WEBVTT

00:01.580 --> 00:05.210
So if you have a look at the topology, it's exactly like it was yesterday.

00:06.180 --> 00:08.280
Except for this device.

00:08.280 --> 00:11.610
Yesterday it was what, an IOS?

00:12.120 --> 00:13.770
Now it's a.

00:15.190 --> 00:18.220
Now it is, right?

00:18.280 --> 00:19.330
That's the only difference.

00:19.360 --> 00:23.440
The first thing that I want you to understand is we are going to be doing thick client today.

00:24.010 --> 00:29.410
Yesterday we saw thin client mode and clientless mode, thick client.

00:29.440 --> 00:30.850
What is a thick client?

00:35.020 --> 00:36.070
It's just like your.

00:40.830 --> 00:41.860
And what do you have?

00:41.870 --> 00:42.800
You have a server.

00:43.340 --> 00:46.280
Then you have a client, a VPN client.

00:46.280 --> 00:52.040
You double click on it, you connect on it, you get an IP address, you have an adapter, all those

00:52.040 --> 00:53.570
different features which you have.

00:53.840 --> 00:58.490
Cisco's implementation of SSL VPN client is called.

01:00.430 --> 01:00.850
Any.

01:02.320 --> 01:02.830
Connect.

01:04.470 --> 01:06.060
The client is called Cisco.

01:06.330 --> 01:07.500
Cisco AnyConnect VPN.

01:08.420 --> 01:09.320
But SSL VPN.

01:10.520 --> 01:10.990
Okay.

01:11.000 --> 01:12.920
You can see this work, actually.

01:13.710 --> 01:18.900
But first of all, one question arises when C1 connects.

01:20.110 --> 01:26.350
When someone comes up and creates a connection, does he need to have the client pre-installed, or can he

01:26.380 --> 01:27.620
download it from the.

01:29.430 --> 01:33.570
There is a possibility where you can download it from the ASA for that.

01:33.570 --> 01:38.430
The first thing you have to do is get the file. It is a package file, not an exe file.

01:38.490 --> 01:40.260
You get a package file and install it.

01:40.260 --> 01:40.800
Where?

01:41.730 --> 01:42.990
Keep it in the flash of the.

01:44.210 --> 01:47.570
A bike is fine once you keep it in the flash.

01:47.600 --> 01:53.210
Then when someone tries to access it, the device, the moment it tries to access the device, it can

01:53.210 --> 01:55.940
download it from your client VPN.

01:56.360 --> 01:58.400
You get an option to download the thick client.

01:58.430 --> 02:00.320
You can download the thick client onto.

02:01.830 --> 02:03.750
That's why you see this extra link here.

02:03.870 --> 02:04.320
Why?

02:04.350 --> 02:08.160
Because if I do it directly connected, because I have my TFTP server here.

02:10.390 --> 02:11.440
From the TFTP server.

02:11.440 --> 02:12.340
I'm going to copy that.

02:12.340 --> 02:12.910
AnyConnect.

02:12.910 --> 02:17.230
AnyConnect file and paste it where? Into the flash.

02:17.800 --> 02:19.240
So later we can use it.

02:19.630 --> 02:21.430
Right now I'm just going to keep it there.

02:23.260 --> 02:24.340
How do you do that?

02:25.430 --> 02:26.660
As simple as this.

02:26.690 --> 02:28.700
First of all, locate where your file is.

02:28.910 --> 02:32.600
In my case, that file is right here.

02:34.180 --> 02:37.540
AnyConnect win whatever 3.0 pkg.

02:39.450 --> 02:39.690
Right.

02:40.140 --> 02:42.330
And there's also another thing called CSD.

02:42.390 --> 02:43.680
Cisco Secure Desktop.

02:44.770 --> 02:46.450
We'll see what this does later.

02:46.480 --> 02:48.010
Right now, what I'll do is.

02:51.770 --> 02:57.860
I just go here and on the ASA, I will configure the interfaces of the ASA.

02:58.080 --> 03:04.640
Now, for those of you who have not done ASA before, right, it's really exactly the same with subtle

03:04.640 --> 03:05.480
differences.

03:05.510 --> 03:09.560
What subtle differences? show ip interface brief is show interface ip brief.

03:11.580 --> 03:14.580
The same interfaces which you see; the command which you view

03:14.610 --> 03:16.590
it from is a little different.

03:17.250 --> 03:19.500
Now which interfaces do I need to configure?

03:20.470 --> 03:22.660
I have one, two and three.

03:22.780 --> 03:24.670
One is pointing to the inside.

03:24.700 --> 03:26.410
Two is pointing to the outside.

03:26.440 --> 03:27.650
Three is on the side.

03:27.670 --> 03:33.430
Now, another good thing that you do is on the interfaces.

03:33.430 --> 03:37.150
Usually you only specify IP address and you say no shutdown.

03:37.420 --> 03:40.780
Here, you don't do two things, you do four things: IP.

03:42.110 --> 03:42.320
No.

03:42.320 --> 03:42.770
Shut.

03:44.780 --> 03:46.340
You name the interfaces.

03:46.340 --> 03:49.160
So if this is your inside network, you'll call it.

03:51.280 --> 03:52.840
And you give it a security level.

03:53.290 --> 03:59.410
Usually the more trusted interface, meaning inside, is given a higher security level.

03:59.530 --> 04:02.770
The outside ones are given a lower security level.

04:05.170 --> 04:09.910
Basically saying that this is a trusted interface and these are not trusted for traffic.

04:10.000 --> 04:11.980
So let's do that here now.

04:12.010 --> 04:15.190
E one is pointing towards the inside network.

04:15.430 --> 04:17.800
So I'll say interface gigabit one.

04:18.940 --> 04:21.640
IP address is 10.11.11.10.

04:21.670 --> 04:22.870
A common convention

04:22.870 --> 04:25.810
is that all the addresses on a firewall

04:25.810 --> 04:26.950
we keep as dot ten.

04:27.100 --> 04:28.780
Common convention that we use.

04:29.710 --> 04:30.040
Um.

04:30.040 --> 04:30.280
No.

04:30.280 --> 04:30.730
Shut.

04:31.890 --> 04:40.260
What else? The name is called inside, and then security level 100, which is already set by default.

04:41.420 --> 04:42.800
But a good practice is to.

04:43.280 --> 04:44.030
Keep on doing that.

04:44.420 --> 04:46.730
So security level, four things, right?

04:46.920 --> 04:47.600
Interface.

04:47.600 --> 04:53.810
The other one is GigabitEthernet 2; IP address is 151.3.10.

04:55.850 --> 04:57.350
No shut. nameif.

04:57.350 --> 05:01.370
I'll call it outside, and security level I'll give as zero.

05:05.240 --> 05:05.480
Right.

05:05.480 --> 05:05.870
So.

05:08.060 --> 05:09.430
show interface ip brief.

05:10.370 --> 05:12.050
We'll show you the remaining interfaces.

05:12.050 --> 05:14.650
Right now, I should be able to ping the devices.

05:14.660 --> 05:15.440
10.11.

05:15.440 --> 05:16.310
11.1.

05:17.680 --> 05:19.570
151 .3..

05:20.900 --> 05:22.400
3 is R3.

05:22.670 --> 05:24.920
I can ping those interfaces, which is a good sign.

05:28.450 --> 05:28.930
Okay.

05:29.230 --> 05:34.270
Also, what I'll do is I'll configure this extra interface because I want a direct connection between

05:34.270 --> 05:35.980
the ASA and the TFTP server.

