Cisco CCNP Security 300-730 SVPN – Extra

January 25, 2023

1. High availability

Clientless SSL VPN high availability, or HA. We are going to go over active/standby failover, clustering and load balancing for clientless SSL VPN connections. You can achieve two types of failover configuration with the ASA: Active/Active or Active/Standby. Active/Active lets you use a much greater percentage of the available resources in a deployment. However, an Active/Active configuration does not provide support for any type of VPN deployment, because the ASA has to run in multiple context mode. So we are not going to spend any more time on that option: in Active/Active you cannot do clientless SSL VPN, AnyConnect or anything like that, and that is why we move on to Active/Standby. In Active/Standby, one ASA firewall is active, passing and inspecting traffic, while the other is on standby. While it is on standby, it monitors the state of the other unit until the time comes when it must take the active role. So if your active unit goes down, the unit on standby takes over the active role, and the one that was active before goes into standby, or, if it is actually down, we don't know what happens to it.

That is what happens with Active/Standby. We also have two modes of failover, stateful and stateless. In a stateful configuration, existing VPN sessions and tunnels stay up when a failover has occurred and the connecting clients and sites are now entering through the previous standby device. The current connection states are synchronized between the devices across a dedicated stateful link between the two ASAs, or by using the existing failover interfaces. The following clientless SSL VPN objects are not supported with stateful failover: smart tunnels, port forwarding, plugins, Java applets, IPv6 clientless or IPv6 AnyConnect sessions, and, last, Citrix authentication. So if the active unit goes down in a stateful configuration and the standby becomes active, those VPN objects (smart tunnels, port forwarding, plugins, Java applets, IPv6 sessions and Citrix authentication) do not carry over. A stateless configuration, on the other hand, supports high availability only in as much as, during failover, the standby device assumes the active role; it does not support any stateful behavior, meaning all sessions and connections have to be reestablished after the failover has occurred.

So the difference is: with stateful, all your previous connections to the ASA are synchronized. If you have an AnyConnect session under a stateful configuration, it is synchronized to the other unit when that unit goes from standby to active; under stateless, you have to reconnect to the firewall again. That is the difference between stateful and stateless. We also have another high availability option, which is VPN load balancing, or clustering, and it is a stateless configuration. With clustering you can take advantage of the performance and HA benefits gained by having multiple devices share the load between them. When you do VPN load balancing it is, in effect, the same idea as Active/Active.

The overall operation depends on one of the ASA devices becoming the master, which is the one responsible for configuration, synchronization, and sending new remote client sessions to the least loaded device. So if you have multiple devices and six connections come in at the same time, it sends three connections to one firewall and three to the other. ASA clustering, or VPN load balancing, can be used to divide remote client SSL VPN sessions between our ASA devices without the need for duplicate hardware or software or a load balancer such as the Cisco ACE. So you don't need an ACE or another appliance or application running on your network; you can combine all your firewalls and do VPN load balancing without hardware like the ACE. Using an ACE is external load balancing. The difference between external load balancing and VPN load balancing or clustering is that external load balancing uses a separate device, the ACE, in front of the firewalls, and clustering does not use that device.

Like I said, clustering does not use that extra device. If you want to do external load balancing, you put an ACE device in front and it sends traffic to the different firewalls, the different ASAs. Say we have nine connections: it sends three to the first ASA, three to the second, and three to the third. So it is just doing load balancing. You can also do redundant VPN peering: both the IPsec VPN client and the AnyConnect client allow multiple VPN server (ASA) addresses to be configured. In the event of the primary ASA failing, the client tries to reconnect to the next available address in its list of configured addresses. So if you are using AnyConnect and trying to connect to 21.1, and that one goes down, the client can connect to another peer.

If we have three firewalls, 21.1, 21.2 and 21.3, and 21.1 is not available, the client just goes ahead and connects to 21.2; if 21.2 is not available either, it connects to the other firewall, 21.3. That is how redundant VPN peering works. And that is it for this video on clientless SSL VPN high availability: active/standby, clustering, load balancing, and using external hardware like the ACE. We also went over what a stateful and a stateless configuration is: stateful maintains your connections when a unit goes down and the standby has to become active; stateless means you end your connection and reconnect again. That's it for this video, guys. Hope you enjoyed it.
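The VPN load-balancing ("clustering") option described above, as an added example that is not part of the course: two ASA members share a virtual cluster address, the elected master redirects new sessions to the least-loaded member, and the members authenticate each other with a shared cluster key. Interface names, the addresses (RFC 5737 documentation ranges), priorities and the key are constructed placeholders.

```cisco
! Added example (not the course's own config): ASA VPN load balancing for
! clientless SSL / AnyConnect sessions. Addresses, names and key are placeholders.
!
! Each member keeps its own outside/inside addresses; clients connect to the
! virtual cluster address, which the master answers. The master redirects the
! session to the least-loaded member. This is stateless: if a member fails,
! its sessions are not carried over, the client simply reconnects.
!
! --- Member A (higher priority, preferred master) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.11 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.11 255.255.255.0
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 ! virtual address must be on the same subnet as the lbpublic interface
 cluster ip address 198.51.100.10
 cluster port 9023
 ! shared secret used to authenticate/encrypt the cluster messages
 cluster key <strong-shared-secret>
 cluster encryption
 priority 10
 ! redirect clients by FQDN so the member's certificate name matches;
 ! this needs reverse DNS entries for every member address
 redirect-fqdn enable
 participate
!
! --- Member B (same block, its own addresses, lower priority) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.12 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.12 255.255.255.0
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 198.51.100.10
 cluster port 9023
 cluster key <strong-shared-secret>
 cluster encryption
 priority 5
 redirect-fqdn enable
 participate
!
! Check on any member: show vpn load-balancing
! (shows the role of this unit, the peers, and the load on each member)
```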


3. High Availability in Clientless SSL VPN

Hello, guys. Welcome to a new video. In this video we are going to be configuring high availability for the CCNP Security SVPN, and it is going to be an active/standby failover. I am going to configure the failover interface on GigabitEthernet0/0; both units are connected on Gigabit 0/0. The failover link sends all of the configuration of the active ASA to the standby firewall, so any configuration that is on the active unit goes into the standby. For the stateful link, which is GigabitEthernet0/1, any traffic that is actively connected through the active ASA gets replicated to the standby. So in case of a failover of the active firewall, when the standby has to step in, it already has all the connections and the traffic continues without interruption. That is where high availability comes in. Let's go ahead and configure that; we need to go into ASDM on the active firewall. Let's close this right here.

Don't save; yes; exit. Let's open the ASDM launcher and point it to 3.1, which is the IP address of the management interface I configured, and move the window over here so you can see everything I'm doing. I am now in ASDM on the active firewall. First we do some interface settings. Gigabit 0/0, like I said, is going to be the failover interface, which sends all the configuration to the standby, so the current configuration on the active will also be on the standby; the stateful link carries the connection state. We are not going to name these two interfaces, we just want to enable them: enable Gigabit 0/0, enable Gigabit 0/1 as well, and then configure Gigabit 0/2, which is the one pointing to the switch. This one is going to be named inside, with address 10.10.1; enable it, apply. Good.

Now go into Device Management > High Availability and Scalability > Failover, and enable failover. Set the failover key (the same key has to be configured on the peer). For the LAN failover interface choose Gigabit 0/0, set its IP address and mask (the recording gives "two five five"), give it the logical name F1 with standby IP 1.2, and enable HTTP replication. Then go into Gigabit 0/1: this one is the state link for stateful failover, with address 2.1.4; call it F2. The standby side of that is configured on the standby firewall. Apply it. ASDM then asks about the basic failover configuration exchange and for the IP address of the peer to which ASDM may connect; we are not going to do that for now, so reapply. The standby IP address of the inside interface is going to be 10.10.2, which is this one right here. Apply it and save it.

After we apply it, we save it. Now we go to the standby unit. As you can see it says no active mate detected, so let's go into config t and configure the failover LAN interface: failover lan interface F1 GigabitEthernet0/0. Actually, before that, go into the interface and do no ip address, then exit, because the failover interface cannot carry its own address. Then failover interface ip F1 with the primary address and standby 1.2 (it is standby, not secondary).

After that: failover key cisco, failover lan unit secondary, and then failover to turn it on. Let's see what happens. It has detected an active mate and is beginning configuration replication from the mate. All the configuration from the active firewall now goes to the standby, so even the hostname "active" is going to be configured on this firewall. And there we go: the unit whose hostname was "standby" now also shows "active", because all the configuration from the active unit was sent to it. If we change the hostname on the active to active1, that is sent over and this one also becomes active1; change it again to active2 and it shows active2 here as well.

Everything I configure on the active unit goes into the standby. If we do end and then show interface ip brief, you can see the 10.10.2 address whose method is "config", meaning it was sent by the active router, well, by the active ASA. Back in ASDM, let's configure another interface: Device Setup > Interfaces, Gigabit 0/3, named outside with security level 0, enabled, address 21.1/24. Enable that bad boy: yes, outside. Apply the changes, then go into Device Management > Failover > Interfaces and set the standby address of outside to 21.2; apply and save. Now, as you can see, the standby got some more configuration.

If we do show interface ip brief again, Gigabit 0/3 does not show 21.1 but 21.2, because this unit holds the standby IP address we configured. That is how you configure high availability: active/standby failover with stateful configuration. Active/standby supports VPN, while Active/Active failover does not support any VPN content, so we don't want that. Stateful configuration lets existing VPN sessions and tunnels stay up even after a failover, with clients and sites now entering through the previous standby device. If you want to see the standby unit become active, go into Monitoring > Properties > Failover > Status, where we can make the active unit standby.

Click over here and give it a couple of seconds. You can see that this host is the primary and it is on standby now, and the secondary one is active. If you do show failover on the other unit you see that the secondary, this ASA 2, is active. This one seems to have frozen; let's try to make it active again. show failover still says the secondary is active, so we are unable to communicate through ASDM. Close this and save my configuration. Let's try to connect with ASDM again; it looks like it is not going to work because this unit is now on standby.

So the previously active unit is now on standby, and to connect we have to go to the other unit, which is now active. Delete these entries and connect to the new active firewall's management address. Bring up ASDM; is it still 3.1? Connect to 3.2. It looks like it is not working. Let's look at the standby: show interface ip brief; the management interface got its address via config. Let me connect to that. It's not letting me connect to it. So I messed up somehow. But as you can see, it is easy to configure active/standby failover high availability. That's it, guys.
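The same active/standby, stateful build from the CLI, as an added example that is not the course's own configuration. Interface roles follow the video (Gig0/0 failover link, Gig0/1 state link, Gig0/2 inside, Gig0/3 outside); hostnames, addresses (RFC 5737 ranges) and the key are constructed placeholders.

```cisco
! Added example (not from the course): ASA active/standby failover with a
! separate state link. Addresses, hostnames and the key are placeholders.
!
! ===== Primary unit (full configuration; it is replicated to the peer) =====
hostname asa-primary
!
! Failover and state links carry no nameif / ip address of their own; the
! failover commands below address them. Use a dedicated, isolated link
! (back-to-back cable or its own VLAN): config sync and session state cross it.
interface GigabitEthernet0/0
 description F1 failover link (hellos + configuration sync)
 no shutdown
interface GigabitEthernet0/1
 description F2 state link (connection and VPN session state replication)
 no shutdown
!
! Data interfaces get an active and a standby address. Whichever chassis
! holds the active role owns the active address (and MAC); the other chassis
! answers only on the standby address, so configure one on every interface
! you manage through, including management.
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 no shutdown
!
failover lan unit primary
failover lan interface F1 GigabitEthernet0/0
failover interface ip F1 203.0.113.1 255.255.255.252 standby 203.0.113.2
failover link F2 GigabitEthernet0/1
failover interface ip F2 203.0.113.5 255.255.255.252 standby 203.0.113.6
! Without a key, sync traffic (including VPN preshared keys and replicated
! session state) crosses the link in clear text. Newer releases can also
! wrap the links in IPsec: failover ipsec pre-shared-key <key>
failover key <strong-failover-key>
failover replication http
failover
!
! ===== Secondary unit (bootstrap only; the rest is synced from the peer) =====
failover lan unit secondary
failover lan interface F1 GigabitEthernet0/0
failover interface ip F1 203.0.113.1 255.255.255.252 standby 203.0.113.2
failover key <strong-failover-key>
failover
! (The state link is part of the replicated configuration; if your release
!  needs it bootstrapped too, repeat the two F2 lines here.)
!
! Checks on either unit:
!   show failover            (This host / Other host roles, link state, sync)
!   show failover state
!   show interface ip brief  (Method "config" = pushed by the active peer)
! Planned switchover, typed on the active unit:  no failover active
```

After a switchover the active address you had open in ASDM now answers on the other chassis, and the unit that went to standby is reachable only at a standby address; if the management interface has none, it is unreachable until it becomes active again.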
