Security on the Cisco CSS

I have a Cisco CSS 11501s attached to a Cisco 6000. I am using the CSS in a one-arm design, which is basically a router on a stick. The Cisco 6000 only provides layer 2 switching. It utilizes 1 Ethernet interface on a single VLAN.
I configure 3 VIPs for client connection.
- VIP 1 for SSL
- VIP 2 is for the clear text traffic from the VIP1/proxy list.
- VIP 3 is for redirecting clear text traffic from the client.
- All VIPs use the same address, but differing ports.
I have a source group for all outbound traffic to the server farm. I tried to block traffic to the clear text interface, but I blocked all traffic. Is there an issue with the security of VIPs in a one-arm design?
Any design ideas?
Thank you

Hi,
If I understand correctly, you want to block the traffic destined to the VIP which is actually meant for the back-end traffic with the server once it is off the proxy-list. I understand you use VIP2 for this purpose as per your question, and it is the same as the client side IP range.
Here is the solution: just use what is known as a "full-proxy" configuration by Cisco on the CSS. To do this you would need two different IP ranges. One would be for your client side (the one resolved by DNS) and the other could be a different IP range, preferably a non-routable private IP range like 192.168.x.x for the back-end server segment. You will now pick up a VIP from the server segment and assign it in the proxy-list with the 'cipher' specs.
In essence, this way you wouldn't be forced to use the same VIP range for the servers and for the clients as well. You can have a private range on the back-end. This prevents traffic from the client segment being targeted at your server segment in clear HTTP, in your case.
thanks

Similar Messages

  • Cisco CSS 11501 - High-Availability

    We have a single CSS 11501 and were thinking about just buying a new one and putting it online as the standby with stateful (hopefully) failover, but weren't sure that this would work.
    Does anyone know what is needed to create a high-availability Cisco CSS 11501 environment?
    Do you only need 2 CSS 11501 and then configure them with one being active and the other being in a standby mode, like a PIX?
    Is there an HA cable that would need to be connected between the 2 CSSs?
    Thanks in advance.
    Joe

    Daniel,
    There is a new stateful failover mechanism for the Cisco CSS 11500.
    This description is a bit "salesy" I know, but it covers the question asked :-)
    The Cisco CSS 11500 delivers ASR—the industry's first stateful Layer 5 session redundancy feature that enables failover of important flows while maximizing performance. Some flows—such as a long-lived File Transfer Protocol (FTP) or a database session—may be mission critical, but many are not. Most solutions on the market today require all traffic—important or not—to be backed up from one box to another. If the majority of flows are not critical, then most of the system performance is wasted on unnecessary backups. With ASR, the Cisco CSS 11500 may be configured so critical flows are marked as replication worthy, whereas others do not need to be so marked. ASR focuses traffic management resources precisely where needed.
    Better yet, have a look at the following link focusing on the section on Stateless Redundancy.
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/redndncy.htm
    Regards
    Pete..

  • Cisco CSS ICS via DWDM

    We are currently splitting up a campus installation (2 datacenters with < 300m cable distance).
    One datacenter remains on the campus, the other one is moved to another part of the town, approx. 30km away.
    The two datacenters are interconnected using DWDM (I don't have the exact specs at the moment, but I think we have the equivalent of 16 duplexed 4Gb/s connections between the two data centers).
    So far we have been able to move most of the equipment (including several members of Oracle RAC clusters on Linux and OpenVMS, VPN server farms, ESX cluster members and similar services), but we do not seem to be able to get the Cisco CSS ICS link up on the DWDM.
    Is there anything we can ask the DWDM provider to check, or is there no chance to get the ICS link up over DWDM?

    Hi Martin,
    I guess you are referring to ISC port, right?
    As per CSS documentation: You must connect the ISC ports directly to the two CSSs. You cannot use Layer 2 devices on the ISC links between the two CSSs. Also, the ISC links must be dedicated to passing only ISC traffic.
    For that reason I believe you need to reconsider your plan.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/ASR.html#wp1038263
    Best regards,
    Ahmad

  • Link does not work for-End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4

    Link does not work for
    End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4
    How do we get Cisco to fix?
    see attachment

    Give it a couple of days - it looks like they just sent out the notification before the notice was published on the public page.
    Once the ACS 5.4 EoS/EoL notice is published you should see it linked from this page.

  • Error "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed" - help !

    hi,
    I've tried to install AnyConnect Secure Mobility Client on my computer (Mac OS 10.6.8). I've never installed it before on this computer; however, when I try to install I get the message
    "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed"
    I would be thankful if anyone could help me with this problem !!!

    Would I be correct in assuming that you are trying to do a manual install of the AnyConnect client when you get this error? Have you ever used this Mac to connect to an ASA and to establish a VPN? If so it is quite likely that AnyConnect was installed in that online session and does not require a manual install.
    HTH
    Rick

  • Cisco CSS and ACE study guide

    Hi,
    I'm ready to kick-start Cisco CSS and ACE load balancers. I found that 642-972 DCASD and 642-975 DCASI are the relevant exams for that. But they are expired now, and I couldn't even find the old materials for those. Could anyone please assist me in getting started with this?

    Hi Kanwal,
    Thanks for your reply. BTW, weren't there any specific study guides for 642-972 DCASD and 642-975 DCASI from Cisco? The reason behind this question is that I want to go step by step, starting from how load balancing works, the basics and terminology of load balancing and its various options and operations, etc. I have been working with Network Security and am just stepping into DC operations.

  • How do I remove the certificate error every time I try to access the Cisco Unified CM Administration web page?

    Hi,
    Every time I want to have access to the Cisco Unified CM Console (System version: 7.0.1.11000-2), I use the https://10.10.x.x/ccmadmin/showHome.do homepage on my client computer, but when I open the page I get an SSL certificate error stating there is no trust in this web page's security certificate, and if I choose "continue to this page (not recommended)", I get access to the Cisco Unified CM Console web page.
    I have tried to add the https://IP-address to secure web pages in Internet Explorer 7, but to no avail; it does not help.
    How do I add this certificate to a trusted something, so I do not get this warning every time I open the page?
    Kind regards,
    Carl-Marius

    Hi Michael,
    It worked when I changed the IP address to the name that was written in the certificate, and imported the certificate into Internet Explorer.
    Thank you for your fast and very precise help!
    Kind regards,
    Carl-Marius

  • Cisco CSS HTTP keepalive is not working with GET command

    Dear all,
    I have a Cisco CSS connected to a Dell server (via switch).
    Cisco CSS - 192.168.1.3 and Dell Server - 192.168.1.5
    The Dell server is set up with Windows 2009R2 and Apache HTTPD version 2.2.
    This server is dedicated to hosting multiple domains with Apache, like
    www.abc.co.uk
    www.xyz.co.uk
    Now the client wants to set up the HTTP keepalive with a specific web page like /testpage.html for all these domains. I have tested with a single URI and it is working; the commands are
    (config)# service serv1
    (config-service[serv1])# ip address 192.168.1.5
    (config-service[serv1])# keepalive type http
    (config-service[serv1])# keepalive method head    (I have not used GET due to a hash mismatch with the Apache server; if I use GET it is not working)
    (config-service[serv1])# keepalive uri "/testpage.html"
    (config-service[serv1])# active
    It is working with a single URI, but how can I do the same thing for multiple domains?
    For multiple domains do I need to use a script, or can I use commands?
    If I need to use a script, the script is
    !no echo
    ! Filename: httptag-test
    ! Parameters: HostName WebPage HostTag
    ! Description:
    !       This script will connect to the remote host and do an HTTP
    !   GET method upon the web page that the user has asked for.
    !   This script also adds a host tag to the GET request.
    ! Failure Upon:
    !   1. Not establishing a connection with the host.
    !       2. Not receiving an HTTP status "200 OK"
    if ${ARGS}[#] "NEQ" "3"
            echo "Usage: httptag-test \'Hostname WebPage HostTag\'"
            exit script 1
    endbranch
    ! Defines:
    set HostName "${ARGS}[1]"
    set WebPage "${ARGS}[2]"
    set HostTag "${ARGS}[3]"
    ! Connect to the remote Host
    set EXIT_MSG "Connection Failure"
    socket connect host ${HostName} port 80 tcp
    ! Send the GET request for the web page
    set EXIT_MSG "Send: Failed"
    socket send ${SOCKET} "GET ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
    ! Send the HEAD request for the web page
    set EXIT_MSG "Send: Failed"
    socket send ${SOCKET} "HEAD ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
    ! Wait for a good status code
    set EXIT_MSG "Waitfor: Failed"
    socket waitfor ${SOCKET} "200 OK"
    no set EXIT_MSG
    socket disconnect ${SOCKET}
    exit script 0
    In the script I have not used GET because, when the CSS sends a GET request to Apache it uses a hash, but Apache is not able to respond with the same hash and it shows that the website is down. For more information, click the URL below:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdKeepC.html#wp1139668
    (config-keepalive) method
    I have uploaded the httptag-test file to the CSS and applied these commands
    service comp.brit.co.uk-80
      keepalive port 80
      ip address 192.168.1.5
      keepalive frequency 10
      keepalive maxfailure 2
      keepalive retryperiod 10
      keepalive type script httptag-test "192.168.1.5 /testpage.html www.abc.co.uk"
      keepalive type script httptag-test "192.168.1.5 /testpage.html www.xyz.co.uk"
    but this script is not working.
    My questions are:
    1. Do I need to use a script only to set up an HTTP keepalive with a web page for multiple domains?
    2. Without using a script, is there any solution like Cisco CSS commands to set up an HTTP URI for multiple domains which are on 1 single server?
    Please help me asap.

    Hello Muhammad,
    If you wish to use multiple domains for a URI keep-alive check and perform a HEAD request, what Daniel mentioned is correct. You have to use a scripted keep-alive check on the service. However, you should not use the default "ap-kal-httptag" script to do so as it's limited to only 1 website (unless you modify the script). Your best bet would be using the "ap-kal-httplist" script on the CSS as it allows the checking of 2 different websites along with a webpage to check for each site using the HTTP HEAD method.
    !no echo
    ! Filename: ap-kal-httplist
    ! Parameters: Site1 WebPage1 Site2 WebPage2 [...]
    ! Description:
    !    This script will connect a list of sites/webpage pairs.  The
    !   user must simply supply the site, and then the webpage and
    !   we'll attempt to do an HTTP HEAD on that page.
    ! Failure Upon:
    !   1. Not establishing a connection with the host.
    !   2. Not receiving a status code 200 on the HEAD request on any
    !      one site.  If one fails, the script fails.
    ! Make sure the user has a qualified number of arguments
    if ${ARGS}[#] "LT" "2"
            echo "Usage: ap-kal-httplist \'WebSite1 WebPage1 WebSite2 WebPage2 ...'"
            exit script 1
    endbranch
    while ${ARGS}[#] "GT" "0"
            set Site "${ARGS}[1]"
        var-shift ARGS
        if ${ARGS}[#] "==" "0"
            set EXIT_MSG "Parameter mismatch: hostname present but webpage was not"
            exit script 1
        endbranch
        set Page "${ARGS}[1]"
        var-shift ARGS
        no set EXIT_MSG
        function HeadUrl call "${Site} ${Page}"
    endbranch
    exit script 0
    function HeadUrl begin
    ! Connect to the remote Host
    set EXIT_MSG "Connect: Failed to connect to ${ARGS}[1]"
    socket connect host ${ARGS}[1] port 80 tcp 2000
    ! Send the head request
    set EXIT_MSG "Send: Failed to send to ${ARGS}[1]"
    socket send ${SOCKET} "HEAD ${ARGS}[2] HTTP/1.0\n\n"
    ! Wait for the status code 200 to be given to us
    set EXIT_MSG "Waitfor: Failed to wait for '200' on ${ARGS}[1]"
    socket waitfor ${SOCKET} " 200 " 2000
    no set EXIT_MSG
    socket disconnect ${SOCKET}
    function HeadUrl end
    Rather than modify the default "ap-kal-httplist" script on the CSS I would simply define the arguments within the service configuration itself. Something like the following (using your service example):
    service dell-192.168.1.5
    ip address 192.168.1.5
    keepalive type script ap-kal-httplist "www.abc.co.uk /testpage.html www.xyz.co.uk /testpage.html"
    active
    As long as the server is configured to reply to host headers, and the page is configured to return a "200 OK", the above service configuration should work. If there are any errors simply run "show service " to view why there was a failure. If there is a failure, and the output from the command specified shows a line number, run the following command against the script to view at what point (line) the failure occurred:
    show script ap-kal-httplist line-numbers
    Hope this helps!
    - Jason Espino
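    Added example in Python (not a CSS script or Cisco code): the per-site HEAD check with a Host header that the service configuration above depends on, run against a constructed in-process stand-in for the Apache name-based virtual hosts on the Dell server. It also shows the caveat a reader should take from the stock ap-kal-httplist listing: its "HEAD <page> HTTP/1.0" carries no Host header, so on a name-based virtual host every probe lands on the default site rather than the domain named in the argument list.

```python
"""Multi-domain HTTP HEAD keepalive check, with and without a Host header.

Added illustration, not a Cisco script: it mirrors the semantics of the CSS
keepalive scripts discussed above (HEAD one page per site, require "200",
first failure fails the service) against a constructed local vhost server.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data: the two domains from the thread, served from one
# back-end address, with one check page per domain.
KNOWN_HOSTS = {"www.abc.co.uk", "www.xyz.co.uk"}
CHECK_PAGE = "/testpage.html"


class VHostHandler(BaseHTTPRequestHandler):
    """Stand-in for the Apache server: the check page exists only under the
    configured Host names; a missing or unknown Host lands on the default
    site, which does not have the page, so it answers 404."""

    def do_HEAD(self):
        host = (self.headers.get("Host") or "").split(":")[0]
        ok = host in KNOWN_HOSTS and self.path == CHECK_PAGE
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the probe quiet


def start_server():
    """Bind an ephemeral loopback port and serve in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def head_check(addr, port, page, host_tag=None, timeout=2.0):
    """One probe, like a single HeadUrl call. Returns the HTTP status code,
    or None when the TCP connect or the read fails (the script's
    "Connect: Failed" / "Waitfor: Failed" exits).

    With host_tag the request carries "Host: <tag>" as ap-kal-httptag does;
    without it no Host header is sent, which is what the stock
    ap-kal-httplist "HEAD <page> HTTP/1.0" does."""
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.putrequest("HEAD", page, skip_host=True)
        if host_tag:
            conn.putheader("Host", host_tag)
        conn.endheaders()
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def run_keepalive(addr, port, pairs):
    """ap-kal-httplist semantics over (site, page) pairs: every site must
    return 200; the first failure marks the whole service down.
    Returns (service_up, [(site, status), ...])."""
    results = []
    for site, page in pairs:
        status = head_check(addr, port, page, host_tag=site)
        results.append((site, status))
        if status != 200:
            return False, results
    return True, results


if __name__ == "__main__":
    srv, port = start_server()
    checks = [(h, CHECK_PAGE) for h in sorted(KNOWN_HOSTS)]
    print("with Host header:", run_keepalive("127.0.0.1", port, checks))
    print("no Host header  :", head_check("127.0.0.1", port, CHECK_PAGE))
    srv.shutdown()
    srv.server_close()
```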

  • Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

    Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
    Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
    For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
    Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
    Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
    Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
    Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Marcelo,
       Yes, there are some requirements for certificates in Expressway.
    Expressway Core (Exp-C)
    - Can be signed by either External or Internal CA
    - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
    - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
    - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
    - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
    - For TLS b/w CUCM, IM-P & Exp-C
      + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
      + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
      + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
      + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
    Expressway Edge (Exp-E)
    - Signed by External CA
    - Configured Unified Communications domain as Subject Alternate Name
    - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
    - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
    For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
    http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
    - Aashish

  • Ask the Cisco VIP: Troubleshooting SIP in Cisco Unified communications

    Troubleshooting SIP in Cisco Unified communications deployments with Cisco VIP Ayodeji Okanlawon
    This is a Q&A Ask the Expert Session continuation from the Live Webcast
    Ask your questions on Session Initiation Protocol (SIP) and how it is redefining our UC world.The Session Initiation Protocol (SIP) is a signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks.
    Featured Expert
    Ayodeji Okanlawon, a Cisco Designated VIP, is the Lead Consultant Engineer for Global Solutions Design and Engineering at Verizon Business. In his past, he has worked at Intact IS, NCS Global, and Schlumberger Information Solutions. His experience includes development of design and deployment of large scale IP telephony projects on Cisco Call Manager platforms, Cisco Voice gateways, Cisco Jabber cloud and on premise solution. His expertise includes SIP solutions, CUBE design and Deployment, Troubleshooting: Voice gateways, CUCM, Unity connection, CUPS. Deji has been awarded the Cisco Designated VIP in 2013 and 2014. Deji holds a Bachelor of Science (BS), Electrical and Electronics Engineering, Second Class Upper from Obafemi Awolowo University.  
    According to Deji, “If you want to advance your career, if you’re serious about your skill sets, you’ve got to be in the forums.”  (Read the Interview >>)
    We look forward to your participation. This event is open to all, including partners.
    * * Remember to use the rating system to let Deji know if you have received an adequate response. * *
    Deji might not be able to answer each question due to the high volume expected during this event. This event runs January 13 through January 23, 2015.  Visit this forum often to view responses to your questions and the questions of other community members.

    Derrick,
    RFC 3261 defines ways to provide increased security for a SIP session.
    The following describes the areas in SIP that provide security for the protocol.
    1. Authenticating users.
    We need to authenticate a user to ensure that the sender of the message is who he claims to be.
    To achieve this SIP uses digest authentication between a UAC, proxy and a UAS. This provides the most basic level of authentication challenge between a client, proxy and a server.
    2. Secure SIP signalling
    The next area we can secure is SIP signalling itself. For this we use SSL/TLS. This is similar to using HTTPS in web browsers. With TLS, before any signalling is exchanged, X.509 certificates are used to create a secure TLS channel. All our SIP messages are then transported within the secure channel.
    NB: The digest authentication mentioned above for authenticating a user agent is just authentication. The messages are not protected from reading or modification, hence it is recommended that these messages are carried inside a secure TLS channel for better security.
    3. Privacy and Identification
    Additional security features in SIP provide means by which any user can choose to either reveal or conceal his identity.
    4. Secure RTP
    SIP also provides the ability to secure the media channel. It is not enough to secure signalling while anyone can listen to the media. RFC 3830 discusses how the encryption should be done.
    5. S/MIME
    S/MIME encapsulation is used to protect SIP headers, making it impossible for anyone in between the sender and receiver to modify the SIP headers.
    Regards

  • Mac-Address Locking on ML-1000 for the Cisco 15454

    Does anyone know if you can do mac-address locking on the ML-1000 card on the Cisco 15454. I would like to enter the command "mac-address-table secure", but it does not look like it is possible to do this.
    Thanks,
    Eric

    The command is not supported on the ML-1000 card.

  • Implementing two cisco CSS 11154's in an ISP environment.

    Hi All,
    My boss has asked me to implement CSS11154's as redundant loadbalancers in our network. We are an ISP that hosts client machines.
    My initial plan is as follows:
    A quick example:
    clientA has 3 webservers
    clientB has 2 webservers
    Both clients want to loadbalance http traffic on their webservers.
    webserverA1 webserverA2 and webserverA3 are connected to switchA
    webserverB1 and webserverB2 are connected to switchB
    switchA is connected to ethernet port1 on a CSS11154
    switchB is connected to ethernet port2 on a CSS11154
    The CSS balances traffic addressed to VIP-A over IPADDR-A1, IPADDR-A2 and IPADDR-A3
    The CSS balances traffic addressed to VIP-B over IPADDR-B1 and IPADDR-B2
    this example is without the second CSS.
    Then there is the with / without firewall part.:
    I can create 2 vlans with the following config:
    vlan1 ethernet port 1, 2, 3, 4, 5, 6 and 13
    vlan2 ethernet port 7, 8, 9, 10, 11, 12 and 14
    port 13 (Gigabit) is connected to our core-switch so clients connected to port 1 through 6 can loadbalance with a direct internet connection
    port 14 (Gigabit) is connected to a switch behind a PIX firewall.
    This is all possible right?
    Then there is the redundancy part.
    How do I get the backup CSS to communicate with the active primary? Is it possible through the management interface?
    Could anyone tell me if this is a good setup, and if there are caveats in this plan.
    Also maybe other things I must look at (software version etc.)
    Thanks in advance...
    Bastiaan
    PS I know I have to read more of the documentation before I start this, but this design plan is for presentation to my boss.

    Hi,
    Please see my answers inline beginning with >>>>
    Please be aware I can only give you conceptual information due to the lack of specifics.
    clientA has 3 webservers
    clientB has 2 webservers
    Both clients want to loadbalance http traffic on their webservers.
    webserverA1 webserverA2 and webserverA3 are connected to switchA
    webserverB1 and webserverB2 are connected to switchB
    switchA is connected to ethernet port1 on a CSS11154
    switchB is connected to ethernet port2 on a CSS11154
    >>>>No Problem
    The CSS balances traffic addressed to VIP-A over IPADDR-A1, IPADDR-A2 and IPADDR-A3
    The CSS balances traffic addressed to VIP-B over IPADDR-B1 and IPADDR-B2
    this example is without the second CSS.
    >>>>No Problem
    Then there is the with / without firewall part.:
    I can create 2 vlans with the following config:
    vlan1 ethernet port 1, 2, 3, 4, 5, 6 and 13
    vlan2 ethernet port 7, 8, 9, 10, 11, 12 and 14
    port 13 (Gigabit) is connected to our core-switch so clients connected to port 1 through 6 can loadbalance with a direct internet connection
    port 14 (Gigabit) is connected to a switch behind a PIX firewall.
    This is all possible right?
    >>>> Can't see any problem
    Then there is the redundancy part.
    How do I get the backup CSS to communicate with the active primary? Is it possible through the management interface?
    >>>> No, not a good idea. From what you have here it is better to use VIP and interface redundancy. This uses the VRRP protocol, which runs across the uplinks and downlinks. The 2 CSSs need to be on the same layer 2 segment and it does not require a dedicated interface. It also gives you the ability to run in an active-active state. Client A can be active on CSS A and Client B can be active on CSS B. If one of the switches fails then the other switch will take over for all services. One downfall of this is that you need to make sure one CSS can handle all the load in case of a failure.
    I will send you a doco separately so that you can have a look at the redundancy methods.
    Could anyone tell me if this is a good setup, and if there are caveats in this plan.
    Also maybe other things I must look at (software version etc.)
    >>>> The latest 5.00 train on CCO is a good choice.
    Cheers
    Phil
    Cisco Systems

  • Cannot establish multiple simultaneous PPTP connections with the CISCO 1841.

    Hello everyone;
    I have recently tested a PPTP connection with a Cisco 1841 router and got success. I have configured a Windows 7 client and successfully connected to the router and was able to access the documents in the server PC that I have mentioned in the attached diagram. I have created a number of different users in the Cisco 1841 too. While someone is having a connection, another user cannot connect to it, which means multiple simultaneous connections aren't possible. Do I have to create an ACL for the PPTP and if yes, how?
     FastEthernet0/0 is up, line protocol is up
      Internet address is 192.168.100.1/25
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound  access list is 100
    Proxy ARP is enabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is disabled
    IP Flow switching is disabled
    IP CEF switching is enabled
    IP CEF Feature Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast, CEF
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Policy routing is disabled
    Network address translation is enabled, interface in domain inside
    BGP Policy Mapping is disabled
    WCCP Redirect outbound is disabled
    WCCP Redirect inbound is disabled
    WCCP Redirect exclude is disabled
    Inbound inspection rule is SDM_LOW
    ---------- ACL 100 ----------
    deny icmp any any echo-reply
    deny ip host 255.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 66.163.169.186 any
    permit ip any any (122467027 matches)

    As long as you have the inspection engine enabled on the ASA, it shouldn't freak out of the different IP as it will inspect the call signalling and will NAT it accordingly, BUT, for simplicity, I agree with you, it would cause a lot of troubleshooting headache if there is problem as well as reconfiguration of IP on the host ends.
    Here is the NAT FYI:
    object network obj-10.10.96.0
       subnet 10.10.96.0 255.255.255.0
    object network obj-192.168.96.0
       subnet 192.168.96.0 255.255.255.0
    object network obj-10.10.14.0
       subnet 10.10.14.0 255.255.255.0
    object network obj-10.1.0.0
       subnet 10.1.0.0 255.255.255.0
    object network obj-192.168.1.0
       subnet 192.168.1.0 255.255.255.0
    object network obj-10.10.11.0
       subnet 10.10.11.0 255.255.255.0
    object network obj-192.168.11.0
       subnet 192.168.11.0 255.255.255.0
    nat (inside,outside) source static obj-10.10.96.0 obj-192.168.96.0 destination static obj-10.10.14.0 obj-10.10.14.0
    nat (inside,outside) source static obj-10.1.0.0 obj-192.168.1.0 destination static obj-10.10.14.0 obj-10.10.14.0
    nat (inside,outside) source static obj-10.10.11.0 obj-192.168.11.0 destination static obj-10.10.14.0 obj-10.10.14.0

  • An error when trying to connect with the Cisco AnyConnect.

    Good day!
    I connect from Windows 7 (also from Ubuntu) with the Cisco AnyConnect client 3.0 (and with Cisco AnyConnect Secure Mobility Client 3.1) and get the error "The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established." No changes had been made to the configuration of my ASA 5520 running 8.4(2) (ASDM 6.4(5)).
    I have a license (AnyConnect Premium Perpetual) that supports 2 VPN connections.
    I read about this problem on different forums and cisco.com:
    disabled unused adapters, checked installed software (Adobe Photoshop and Bonjour are not installed on my system).
    I made a new AnyConnect configuration in ASDM. But the problem remains the same...
    Please, help me find the way to solution in this situation!

    I have seen that error before but it usually clears up on its own.  I have a working theory though so perhaps this might help you.  I noticed that once you connect, 2 files are created in C:\ProgramData\Cisco\Cisco AnyConnect VPN Client.  I think that folder is different if using v3.x instead of 2.5.  Anyway, the files are routechangesv4.bin and routechangesv6.bin.  Try deleting each and then rebooting.  Try connecting again after that.
    My theory is that those files are not clearing up after disconnecting.  I think they are supposed to go away after disconnecting but I noticed in some cases that they don't.

  • Nortel Alteon rules conversion to Cisco CSS

    We currently have some servers that are being load serviced by an Alteon content switch. The rules were not written or are supported by our group. We have a printout of the config but it is a bear to translate. Are there any tools to translate the config to Cisco CSS style?
    Thanks,
    John

    John,
    There are no tools to translate Alteon to Cisco CSS. For long configs, it can be a tedious process.
    I have seen in the past tools to convert configs from one Cisco load balancer to another type, but never for conversion of configs between vendors.
    -Steve