05:36.250 --> 05:37.120
I want to download it.

05:37.150 --> 05:37.870
It'll take time.

05:37.870 --> 05:40.600
If it goes through R3, it does take more time.

05:41.110 --> 05:42.730
It's much quicker if you do it this way.

05:43.060 --> 05:46.360
So I'll configure that interface also.

05:46.570 --> 05:47.530
35.

05:47.580 --> 05:47.830
Right.

05:47.830 --> 05:48.330
Yes.

05:48.870 --> 05:54.960
So that's interface GigabitEthernet 3; IP address is 151.35.

05:54.990 --> 05:56.010
Let's say this is ten.

05:58.140 --> 06:01.540
No shut, nameif, I can call this anything, mgmt.

06:02.650 --> 06:03.850
Security is zero.

06:03.850 --> 06:04.090
Right?

06:04.090 --> 06:05.370
So I'll change it to.

06:06.890 --> 06:07.910
Keep the security levels.

06:14.420 --> 06:20.960
show interface ip brief should show you this interface is up. 35.25, for ping.

06:20.960 --> 06:21.950
I'm pinging the PC.

06:24.020 --> 06:27.620
35.3 is R3 on the other side.

06:29.570 --> 06:29.840
Right.

06:29.840 --> 06:32.180
So from here, I'm pinging both of these devices.

06:33.810 --> 06:36.840
That'd be enough for the diagram right now.

06:37.050 --> 06:38.130
What is the job?

06:40.160 --> 06:42.890
The first thing that I'll do is I'll copy that AnyConnect image.

06:43.520 --> 06:44.510
So I'll say copy.

06:46.640 --> 06:48.650
From TFTP to

06:49.400 --> 06:52.880
flash. Make sure that the TFTP server is running.

07:17.590 --> 07:18.070
Okay.

07:38.500 --> 07:39.920
Both this and the other one.

07:51.110 --> 07:53.230
2151 lakh.

07:53.260 --> 07:57.310
The server is 25 dot sorry, 35.25.

07:58.860 --> 07:59.730
The image name.

08:02.570 --> 08:03.380
I have to copy it.

08:03.380 --> 08:04.040
Exactly.

08:11.640 --> 08:12.290
Destination file.

08:12.300 --> 08:13.200
Name the same.

08:13.560 --> 08:15.210
Error reading the file.

08:15.900 --> 08:17.100
Because of the TFTP server.

08:18.680 --> 08:19.070
There you go.

08:19.070 --> 08:20.420
Just a problem with the server.

08:20.660 --> 08:23.540
Now we'll copy the file from.

08:24.230 --> 08:27.230
the TFTP server, put it where? In the flash.

08:27.560 --> 08:29.720
Then you can later access this file.

08:30.460 --> 08:32.800
Right to be used as the thin client.

08:32.890 --> 08:33.520
Thin client.

08:34.760 --> 08:36.410
Until this happens.

08:39.510 --> 08:41.100
Let's talk about the concept again.

08:41.130 --> 08:43.590
The concept is going to be exactly the same.

08:43.590 --> 08:44.430
No change at all.

08:45.540 --> 08:47.730
ASA is going to act as what?

08:49.750 --> 08:52.210
Your web VPN server.

08:54.920 --> 08:59.630
First we'll try this clientless mode, so it will create a tunnel.

09:01.970 --> 09:03.640
Between itself and C1.

09:04.770 --> 09:06.210
Eventually through the tunnel.

09:06.210 --> 09:10.520
Only specific traffic can go: FTP, HTTP and CIFS.

09:11.750 --> 09:16.460
Can go through it, right, Because it doesn't know how to tunnel the rest of the traffic.

09:16.700 --> 09:17.780
For tunneling.

09:19.740 --> 09:22.230
That decline in clientless.

09:25.360 --> 09:27.970
Through the I created the switch because.

09:28.000 --> 09:29.500
No, it's actually through here.

09:31.740 --> 09:34.410
I created the switch so that I can go to the TFTP server.

09:36.150 --> 09:38.010
I'm copying the file right directly.

09:38.040 --> 09:40.110
Otherwise it takes a lot of time to copy.

09:40.860 --> 09:41.490
I cannot.

09:41.490 --> 09:42.360
I can remove it.

09:42.360 --> 09:45.120
I'll remove it in a bit just to clear the confusion away.

09:46.020 --> 09:46.290
Right.

09:46.290 --> 09:49.740
So this would be where the tunnel will be created again.

09:50.220 --> 09:51.330
Clientless.

09:51.480 --> 09:56.340
It doesn't know how to tunnel the applications through, so only certain applications are allowed.

09:56.370 --> 10:02.970
Then we moved on to the thin client mode, where from the ASA or from the device which we were using yesterday,

10:03.000 --> 10:03.630
IOS.

10:03.660 --> 10:06.510
We ran that Java application which does nothing.

10:06.510 --> 10:08.520
It just guides the traffic through the tunnel.

10:09.240 --> 10:13.320
So all the port numbers can be mapped to local port numbers.

10:13.320 --> 10:18.660
When it sees those local port numbers, it will guide all that traffic through the tunnel to the VPN

10:18.660 --> 10:20.130
server or the SSL gateway.

10:21.340 --> 10:23.050
We saw that also today.

10:23.050 --> 10:25.300
What we are also going to see is the thick client mode.

10:25.660 --> 10:27.670
We'll talk about it when we reach there.

10:29.430 --> 10:30.090
By now.

10:30.240 --> 10:31.620
The copy is complete, right.

10:31.920 --> 10:33.330
Let me save this.

10:35.400 --> 10:37.230
I don't think I'll be able to remove this.

10:38.620 --> 10:38.910
Yep.

10:39.690 --> 10:40.890
I'll have to shut this off.

10:43.810 --> 10:44.410
Then remove it.

10:50.570 --> 10:51.140
Hopefully.

10:51.140 --> 10:52.910
Let's see if it comes up.

10:56.380 --> 10:57.160
Many dangers.

11:00.120 --> 11:00.690
It is.

11:02.490 --> 11:04.650
Yeah, especially with the new one.

11:07.940 --> 11:08.660
You have the new one.

11:08.710 --> 11:11.750
It's more than even this.

11:12.050 --> 11:13.580
This one is even stable.

11:15.380 --> 11:16.870
No, I mean the old GNS.

11:17.540 --> 11:18.470
The new one is.

11:18.770 --> 11:19.810
The new one is.

11:19.850 --> 11:21.020
You're not using the old one.

11:22.640 --> 11:24.620
You're using 8.6.

11:26.820 --> 11:28.320
I'm using 8.6, it's stable.

11:28.320 --> 11:30.420
But the new one that they have 1.2.

11:31.260 --> 11:33.250
Is the is not able to.

11:34.110 --> 11:34.770
What I've seen.

11:36.640 --> 11:37.840
Maybe with updates.

11:44.000 --> 11:46.190
As long as you see this is happening, it should be fine.

11:46.190 --> 11:47.270
It should come back up again.

11:51.020 --> 11:51.200
Okay.

11:51.200 --> 11:53.690
So again, the concept is the same. Internet.

11:53.720 --> 11:56.160
You're connected to the Internet through a public network.

11:56.180 --> 11:57.890
People will connect up to you.

11:58.730 --> 12:00.650
Access HTTP services.

12:00.650 --> 12:04.250
So let's go and create HTTP services here first.

