volumeID_of_sda1> -i <new_windows_instance>
    ec2-delete-volume <the_volumeID_of_sda1>

  14. Now attach the new volume (from steps 8-10) to the stopped Windows instance as ‘/dev/sda1’:
    ec2-attach-volume <vol_id> -i <windows_instance_id> -d /dev/sda1
  15. Start the instance to make sure it boots, and connect to it with RDP.
  16. When you’re satisfied that it boots and is set up the way you desire, stop the instance using ec2-stop-instances <instanceID>.
  17. Finally, create an AMI from that server by running ec2-create-image <instanceID> --name <AMI name>.
That's it.  Now you have an AMI in a different AWS region that is a copy of the one from your initial region.

How Can I Improve My Web Site's Search Results Ranking?

Tonight my friend contacted me and asked how she could get her store's new website to show up in search results.  While I don't claim to be an expert I do have a little experience with web sites, ecommerce, blogging and SEO (search engine optimization).  Here's a list of what I told her just shooting from the hip.

I told her it's definitely a multi-faceted approach.  First, her site looks good, is easy to navigate and has relevant information.  Without a decent place to start none of the rest of this will matter.
  1. Start with a good site with good, relevant content.
  2. Be patient. It takes time to rise to the top, or even to rise at all.
  3. Get visitors. The more traffic your site gets naturally (sometimes called type-in traffic) the better it will rank in search results. Give the URL to all your customers. Print it on their receipt, on the merchandise bags, put a flyer in their bag. Put your sites address up in your stores. Outside the stores. Basically anywhere you can. Get your existing customers to go to the site.
  4. Add content (merchandise and info) to your site as often as possible.  Keep the site fresh. Use the island names (or your location) in product descriptions if/when possible. Basically you want the search words people would use to find what you offer throughout your site as much as possible.
  5. Have your own blog and use it to make announcements about new products, etc.  This helps fulfill the previous suggestion. And post to it regularly. Again using key words.  And make sure it links back to your store.
  6. Inbound links are invaluable, particularly from higher traffic sites. Post the link on facebook, twitter or anywhere you can. Try to get written up and linked in your local paper, citysearch, kudzu, places like that. Trade links with other sites where it makes sense, etc. Inbound links are the holy grail of high-ranking search results, and ultimately more site traffic.
  7. Work your networks, get people going there, linking to it etc.
  8. Use site analytics.  Make sure to enable some kind of site analytics (either from your hosting provider or Google Analytics or other) so you can monitor activity to your site over time; and track key words people used to find your site; and where they came from (search engines, inbound links, etc.).
  9. While it's harder and harder these days to get good domain names it really helps if the site name is something that makes sense, is easy to remember.  It is also really important for it to match the name of your business.
Again, be patient.  It takes time to build traffic, especially search traffic and to get ranked higher in search results. While no one knows exactly the algorithms that Google and other search engines use it is no doubt a combination of the things listed above (and certainly more).  Build your traffic organically using the customers already interacting with you.  Make sure your site is easy to navigate, looks good and has lots of content, particularly the key words you believe people might use to find products or services you offer.

If you're ever in the Charleston, SC area go to Islands Mercantile on both Seabrook and Kiawah islands for some great T-shirts, hats and other souvenirs.

Friday, July 29, 2011

Google Maps Gone Bad

Trying to find a Quiznos and according to Google Maps there are two a couple miles apart, however their addresses are several states apart...  WTF Google?

Sunday, July 17, 2011

How To Disable Google Instant

While I pretty much love (or at least strongly like) Google, there are a few features that I cannot stand.  Google Instant is one of them.  Google's autocomplete is a little annoying, albeit a bit entertaining at times, but Google Instant drives me crazy.  Every time I go to Google from a new computer (which is fairly regularly) I disable Google Instant.  Disabling it is easy: just go to Preferences (http://www.google.com/preferences), scroll down about halfway, select Do not use Google Instant, then save your preferences.