Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


copycat221 last won the day on June 27 2010

copycat221 had the most liked content!

Community Reputation

85 Excellent

About copycat221

  • Rank
    Advanced Member

Profile Information

  • Gender
  • Location
  • Interests
    Extra-Terrestrial stuff, Hacking, observing surrounding things and many more
  1. you can Register for trail period and access this book [Hidden Content]
  2. I really wanted to give a befitting reply but I have controlled myself since I don't want to create any panic among near LAB test-takers. There are three categories 1) One who passed the LAB 2) One who Failed the LAB 3) One who are been intentionally made to Fail My Statement on Cisco is for the 3rd category, First two Categories would never understand As they have not faced it. The 3rd Category will definitely understand What I mean.
  3. Yes Cisco can Screw-up your Lab and I stand by my words. I am not making anyone panic I am saying what I have experienced in my multiple lab attempts, so that people can mentally prepare their minds. by the way my signature is quit old and I am not able to update it as the site is not allowing to modify my own profile settings.
  4. No matter how much you learn or use these tricks, Cisco is always there to screw-up your lab. Its up to Cisco whether to pass you or not; Prepare your mind for this gambling.
  5. Round above solution to copy anyconnect profile file and PAC key file . if you are facing issues with ASDM and TFTP to copy *.xml or *.PAC file to copy *.xml file data use "more filename.xml" command to view the file data Create the file on the nearest router to ASA use these commands: like R1# -> privilege mode tclsh puts [open "flash:ccieprofile.xml" w+] { Past the copied content here ie .xml file data (or) .pac make sure for .pac files the file extension filename.pac } tclquit next make the router as tftp server: Use the tftp-server [device]:[filename] command in global configuration mode as follows: R1(config)#tftp-server flash:ccieprofile.xml now you can do tftp from ASA to the router and get the files from router instead of wasting time in troubleshooting the problematic TFTP LAB setup from Client PC HTH
  6. Tip anyconnect error: VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established. make sure <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment> is configured in ccieprofile_client_profile.xml sometimes it even gives same trouble even after the config change in that case reboot device will resolve the issue especially the secondary device when active and connection doesn't happen some additional things and directories to try and check on windows anyconnect client machine: delete temp files in machine Run box type- "%temp%" directory to check : C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
  7. found the issue once the below command is removed "aaa authentication http console LOCAL" it will change from: protocol as DTLS ciplher as RSA_AES_256_SHA1 TO protocol as IKEv2/Ipsec NAT-T ciplher as AES_256_SHA1 anyone have any explanations?
  8. I have simulated the same mentioned in your workbook, practiced multiple times of those practices' only once I saw IKEV2 /AES_256_SHA1 but rest of the times cipher comes as RSA_AES_256_SHA1. only change I made in config is instead of ISE I am using local user on ASA, 'ccie' user for asdm GUI access and 'cisco' as anyconnect user ASA pre-config: interface gig0/0 nameif outside security-level 0 ip address standby no shut ! interface gig0/1 nameif inside security-level 100 ip address standby no shut ! interface gig0/2 description LAN/STATE Failover Interface no shut ! interface gig0/3 nameif mgmt security-level 100 ip address standby no shut router eigrp 12 network no auto-summ int gig0/1 authentication mode eigrp 12 md5 authentication key eigrp 12 cisco key-id 1 failover lan unit primary failover lan interface FO gig0/2 failover link FO gig0/2 failover interface ip FO standby int gig0/2 no shut failover http server enable http outside <- outside interface because I am using asdm from client machine itself asdm image disk0:/asdm-7101.bin dns domain-lookup mgmt dns name-server crypto key generate rsa label cciekey modulus 2048 crypto ca trustpoint ccietrust enrollment self fqdn asa1.cisco.com subject-name CN=asa1.cisco.com keypair cciekey crypto ca enroll ccietrust noconfirm username ccie passw ccie pri 15 username cisco pass cisco access-list servers standard permit host access-list servers standard permit host ip local pool VPN-POOL mask for rest used asdm GUI to config profile file, tunnel, group-policy Even Though in group-policy I have vpn-tunnel-protocol ikev2 ssl-client Here is the xml file: <?xml version="1.0" encoding="UTF-8"?> <AnyConnectProfile xmlns="[Hidden Content]" xmlns:xsi="[Hidden Content]" xsi:schemaLocation="[Hidden Content] AnyConnectProfile.xsd"> <ClientInitialization> <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon> <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection> <ShowPreConnectMessage>false</ShowPreConnectMessage> <CertificateStore>All</CertificateStore> <CertificateStoreOverride>false</CertificateStoreOverride> <ProxySettings>Native</ProxySettings> <AllowLocalProxyConnections>true</AllowLocalProxyConnections> <AuthenticationTimeout>12</AuthenticationTimeout> <AutoConnectonstart UserControllable="true">false</AutoConnectonstart> <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect> <LocalLanAccess UserControllable="true">false</LocalLanAccess> <DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection> <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin> <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport> <AutoReconnect UserControllable="false">true <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior> </AutoReconnect> <AutoUpdate UserControllable="false">true</AutoUpdate> <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration> <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement> <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment> <AutomaticVPNPolicy>false</AutomaticVPNPolicy> <PPPExclusion UserControllable="false">Disable <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP> </PPPExclusion> <EnableScripting UserControllable="false">false</EnableScripting> <EnableAutomaticServerSelection UserControllable="false">false <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement> <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime> </EnableAutomaticServerSelection> <RetainVpnOnLogoff>false </RetainVpnOnLogoff> <AllowManualHostInput>true</AllowManualHostInput> </ClientInitialization> <ServerList> <HostEntry> <HostName>ASA1V</HostName> <HostAddress></HostAddress> <PrimaryProtocol>IPsec <StandardAuthenticationOnly>false</StandardAuthenticationOnly> </PrimaryProtocol> </HostEntry> </ServerList> </AnyConnectProfile> Post -config correction: ------------------------------------------------ no crypto ipsec ikev2 ipsec-proposal DES no crypto ipsec ikev2 ipsec-proposal 3DES no crypto ipsec ikev2 ipsec-proposal AES no crypto ipsec ikev2 ipsec-proposal AES192 no crypto ikev2 policy 10 no crypto ikev2 policy 20 no crypto ikev2 policy 30 no crypto ikev2 policy 40 let me know if you need any further information
  9. Why is that anyconnect client keeps showing protocol as RSA_AES_256_SHA1 instead of ipsec ikev2 ?
  10. @rahulkashyap access-list WEB-ACL webtype permit url [Hidden Content]* "/*" is missing in your document
  11. Hey anyone have any Idea ? I am not able to book any slot seems like all slots are booked for this year or something wrong with the portal ? India Location
  12. Anikettate150 Please share the ASA cluster eve-ng image Thanks
  • Create New...