12:06.870 --> 12:08.250
ip http server.

12:09.650 --> 12:09.940
I do.

12:09.950 --> 12:11.180
I'll keep it as it is.

12:12.110 --> 12:13.220
Check out your flash.

12:15.860 --> 12:16.250
The flash.

12:16.250 --> 12:17.580
Now you have another image.

12:17.600 --> 12:18.470
AnyConnect image.

12:19.970 --> 12:21.110
We will use it later.

12:22.660 --> 12:23.050
Okay.

12:23.470 --> 12:27.580
For now, let's see how to enable the SSL VPN here.

12:27.940 --> 12:28.660
Remember yesterday?

12:28.660 --> 12:29.740
What did we have to do?

12:30.460 --> 12:33.060
We created a set of policies.

12:33.070 --> 12:34.690
First we created a gateway.

12:34.720 --> 12:36.310
Then we created a context.

12:36.310 --> 12:37.060
In the context.

12:37.090 --> 12:38.560
We created policies.

12:38.560 --> 12:40.320
We made changes to the policies.

12:40.330 --> 12:43.510
Then we called domain name, username, password.

12:43.510 --> 12:44.660
So many different things, right?

12:46.350 --> 12:48.180
To check to see here.

12:48.180 --> 12:54.030
All you have to do is webvpn, enable, and on which interface do I want to enable it?

12:59.660 --> 13:00.050
That's all.

13:04.180 --> 13:05.110
Command is.

13:09.000 --> 13:09.690
webvpn.

13:11.940 --> 13:13.980
enable, on the outside.

13:15.860 --> 13:17.330
I want to enable web VPN.

13:18.200 --> 13:20.640
Remember I told you the interfaces are given names now.

13:20.660 --> 13:22.640
So this is inside and this is outside.

13:22.880 --> 13:25.340
I want to enable web VPN on the outside.

13:26.460 --> 13:26.730
Great.

13:27.650 --> 13:29.930
Let's check and see if this is working Now.

13:29.930 --> 13:33.410
This can be opened from Chrome: https.

13:34.460 --> 13:38.600
150 .1. 2010.

13:39.290 --> 13:43.940
Now the thing is, first of all, I'll have to see if I have reachability to this.

13:46.390 --> 13:47.080
They don't.

13:47.970 --> 13:49.320
35.3.

13:51.350 --> 13:55.010
It is not known where the 20 network is. It's 30 point.

14:02.550 --> 14:06.300
Steady return because I have to add a route on the firewall.

14:07.990 --> 14:16.060
The way you add a route: earlier, it used to be like this, route 0.0.0.0 0.0.0.0 and 151.3.3, right? Earlier,

14:16.060 --> 14:17.200
This is what we used to be.

14:17.750 --> 14:19.580
Now you remove the ip.

14:21.690 --> 14:25.170
After route, you specify which interface this belongs to.

14:25.840 --> 14:26.670
Rest is the same.

14:27.940 --> 14:28.300
Okay.

14:28.660 --> 14:32.710
Basically want to make sure that I can reach 30.25.

14:37.970 --> 14:38.510
So.

14:41.160 --> 14:43.170
I have 30.10 on the upside.

14:43.860 --> 14:45.750
I need to remove that interface.

14:51.390 --> 14:52.220
clear configure.

14:52.870 --> 14:55.740
Clears complete configuration on that interface.

14:55.890 --> 14:56.220
Clear.

14:56.220 --> 14:58.100
configure, anything you type in there,

14:58.110 --> 15:00.810
whatever you type will actually be completely cleared.

15:03.140 --> 15:03.500
Finished.

15:04.500 --> 15:07.170
151 dot not 3.15.

15:14.070 --> 15:15.090
Directly connected, right.

15:15.880 --> 15:17.640
30. Let's check from R3.

15:17.670 --> 15:18.930
Can I reach from R3?

15:19.200 --> 15:21.030
show ip interface.

15:25.330 --> 15:26.620
35.

15:27.250 --> 15:28.300
35.25.

15:28.330 --> 15:29.170
Not 30.20.

15:33.530 --> 15:34.520
35.5.

15:36.880 --> 15:37.240
Zillow.

15:38.050 --> 15:39.910
Let's check what route I have given here.

15:42.400 --> 15:43.560
Crowded as an eater out.

15:43.690 --> 15:44.830
It's directly connected, right?

15:46.460 --> 15:47.360
Let's check from here.

15:49.690 --> 15:50.430
On 51.

15:50.430 --> 15:51.520
Not from here.

15:51.520 --> 15:52.390
I don't have a route.

15:53.990 --> 15:54.590
From the PC.

15:54.590 --> 15:55.760
I don't have a return route.

15:59.860 --> 16:02.650
At 151, I have to give it out to 30.0.

16:02.680 --> 16:04.120
I gave it out to 20.0.

16:09.360 --> 16:10.950
It's using the Internet right now to go out.

16:12.830 --> 16:14.690
You can only have one default gateway, right?

16:15.610 --> 16:16.490
Right now he's using.

16:16.490 --> 16:16.910
What?

16:20.660 --> 16:20.950
No, no, no.

16:20.960 --> 16:21.860
I'm using my PC.

16:33.270 --> 16:33.870
This guy.

16:34.080 --> 16:34.350
Three.

16:34.620 --> 16:35.490
That's what I did.

16:36.840 --> 16:38.220
That's what I was doing here, right?

16:38.460 --> 16:38.740
Right.

16:38.880 --> 16:42.240
Add 151.33.0, which is the network behind

16:43.350 --> 16:43.890
This one.

16:44.850 --> 16:45.570
The next hop is.

16:45.570 --> 16:47.370
151.35.3.

16:47.550 --> 16:48.990
Next hop is 35.3.

16:49.020 --> 16:53.070
The confusion was because yesterday I used the 151.20 network here.

16:53.220 --> 16:55.200
That's why today in my head I was using the same.

16:55.200 --> 16:56.640
But now it's 30.

16:57.000 --> 16:57.900
It's not 20.

16:58.440 --> 17:04.590
So the way you try to open it is 151.30 dot, and after your routing is done.

17:06.550 --> 17:07.000
Correct.

17:07.860 --> 17:10.920
Advanced, proceed; it's giving you the certificate.

17:10.950 --> 17:12.360
Handshake is complete.

17:12.780 --> 17:13.710
Username and password.

17:15.070 --> 17:19.120
What was the command that you had to use? webvpn, enable outside.

17:21.240 --> 17:23.940
The moment you do that, a set of keys is created.

17:23.970 --> 17:25.680
All of that is done for you.

17:25.770 --> 17:27.960
A customized page right in front of you.

17:29.010 --> 17:30.420
That's one big difference.

17:30.450 --> 17:35.430
The other big difference is, again, first of all, you have to understand that ASA was built to do

17:35.430 --> 17:36.210
SSL VPN.

17:37.450 --> 17:40.120
So it is quite easy as compared to IOS.

17:40.150 --> 17:43.360
It's more streamlined again here than there.

17:44.050 --> 17:44.560
Right.

17:44.590 --> 17:51.190
Another thing that you have to understand, a significant difference is you don't have that anymore.

17:52.600 --> 17:53.770
You don't have.

17:54.040 --> 17:59.110
Remember yesterday we had two different pages, two different sets of pages, one for sales,

17:59.110 --> 17:59.950
one for admin.

17:59.950 --> 18:06.180
So we had to do forward slash sales, forward slash admin and so many different things here on the web.

