Archive for category CCIE-Security

FTP Inspection on the ASA – VoD

Hello All,

I spent a couple of hours tooling with FTP inspection on the ASA today. To be honest, prior to today, I didn’t know how exactly things worked. Anyways, after doing some study I now feel pretty confident about the technology, so I recorded a small video to share it with the rest of the ccie-sec community. Here it is!

Please feel free to contact me either by leaving comments on this post or by sending me an email (tacack at tacack dot com). I’d really appreciate it if you could point out any mistakes in my explanation/understanding.

Take care and have a great weekend! :)

TacACK


70 days to go

As the title says, I have 70 more days to go before the 2nd attempt. How am I feeling? To be honest, I’ve no clue! A part of me thinks that I can do it this time, but on the other hand I also worry about my chances of clearing. My main question being, “What am I doing differently this time around to help me pass?” I’ve thought about this for some time now and here’s a brief overview.

I’m just going to keep up the same study plan that I followed for my first attempt, but I’m going to add a couple of extra features which I didn’t do the last time around:

  • Go through the solutions. I can’t believe I messed this up the first time around, and believe me when I tell you, even if you’ve got the answer, it always pays to look through the solutions.
  • Participate in forums. If you’ve gone through Kingsley’s interview (previous blog post), you must have realized how much forums can activate one’s thought process. I find it very helpful and I plan on continuing to participate in OSL and CLND.
  • Try and watch all the tutorial videos that I can get my hands on.
  • Finish the online bootcamp that I’ve ordered from INE.
  • Go through Yusuf’s book prior to the lab. This will prove invaluable in getting the OEQs right (at least that’s my belief :) ).
  • (And finally!) Go through all the configuration examples in the Doc-CD.

After a 2-week forced break, I’m happy that I’m back to labbing. Although my brain’s kinda rusty at this point, I’m doing my best to keep it greased and running by labbing :) . I did the INE IOS-Firewall Vol1 lab yesterday and I’m going to do the IPX Vol 2A lab today (pure evil!).

Also, I hope you’re all doing well and kicking some serious ccie-sec butt! Do let me know about your study techniques and I’d be glad to put them up here.

Cheers and have a wonderful day!
TacACK


L2TP over IPSec : Configuration and Theory VoD

Hello All,

In an earlier blog post, I explained the basics of L2TP. In this video, we’re going to be talking about L2TP over IPSec, which is a configuration task in the CCIE-Security Lab blueprint. I thought it would be better if I did a video rather than write about it.

So here it is.

I’d love to hear feedback on how you found the video and what I could do to improve my technical/presentation skills.

Cheers,

TacACK


Some great videos

Hello All!

I’m working on an article (for a change I’m taking time out to write this :) ) and I thought I’d share some great videos with you. These videos are not created by me; they are created by Brandon Carroll (CCIE #23837 (Security)).

As you might already know, Brandon Carroll is an awesome instructor who worked for IPX and is now working for Ascolta Training. He runs a very informative blog where he regularly posts articles, and I find them very helpful.

Yesterday, I came across some videos on his blog site which were very impressive. He shows us how to configure AnyConnect VPN on the ASA using the ASDM. If you’re an ASDM fanboy, then this video is a must-watch! Even otherwise, I’d highly recommend watching this because you’re getting free lessons from Brandon, who is very well known for his deep technical knowledge and excellent explanation skills. I’ve loved all the IPX videos that Brandon has done and I hope to meet him someday :) . So, here are the videos!

PART 1 -> http://globalconfig.net/2010/09/10/configuring-ssl-vpn-with-full-tunnel-access-on-cisco-asa-8-2/

PART 2 -> http://globalconfig.net/2010/09/13/configuring-ssl-vpn-with-full-tunnel-access-on-cisco-asa-8-2-part-2/

Again, many thanks to Brandon for posting such great material.

Cheers and Happy studying,

TacACK


IOS NAT vs. ASA NAT

EDIT: I had forgotten to add a couple of points to the list; I’ve added them now. The changes I’ve made are in the IOS list, where I’ve addressed the lexicographic ordering of route-maps and how it affects precedence.

Hello All,

I have a treat for you today. Well, to be honest, it’s more like a treat for myself, but I thought someone might find it useful too! It’s the IOS NAT order of operation. I’ve tried, tried and tried unsuccessfully to find the exact order of IOS NAT in the Doc-CD. So, this morning, I decided the only way I’m going to find it out is by labbing up a test scenario where I could manually test out the order of IOS NAT. What better way to learn than by practice, right?

OK, as a foreword, the NAT order of operation on the ASA is fairly easy to find in the Doc-CD and it’s as follows:

  • NAT exemption
  • Static NAT, Static Policy NAT
  • Static PAT, Static Policy PAT
  • Policy NAT
  • Dynamic NAT

For IOS, I found that the order is as follows:

  • Static NAT
  • Static PAT
  • Dynamic NAT using Access lists
  • Dynamic PAT using Access lists
  • Static NAT using Route-maps / Dynamic NAT using Route-maps.
      • If both Static NAT using route-maps and Dynamic NAT using route-maps are configured, then the precedence works as follows:
        • The ROUTE-MAP names are compared lexicographically. The NAT entry whose route-map has the higher lexicographic value is preferred.
        • If the ROUTE-MAP names are lexicographically identical, then Static NAT gets preference over Dynamic NAT.
  • Static PAT using Route-maps / Dynamic PAT using Route-maps
      • Same as the previous point.
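To make the IOS precedence above checkable, here is an added Python model (written for this page; it is not Cisco code and not from the original post). It encodes the six tiers and the route-map tie-break exactly as the list states them and sorts a set of configured entries into the order in which IOS would consult them. The NatEntry fields, the entry names and the sample configuration are assumptions made for the model; it orders entries only and does not match packets against them.

```python
from dataclasses import dataclass
from functools import cmp_to_key
from typing import List, Optional

# IOS NAT tiers, evaluated first to last, as listed in the post.
# (mode, kind, selector); mode None means static and dynamic share the tier.
IOS_NAT_TIERS = [
    ("static", "nat", None),        # Static NAT
    ("static", "pat", None),        # Static PAT
    ("dynamic", "nat", "acl"),      # Dynamic NAT using access lists
    ("dynamic", "pat", "acl"),      # Dynamic PAT using access lists
    (None, "nat", "route-map"),     # Static/Dynamic NAT using route-maps
    (None, "pat", "route-map"),     # Static/Dynamic PAT using route-maps
]


@dataclass(frozen=True)
class NatEntry:
    """One configured IOS NAT statement (hypothetical model, not IOS data)."""
    name: str                       # label for readability (constructed)
    mode: str                       # "static" or "dynamic"
    kind: str                       # "nat" (one-to-one) or "pat" (overload)
    selector: Optional[str] = None  # None, "acl" or "route-map"
    route_map: Optional[str] = None # route-map name when selector is "route-map"


def tier_index(entry: NatEntry) -> int:
    """Position of the entry's tier in IOS_NAT_TIERS (lower = consulted first)."""
    for i, (mode, kind, selector) in enumerate(IOS_NAT_TIERS):
        if (mode is None or mode == entry.mode) and kind == entry.kind and selector == entry.selector:
            return i
    raise ValueError(f"no IOS NAT tier matches {entry}")


def compare(a: NatEntry, b: NatEntry) -> int:
    """Negative if a is consulted before b, positive if after, 0 if indistinguishable."""
    ta, tb = tier_index(a), tier_index(b)
    if ta != tb:
        return ta - tb
    if a.selector == "route-map":
        # Tie-break 1: the lexicographically higher route-map name is preferred.
        if a.route_map != b.route_map:
            return -1 if a.route_map > b.route_map else 1
        # Tie-break 2: identical names, static wins over dynamic.
        rank = {"static": 0, "dynamic": 1}
        return rank[a.mode] - rank[b.mode]
    return 0


def evaluation_order(entries: List[NatEntry]) -> List[NatEntry]:
    """Entries sorted into the order IOS consults them, per the post's list."""
    return sorted(entries, key=cmp_to_key(compare))


def winning_entry(entries: List[NatEntry]) -> NatEntry:
    """The entry IOS would consult first among those configured."""
    return evaluation_order(entries)[0]


# Constructed sample configuration, deliberately listed out of order.
SAMPLE_ENTRIES = [
    NatEntry("dyn-rm-ZED", "dynamic", "nat", "route-map", "ZED"),
    NatEntry("static-rm-ALPHA", "static", "nat", "route-map", "ALPHA"),
    NatEntry("dyn-acl", "dynamic", "nat", "acl"),
    NatEntry("static-1to1", "static", "nat"),
    NatEntry("dyn-rm-ALPHA", "dynamic", "nat", "route-map", "ALPHA"),
    NatEntry("pat-acl", "dynamic", "pat", "acl"),
    NatEntry("static-pat", "static", "pat"),
]


def sample_order_names() -> List[str]:
    """Names of the sample entries in IOS evaluation order."""
    return [e.name for e in evaluation_order(SAMPLE_ENTRIES)]


if __name__ == "__main__":
    for pos, entry in enumerate(evaluation_order(SAMPLE_ENTRIES), start=1):
        print(f"{pos}. {entry.name}  (tier {tier_index(entry)})")
```

Note how the two ALPHA entries land after ZED even though ZED is dynamic: within the route-map tier the name comparison happens before the static-over-dynamic rule, which is the subtlety the post's EDIT calls out.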

Again, if you feel I’ve erred somewhere, please feel free to point out the mistakes either in the comments section or by leaving a small message in the chatbox on the right-hand bar.

I’m really happy I finally figured this out, because I now know exactly how the NAT statements are processed in IOS. Hope you find this helpful too!

Cheers,
TacACK