18:06.520 --> 18:07.210
You don't have that.

18:07.360 --> 18:13.230
It's solely based on what username and password, whatever username and password you use, it will take

18:13.240 --> 18:13.390
you.

18:16.380 --> 18:16.770
Okay.

18:18.120 --> 18:18.760
Nortriptyline.

18:19.170 --> 18:21.300
Yes, you have to specify internal and external.

18:21.300 --> 18:23.670
You have to specify because you need to find out a way.

18:23.910 --> 18:26.970
If you have an AAA server, you need to link up to the AAA server.

18:27.360 --> 18:30.030
That is, there is a possibility to do that.

18:30.030 --> 18:34.770
But yesterday we had pages, right, context, different context.

18:34.770 --> 18:36.480
Here you don't have context.

18:37.020 --> 18:39.150
Everything will be done on a single page.

18:39.330 --> 18:43.590
Now, depending upon what username you're using, you will be given with a different page, but you

18:43.590 --> 18:46.800
don't have to use a forward slash and open a different domain.

18:48.270 --> 18:51.090
Okay, now what do I need to do to log in?

18:52.620 --> 18:54.990
Get I need to get in.

18:54.990 --> 18:55.320
Right.

18:55.320 --> 19:00.120
But two things that we have to know about, just like yesterday here.

19:00.120 --> 19:02.070
Also, I'll have a policy.

19:04.210 --> 19:04.990
Just like yesterday.

19:04.990 --> 19:08.230
We had a policy and I will bind it.

19:11.610 --> 19:12.510
Usernames.

19:16.030 --> 19:16.630
Yesterday.

19:16.630 --> 19:17.890
We didn't bind it to usernames.

19:17.920 --> 19:20.120
Today we'll be binding it to usernames.

19:20.140 --> 19:21.070
Let me show you how.

19:22.740 --> 19:24.030
First you create a policy.

19:28.940 --> 19:31.090
It's group policy.

19:32.090 --> 19:33.350
It's called group policy.

19:33.980 --> 19:34.610
Name it.

19:34.610 --> 19:36.950
Anything you want right now.

19:36.950 --> 19:37.730
Just like yesterday.

19:37.730 --> 19:38.720
I'll call it admin.

19:39.560 --> 19:40.220
Policy.

19:41.250 --> 19:44.340
This is where you specify internal or external.

19:44.340 --> 19:45.690
External would mean what?

19:47.360 --> 19:49.760
On an AAA server. Internal means

19:50.240 --> 19:51.950
I have configured it here.

19:53.610 --> 19:55.290
Better consider the policy here.

19:55.290 --> 19:56.430
So I'll say internal.

19:57.540 --> 20:03.000
See, when I do this and I use the group policy admin policy again.

20:03.700 --> 20:04.810
You'll see changes now.

20:05.140 --> 20:06.400
I press the question mark.

20:06.430 --> 20:08.500
You'll see an extra keyword here.

20:09.970 --> 20:14.560
That's because once you specify it's internal, then you get the option for attributes.

20:14.800 --> 20:16.090
Click on attributes.

20:16.120 --> 20:17.260
What can you do?

20:17.290 --> 20:18.730
You can do a lot of things.

20:24.090 --> 20:24.500
Right now.

20:24.500 --> 20:26.030
Let's just do a simple thing.

20:26.150 --> 20:28.850
Banner value.

20:30.510 --> 20:31.500
Is.

20:32.960 --> 20:34.180
Welcome admins.

20:37.570 --> 20:37.990
That's it.

20:40.320 --> 20:41.750
There's a lot of other features also.

20:41.760 --> 20:43.050
We'll have a look at that.

20:43.260 --> 20:47.160
But for now, what I did was group.

20:49.160 --> 20:49.850
Policy.

20:50.690 --> 20:51.770
Call it admin.

20:53.440 --> 20:54.220
Context.

20:55.660 --> 20:58.480
Right specified that this is an internal policy.

21:00.430 --> 21:01.780
Then to the same policy.

21:01.780 --> 21:02.500
I said, What?

21:03.410 --> 21:05.210
Let's change the attributes of the policy.

21:06.460 --> 21:06.930
Banner.

21:08.320 --> 21:08.890
Value.

21:10.100 --> 21:10.610
is.

21:15.450 --> 21:19.590
By the way, to have a welcome message on a banner is quite dangerous.

21:21.300 --> 21:21.780
Should know.

21:21.780 --> 21:23.220
Shouldn't have welcome in there.

21:23.790 --> 21:25.770
It was actually a court case.

21:25.770 --> 21:28.110
Yeah, you're actually saying welcome.

21:28.110 --> 21:30.510
So basically, if you can do anything you want.

21:30.540 --> 21:35.190
I mean, there was actually a case where the hacker said.

21:36.800 --> 21:37.700
It wasn't nuggets.

21:37.700 --> 21:38.720
I've read it somewhere.

21:38.720 --> 21:39.200
I remember.

21:39.740 --> 21:40.140
Yeah.

21:40.350 --> 21:40.860
Yeah.

21:40.910 --> 21:41.340
Some of the.

21:41.360 --> 21:42.590
One of the videos I remember.

21:42.590 --> 21:44.210
Yes, exactly.

21:44.210 --> 21:46.880
So we showed it up.

21:46.880 --> 21:47.210
He said.

21:47.390 --> 21:48.140
It said welcome.

21:48.140 --> 21:49.460
So I just followed what you said.

21:49.460 --> 21:50.150
You said welcome.

21:50.150 --> 21:50.900
I just went in.

21:51.800 --> 21:52.190
Right.

21:52.760 --> 21:56.810
So every company has policies usually for these banner messages.

21:58.770 --> 21:59.730
IP interface brief.

22:00.690 --> 22:02.230
Everything is okay from this end.

22:02.250 --> 22:04.170
What I want to do is banner is set up.

22:04.650 --> 22:06.000
Where do I bind it?

22:10.230 --> 22:10.840
Usernames.

22:11.400 --> 22:12.600
I'll say username.

22:15.140 --> 22:16.000
Password.

22:16.010 --> 22:16.660
Cisco.

22:18.310 --> 22:23.740
And also say username and attributes.

22:25.080 --> 22:26.550
Shah's attributes.

22:26.580 --> 22:28.440
What attributes do you want to have?

22:28.680 --> 22:29.490
A lot of things.

22:29.490 --> 22:32.070
The only one which I care about right now is.

22:33.280 --> 22:35.590
What is the group policy that will be given to him?

22:37.110 --> 22:38.340
What is the name of that policy?

22:38.340 --> 22:38.880
Admin.

22:42.090 --> 22:42.900
Admin policy.

22:45.100 --> 22:46.930
So then you go to the username.

22:49.880 --> 22:51.140
I mean, context.

22:51.920 --> 22:53.930
I don't know why I named it context.

22:54.930 --> 22:56.470
Should have been admin policy.

22:56.840 --> 22:57.680
Let me remove that.

23:05.170 --> 23:06.850
Clear configure group.

23:10.200 --> 23:11.410
Policy admin.

23:12.740 --> 23:13.340
Policy.

23:14.270 --> 23:15.700
Internally, I'm creating it again.

23:16.670 --> 23:18.740
Attributes banners.

23:22.910 --> 23:23.150
Value.

23:37.040 --> 23:38.240
Show run.

23:40.430 --> 23:41.010
Show run.

23:48.590 --> 23:53.840
Another good thing about the ASA is you can just write show run, type the first few letters of

23:53.840 --> 23:55.970
what you want to see from the running configuration.

23:55.970 --> 23:57.710
It will only show you that part.

23:57.920 --> 23:59.870
So it seems okay.

23:59.870 --> 24:03.170
Right now the VPN is enabled on the outside interface.

24:03.200 --> 24:09.710
My group policy is admin policy, where I'm saying the banner is Welcome admins; then username is here.

24:09.710 --> 24:15.320
password, whatever; attributes; in the attributes I just call the vpn-group-policy.

24:15.320 --> 24:17.600
So I'm binding the username to the policy.

24:17.600 --> 24:20.990
Now when I go here if the same user comes in.

24:23.730 --> 24:25.110
Is already bound to the policy.

24:25.110 --> 24:27.570
The policy says you have a banner.

24:34.870 --> 24:35.290
Banner.

24:36.570 --> 24:37.260
Continue.

24:38.580 --> 24:41.070
This is your SSL VPN page.

24:42.020 --> 24:43.580
What protocols are allowed?

24:45.310 --> 24:45.640
If you.

24:48.380 --> 24:52.490
HTTP, HTTPS, CIFS and FTP.

24:55.150 --> 24:57.980
The HTTP, that's the whole point of it, right?

24:59.090 --> 24:59.760
That's the whole point.

24:59.780 --> 25:04.250
You want to go to, basically go to 10.11.11.1 right now.

25:04.250 --> 25:05.180
Not available.

25:05.750 --> 25:06.230
10.11.

25:06.230 --> 25:07.160
11.2.

25:08.340 --> 25:09.060
Not available.

25:09.060 --> 25:09.390
Why?

25:14.360 --> 25:15.380
Can the ASA see them?

25:16.220 --> 25:16.940
Yes, it can.

25:17.690 --> 25:18.710
I'll go to both of them.

25:18.770 --> 25:20.270
ip http server.

25:21.960 --> 25:22.740
As you also.

25:26.510 --> 25:26.720
Not.

25:33.620 --> 25:35.090
No, you don't have to.

25:35.840 --> 25:38.390
Since it's a VPN and VPN, you don't have to worry about it.

25:39.660 --> 25:40.050
There you go.

25:41.580 --> 25:43.410
In the tunnel, it is not inspected.

25:44.710 --> 25:45.340
By default.

25:45.340 --> 25:45.700
It's not.

25:45.700 --> 25:46.810
If you want, you can.

25:50.740 --> 25:51.060
Traffic.

25:53.760 --> 25:55.320
If it's coming through a tunnel, then no.

25:56.310 --> 25:59.160
If the tunnel is decapsulating on the ASA, then no.

26:01.840 --> 26:02.290
Okay.

26:04.170 --> 26:07.920
Who's going to do these devices if you debug on R1 and R2?

26:07.950 --> 26:08.700
The same thing.

26:08.700 --> 26:09.810
We're not doing anything new.

26:11.620 --> 26:12.270
Yes.

26:13.190 --> 26:13.640
Right now.

26:13.640 --> 26:21.170
Also, if I go to R1 and R2, debug ip icmp, and I'm trying to access the device from where? Here?

26:22.870 --> 26:25.720
From my client, I can access the device.

26:26.170 --> 26:28.480
If you go and check here right now.

26:30.810 --> 26:31.770
Let me just.

26:32.010 --> 26:32.570
Oh, I did.

26:32.580 --> 26:33.120
I seem to.

26:34.820 --> 26:36.430
IP TCP packets.

26:40.250 --> 26:40.700
Debug.

26:46.090 --> 26:50.290
Now again, let's click somewhere just to see.

26:51.930 --> 26:52.560
The sources.

26:52.560 --> 26:53.100
10.11.

26:53.100 --> 26:53.400
11.

26:53.670 --> 26:54.090
10.

26:57.090 --> 27:03.360
So even though I'm trying to access from this device, even though from here to here, the connection

27:03.360 --> 27:07.830
is HTTPS; from the ASA to R1, it's HTTP.

27:08.550 --> 27:10.380
So the S is added.

27:10.380 --> 27:10.830
Where?

27:14.350 --> 27:15.760
This, for me, is not through.

27:16.540 --> 27:17.680
The tunnel is through the.

27:18.890 --> 27:20.260
Then it goes through the server.

27:23.780 --> 27:24.590
Anything to the ASA.

27:27.900 --> 27:29.010
Because you're going through the tunnel.

27:31.690 --> 27:31.890
On.

27:34.240 --> 27:37.720
But from him to the others, it's a to connection, not a through connection.

27:45.870 --> 27:46.470
Three news.

27:50.570 --> 27:54.800
And want to show you three were used in by default.

27:54.830 --> 27:57.650
This connection table shows you the connections which are through you.

27:59.420 --> 28:01.760
Not the connections from you to the other devices.

28:01.850 --> 28:04.610
If that connection was going through, its from you.

28:04.610 --> 28:06.620
It doesn't maintain a state table for that.

28:07.350 --> 28:10.530
State table is only maintained for through traffic.

28:10.530 --> 28:10.710
Right.

28:10.800 --> 28:13.710
Traffic which is coming from one side and coming back.

28:13.920 --> 28:14.730
Why do you need that?

28:14.730 --> 28:16.800
Because you want traffic to come back through.

28:21.510 --> 28:22.590
This is to traffic.

28:22.890 --> 28:24.030
To traffic to the ASA.

28:25.210 --> 28:27.640
This traffic is to the ASA from both ends.

28:27.640 --> 28:28.410
From this end.

28:28.420 --> 28:29.200
From the other end.

28:29.230 --> 28:29.900
From this end.

28:29.920 --> 28:31.480
It is decapsulation from the tunnel.

28:33.270 --> 28:33.510
Right.

28:33.870 --> 28:35.250
Then he makes the decision.

28:38.150 --> 28:38.280
The.

28:40.800 --> 28:40.930
It.

28:42.690 --> 28:43.950
No, no, no, no.

28:43.980 --> 28:45.440
By default, it does matter.

28:45.450 --> 28:51.990
That's the biggest thing that matters: if traffic, by default, the policy on an ASA is here.

28:51.990 --> 28:53.460
It's not because it's through.

28:53.490 --> 28:54.270
It's allowed.

28:54.300 --> 28:55.740
It's because if.

28:57.140 --> 29:04.940
You have a VPN, which is a policy on the ASA, which is decrypting on the ASA.

29:05.330 --> 29:09.260
It doesn't need to go through the checks because you're creating a tunnel.

29:10.410 --> 29:12.660
And to create a tunnel is not easy.

29:12.660 --> 29:14.100
You have to do a lot of stuff.

29:14.310 --> 29:19.830
So it thinks of this in such a way that if the administrator has gone through all that pain to create

29:19.830 --> 29:23.220
the tunnel, I'm sure that the traffic that is coming through it is safe.

29:24.080 --> 29:27.290
So it doesn't inspect it, doesn't stop it.

29:27.740 --> 29:29.420
It lets it go by default.

29:29.420 --> 29:31.100
That is the default behavior of it.

29:31.130 --> 29:32.960
You can change it if you want to.

29:33.500 --> 29:35.240
The way you change it is.

29:36.860 --> 29:39.080
If you check show run at the end of your show.

29:39.080 --> 29:39.500
Run.

29:40.830 --> 29:41.670
You have.

29:42.930 --> 29:45.810
No, you don't have a chance to show it on.

29:48.380 --> 29:48.970
VPN.

29:49.630 --> 29:50.210
Sysopt.

29:53.250 --> 29:53.520
Just.

29:59.070 --> 30:00.160
It's this connection.

30:00.160 --> 30:01.300
It's called permit VPN.

30:05.010 --> 30:09.090
These are certain characteristics and default behaviors of a.

30:09.630 --> 30:14.280
What it does is it is permitting VPN, basically saying whatever is coming through the VPN, permit

30:14.280 --> 30:14.430
it.

30:14.460 --> 30:17.610
Do not let it go through the ACL check, no security check, nothing.

30:18.090 --> 30:19.230
Just let it go.

30:22.030 --> 30:22.410
Okay.

30:25.450 --> 30:26.450
From the piece upping.

30:26.470 --> 30:29.440
Yeah, that is, that is through traffic; that has nothing to do with this.

30:31.830 --> 30:32.850
This is not to traffic.

30:35.410 --> 30:36.640
Directly connected with it.

30:37.570 --> 30:40.630
It's not to traffic, it's decapsulation.

30:40.630 --> 30:42.040
But then it's moving further.

30:42.880 --> 30:43.480
Your packet.

30:43.480 --> 30:46.930
When it comes up, it comes up Like what?

30:47.110 --> 30:52.000
Coming from one 51.35 dot 25 going to.

30:53.500 --> 30:54.520
30.10.

30:55.840 --> 30:56.590
Source port.

30:56.620 --> 30:56.830
X.

30:56.830 --> 30:57.560
X x.

30:57.610 --> 30:58.460
Destination Port.

30:58.480 --> 30:59.320
Let's say forever.

30:59.320 --> 31:00.280
443.

31:00.640 --> 31:04.210
Then your actual message is where we say I want to go.

31:04.300 --> 31:06.010
HTTP to this device.

31:06.840 --> 31:08.820
When the whole packet opens up here.

31:11.780 --> 31:12.740
What does he see?

31:13.220 --> 31:14.810
And the actual request.

31:16.360 --> 31:17.920
Which say is that I want to go where?

31:18.370 --> 31:19.780
To this device.

31:19.780 --> 31:21.490
So you are accepting this?

31:22.440 --> 31:26.580
You are accepting this packet, you're opening it until layer seven, but then you're creating another

31:26.580 --> 31:28.950
packet which is going where to?

31:31.480 --> 31:31.810
So.

31:33.870 --> 31:37.290
In the connection table because it's not see connection table.

31:37.290 --> 31:44.580
It will show you, because it would need what? A source IP, a destination IP, a source protocol number, destination

31:44.580 --> 31:45.210
protocol number.

31:45.210 --> 31:46.590
But what do you see in this?

31:48.260 --> 31:50.210
Only the destination where he wants to go.

31:50.630 --> 31:56.330
The connection does terminate here, but then he moves further with a different kind of a packet.

31:56.480 --> 31:57.590
A separate packet.

31:58.340 --> 31:59.510
He doesn't do that.

31:59.720 --> 32:01.940
He's not maintaining the entries using NAT.

32:02.360 --> 32:06.680
VPN has its own way to maintain the connection; it's not by NAT.

32:09.750 --> 32:10.110
Right.

32:10.110 --> 32:14.730
So it's not like when you talk about the route to traffic, when we are talking about to traffic, we

32:14.730 --> 32:18.330
are basically mentioning traffic that is coming to the interface.

32:18.570 --> 32:20.520
It's not coming to the interface.

32:21.850 --> 32:25.150
This traffic is not coming to the interface just like it was coming before.

32:25.180 --> 32:30.190
Like when you ping the interface or you do something to the interface, this is coming as what?

32:31.200 --> 32:32.820
As HTTPS.

32:34.140 --> 32:34.500
Traffic.

32:36.000 --> 32:38.130
To the interface, HTTPS.

32:38.220 --> 32:43.650
So once it decapsulates there, it sees where it wants to go and then creates a new packet.

32:45.360 --> 32:45.990
To go out there.

32:47.200 --> 32:47.530
Right.

32:47.710 --> 32:48.130
And.

32:48.130 --> 32:48.820
Yes.

32:48.940 --> 32:52.600
What do you need on the ASA to enable services, if you remember?

32:52.690 --> 32:54.730
You need to enable them separately, right?

32:54.730 --> 32:55.780
Services.

32:55.810 --> 32:57.970
So ICMP by default is enabled.

32:58.780 --> 32:59.320
Right.

32:59.320 --> 33:00.790
And the other ones are not.

33:00.790 --> 33:03.160
So you need to go in there and enable them by default.

33:03.190 --> 33:04.960
That's what you did the first time.

33:06.010 --> 33:07.120
Remember the first command.

33:10.090 --> 33:11.050
That's what you're doing.

33:11.440 --> 33:14.680
Enable web VPN on the outside interface.

33:14.860 --> 33:17.860
You're enabling this service on the outside.

33:21.130 --> 33:21.490
ACL?

33:26.130 --> 33:29.930
Not ACL by default, not by default.

33:29.940 --> 33:32.130
It only permits ICMP.

33:33.790 --> 33:34.420
That's it.

33:34.420 --> 33:35.230
Only ICMP.

33:35.470 --> 33:36.610
So you have to enable Telnet.

33:36.610 --> 33:39.640
You have to manually go in there and enable Telnet on the outside interface.

33:39.640 --> 33:41.620
Otherwise no one will be able to telnet into you.

33:42.010 --> 33:44.140
If you want to do SSL, you'll have to enable it.

33:44.140 --> 33:46.000
All the to traffic has to be enabled.

33:46.820 --> 33:50.270
By yourself, except for ICMP.

33:50.630 --> 33:53.120
ICMP is the only service that is running on an ASA.

33:53.210 --> 33:54.620
You can turn it off.

33:58.060 --> 34:00.340
By saying icmp deny any outside.

34:01.840 --> 34:05.730
If you do this, people will not be able to pick up from.

34:08.600 --> 34:08.810
And.

34:10.380 --> 34:10.710
This.

34:13.630 --> 34:14.200
She'll start.

34:16.870 --> 34:17.260
Okay.

34:19.700 --> 34:23.090
Done for now so you can access all those devices.

34:25.010 --> 34:27.050
But what if you wanted to put restriction?

34:28.380 --> 34:34.650
What if I wanted this guy right here to only be able to access right now?

34:35.000 --> 34:35.250
Who?

34:35.400 --> 34:35.680
Shah.

34:35.890 --> 34:37.920
Shah should only be able to access R1.

34:39.050 --> 34:42.110
Should not be able to go to 10.11.11.2.

34:43.450 --> 34:47.050
For this kind of because you're doing URL filtering now, right?

34:47.490 --> 34:50.350
These packets will not be in your ACL.

34:50.440 --> 34:52.540
It won't be on your layer three.

34:52.570 --> 34:54.010
You're actually doing it where?

34:55.600 --> 34:56.260
Layer seven.

34:56.710 --> 34:58.450
Your message is going to be here.

34:59.080 --> 35:01.840
I want to go to 10.11.11.2.

35:02.440 --> 35:05.050
After that is going to be your TCP.

35:05.560 --> 35:11.320
After that, your IP. You want to check what? You cannot apply normal ACLs here.

35:11.440 --> 35:13.450
A special type of ACL will apply here.

35:14.580 --> 35:16.080
Which is known as web type.

35:19.490 --> 35:20.570
Access list.

35:22.290 --> 35:25.090
You name it, anything, I'll call it.

35:25.110 --> 35:25.620
WB.

35:26.910 --> 35:32.070
Then you have an option of extended, standard; you also have an option for.

35:33.570 --> 35:34.050
Webtype.

35:35.960 --> 35:37.430
I'd say web type.

35:37.880 --> 35:39.410
Do you want to permit or deny?

35:39.770 --> 35:43.130
I would want to permit and I'll implicitly deny everything else.

35:43.280 --> 35:45.900
So I'll say permit URL.

35:45.920 --> 35:47.870
What do I want to permit?

35:50.020 --> 35:50.830
HTTP.

35:54.120 --> 35:54.870
10.

35:54.870 --> 35:55.290
11.

35:55.290 --> 35:56.220
11.1.

35:58.570 --> 36:01.480
And deny any is there by default.

36:01.480 --> 36:02.860
So everything else will be denied.

36:04.180 --> 36:08.140
The way you apply it is go to your group policy.

36:13.200 --> 36:14.160
Attributes.

36:16.000 --> 36:17.680
In your group policy attributes.

36:17.680 --> 36:19.180
There is a tab for web VPN.

36:21.480 --> 36:24.270
Which includes your web VPN feature.

36:24.270 --> 36:27.690
So basically you're saying you want to change your web VPN stuff.

36:28.350 --> 36:30.690
In the web VPN, the command is filter.

36:32.980 --> 36:33.460
Value.

36:33.490 --> 36:34.680
What is the name of the VPN?

36:34.780 --> 36:35.110
ACL?

36:37.170 --> 36:37.540
WB.

36:42.350 --> 36:43.490
What does it say in front of?

36:45.300 --> 36:46.710
To show you the type.

36:49.230 --> 36:53.130
Filter is configure the name of web type ACL.

36:57.240 --> 36:58.900
Configure the name of the webtype.

36:59.190 --> 37:00.330
How do you do it again?

37:02.850 --> 37:06.120
First of all, let's finish this: username was, password

37:06.420 --> 37:13.500
we configured was cisco, and then we said username attributes; in the attributes

37:13.500 --> 37:19.050
I said vpn-group-policy was admin.

37:23.190 --> 37:25.340
This gave us access to all the... this was clientless.

37:25.350 --> 37:26.580
That's all the clientless was.

37:26.580 --> 37:27.750
Clientless was, right.

37:28.980 --> 37:32.100
These complete 4 or 5 commands were clientless.

37:34.310 --> 37:38.450
Then the second thing that I'm doing is web type is.

37:40.020 --> 37:41.940
Access list.

37:42.310 --> 37:48.270
WB webtype permit. Permit

37:48.720 --> 37:49.020
What?

37:51.980 --> 37:55.400
HTTP 10.11.11.

37:58.360 --> 38:00.880
Then where do we apply this group?

38:01.730 --> 38:02.330
Policy.

38:02.960 --> 38:06.230
Admin policy attributes.

38:08.140 --> 38:09.880
You say web VPN?

38:09.910 --> 38:11.960
Not under the policy, but under the policy.

38:11.960 --> 38:13.540
You go inside web VPN.

38:14.310 --> 38:16.920
Filter value is.

38:19.270 --> 38:20.770
Let's try and see if this is working.

38:26.480 --> 38:26.790
Ten.

38:26.830 --> 38:28.010
11.11.1.

38:29.060 --> 38:29.720
I can go to ten.

38:29.720 --> 38:29.930
11.

38:29.930 --> 38:30.770
11.1.

38:31.490 --> 38:31.760
Ten.

38:31.760 --> 38:32.060
11.

38:32.060 --> 38:33.020
11.2.

38:35.800 --> 38:36.810
Right now I can.

38:36.820 --> 38:39.430
But what I'll do is I will log out.

38:41.140 --> 38:42.490
I'll come back in again.

38:49.050 --> 38:49.470
Banner.

38:52.700 --> 38:52.970
Ten.

38:52.970 --> 38:53.270
11.

38:53.270 --> 38:54.110
11.2.

38:55.370 --> 38:57.170
Access to this resource has been.

38:59.270 --> 39:01.640
But if you want to go to 10.11.11.1.

39:03.780 --> 39:04.170
All right.

39:06.560 --> 39:06.710
Okay.

39:08.530 --> 39:09.700
Prevent access.

39:10.540 --> 39:14.170
So now the guy has access to only one server, not the others.

39:15.290 --> 39:20.360
We used to do this in VPN using split tunnel ACL, but that was done, if you remember, on layer three.

39:20.930 --> 39:21.320
Why?

39:21.350 --> 39:22.940
Because you had layer three encapsulation.

39:22.940 --> 39:25.430
You had access to layer three devices here.

39:25.430 --> 39:30.950
The problem is R1 doesn't know who is accessing him, R2 doesn't know who is accessing them.

39:31.460 --> 39:34.220
For them, the only connection is created by whom?

39:35.290 --> 39:35.590
This.

39:37.330 --> 39:39.010
They don't know who actually is coming up.

39:39.010 --> 39:42.040
And because the identity of the guy will be lost.

39:42.040 --> 39:43.060
Where on the.

39:44.450 --> 39:46.690
To traffic to be decapsulated.

39:46.970 --> 39:48.380
His identity is finished.

39:48.410 --> 39:51.170
Then is the job to link these two together?

39:52.360 --> 39:53.380
Based on the port numbers.

39:56.370 --> 39:56.820
Okay.

39:58.130 --> 39:58.430
But.

39:59.670 --> 40:00.420
Now.

40:01.730 --> 40:02.600
This is done.

40:03.110 --> 40:04.430
This is your thin client.

40:04.730 --> 40:06.710
The next part is the thin client.

40:09.300 --> 40:11.220
That this will take this out.

40:13.800 --> 40:14.790
The source IP address.

40:19.490 --> 40:20.600
The part that gets.

40:21.710 --> 40:22.140
You would have.

40:26.180 --> 40:27.600
This part doesn't get encrypted.

40:27.620 --> 40:28.940
This is open text.

40:30.750 --> 40:32.940
We have the source and destination, which is from.

40:33.720 --> 40:34.770
We have the public.

40:37.220 --> 40:38.780
No, we don't have the source and destination.

40:39.860 --> 40:41.540
Right now, we don't have the source and destination.

40:41.540 --> 40:41.840
Why?

40:42.620 --> 40:43.880
What are you talking about?

40:43.880 --> 40:45.260
Packet going from here to up?

40:45.560 --> 40:45.830
Yeah.

40:46.820 --> 40:48.670
You don't have source and destination in the packet.

40:48.680 --> 40:50.090
It just says HTTP.

40:51.430 --> 40:53.110
10.11.11.

40:53.380 --> 40:53.980
That's all.

40:55.710 --> 40:56.070
The one.

40:56.460 --> 41:02.610
On top of that, we have the public source and public destination, 443, XXX, and the public source

41:02.610 --> 41:06.360
and destination, which is 35.25.

41:06.450 --> 41:07.550
30.10.

41:09.940 --> 41:11.640
Here there is no source and destination.

41:11.650 --> 41:14.440
It just where the guy does, where does he want to go?

41:15.520 --> 41:16.960
Where does the guy want to go?

41:17.590 --> 41:20.970
So based on this port number, it will keep track.

41:20.980 --> 41:21.580
Okay.

41:21.610 --> 41:30.250
XXX went to 10.11.11.1 and I gave him the port number, let's say YYY.

41:30.280 --> 41:31.300
So it keeps track.

41:31.330 --> 41:34.570
If he gets a reply from YYY, he forwards it to XXX.

41:36.890 --> 41:37.880
Right, so and so forth.

41:41.960 --> 41:42.650
GET home page.

41:47.110 --> 41:47.350
Uh huh.

41:49.160 --> 41:51.050
GET home page, for getting the home page.

41:54.390 --> 41:57.540
It's a simple request, a simple HTTP request to the server.

41:59.770 --> 42:01.000
The first request.

42:01.030 --> 42:02.140
That's how it is.

42:02.170 --> 42:05.680
Then whatever you do here, you'll be doing HTTP, the same HTTP.

42:05.680 --> 42:09.790
Just like you access an HTTP server, you'll be accessing the HTTP server from here.

42:11.360 --> 42:13.130
It's just that it won't be a direct connection.

42:13.130 --> 42:14.240
It'll be broken down.

42:14.480 --> 42:16.250
So you'll be communicating to whom?

42:17.480 --> 42:17.990
The ASA.

42:18.170 --> 42:20.840
The ASA, on your behalf, will be communicating to.

42:22.440 --> 42:22.830
R1.

42:23.920 --> 42:24.850
So you'll be there.

42:25.420 --> 42:27.280
You will not lose your communication.

42:27.940 --> 42:29.290
The communication will be set.

42:29.320 --> 42:32.530
All communications with HTTP, whichever way they go.

42:32.560 --> 42:33.850
GET is the first packet.

42:33.880 --> 42:34.840
Then you get the homepage.

42:34.840 --> 42:38.740
Then whatever clicks you do, all those things will go the same exact way.

42:38.740 --> 42:41.050
But it's just that whatever you send here.

42:42.810 --> 42:44.100
Will stay as it is.

42:44.520 --> 42:47.700
Then the firewall will perform that action for you.

42:48.450 --> 42:49.710
What you want to do here?

42:49.740 --> 42:51.210
The firewall will do it for you.

42:53.600 --> 42:55.520
You will just be communicating to the firewall.

42:57.730 --> 43:04.810
Okay, same as IOS VPN; IOS VPN also, the same thing: you're communicating to that gateway,

43:04.810 --> 43:06.580
the gateway will communicate for.

43:08.980 --> 43:09.250
Right.

43:13.000 --> 43:14.430
Let's capture the packets here.

43:19.080 --> 43:20.640
Ivan is not getting blocked.

43:20.640 --> 43:20.850
Right.

43:20.850 --> 43:23.190
So should be able to see what's in there.

43:31.290 --> 43:33.630
Now you're sending HTTPS packets, right?

43:33.630 --> 43:36.240
So anyone here will not be able to see what you're sending.

43:36.480 --> 43:37.260
But.

43:45.270 --> 43:48.660
But I'm sending, let's say, 10.11.11.

43:51.990 --> 43:54.270
All the resources except for that one will be blocked.

43:56.900 --> 43:58.070
And I'm doing this right.

43:59.660 --> 44:07.070
You'll see that the actual packets, which go from 10.10 to 10.11.1, are then open.

44:10.690 --> 44:11.500
Not encrypted.

44:13.050 --> 44:13.820
Port number 80.

44:15.130 --> 44:16.510
The encryption takes place.

44:21.300 --> 44:22.210
This is your web page.

44:24.540 --> 44:25.560
You can see it, right.

44:25.560 --> 44:28.350
It's clear text between the two.

44:28.680 --> 44:30.060
You're not creating the connection.

44:30.060 --> 44:31.080
Who's creating it?

44:33.630 --> 44:34.460
The VPN.

44:35.210 --> 44:36.710
Your message is just going there.

44:39.580 --> 44:41.590
As an HTTP packet.

44:44.360 --> 44:44.780
Okay.

44:45.440 --> 44:45.760
Glad.

44:48.210 --> 44:50.190
What is the other thing that I'm going to do?

44:51.630 --> 44:52.170
Thin client.

44:53.640 --> 44:57.480
Where I'll go to the main web VPN where I enabled it outside.

44:57.510 --> 44:59.670
Let me show you some other things that you have here.

45:04.020 --> 45:05.070
The important ones.

45:10.360 --> 45:14.200
There's onscreen keyboard; that is for later.

45:25.520 --> 45:26.300
These here.

45:27.940 --> 45:28.690
AnyConnect.

45:38.280 --> 45:39.630
Onscreen keyboard.

45:41.640 --> 45:42.630
Where did I do this?

45:42.660 --> 45:45.720
In the main config terminal VPN.

45:45.750 --> 45:47.490
Not under the policy or anything.

45:47.640 --> 45:48.690
I did it here.

45:50.860 --> 45:51.100
Yeah.

45:52.230 --> 45:54.960
I said onscreen keyboard, enable all.

45:56.190 --> 45:56.820
Let's check.

45:58.720 --> 45:59.500
Go back here.

45:59.920 --> 46:00.670
Log out.

46:03.390 --> 46:04.230
Log on again.

46:11.010 --> 46:12.180
Now the password is.

46:16.950 --> 46:20.130
Probably not the best way to do on a project, but.

46:20.820 --> 46:22.350
Now you have the on screen keyboard.

46:25.270 --> 46:27.250
I wouldn't want it because it's too annoying.

46:27.870 --> 46:29.820
So let's remove this.

46:33.400 --> 46:38.350
So basically, what web VPN gives you, why I showed you this, is this is web VPN.

46:38.350 --> 46:43.870
If you make any changes here, you're making big changes to the whole web VPN context.

46:45.260 --> 46:46.530
Enable on screen keyboard.

46:46.550 --> 46:48.400
On screen keyboard will come up.

46:48.410 --> 46:49.490
Why am I showing you this?

46:49.490 --> 46:54.140
Because now when you're doing your thin client, a thin client will be added as a tab here.

46:56.260 --> 46:57.670
It's a big change that you're making to your.

46:57.940 --> 47:01.090
It's not like you're applying an access list or something to do this.

47:01.090 --> 47:02.230
Also, you will have to do it.

47:02.230 --> 47:02.740
Where?

47:05.050 --> 47:07.090
On the main web VPN.

47:07.090 --> 47:08.530
So you go to web VPN.

47:12.540 --> 47:12.990
Right.

47:14.290 --> 47:15.310
Let me show you the commands.

47:16.210 --> 47:18.130
I am already on VPN.

47:18.610 --> 47:20.230
The command is the same port.

47:22.100 --> 47:22.310
One.

47:23.690 --> 47:24.710
Call it anything.

47:25.070 --> 47:26.150
Call the port forward.

47:26.150 --> 47:26.600
Anything.

47:26.600 --> 47:27.980
The name does not matter.

47:28.490 --> 47:29.540
I'll call it R1.

47:30.710 --> 47:31.790
Now, this.

47:31.940 --> 47:34.920
Yesterday we said local port, remote port, remote server.

47:34.940 --> 47:36.460
Here you just have to specify it.

47:36.470 --> 47:40.700
It says this is the port which users connect to on their local workstation.

47:40.720 --> 47:42.760
Enter the port number or a port name.

47:42.770 --> 47:47.630
Use a port number greater than 1024 to avoid conflicts with existing services.

47:48.320 --> 47:52.460
I'm going to use, let's say just like yesterday, 25,000 local port number.

47:52.790 --> 47:54.740
What is the address of the remote server?

47:55.700 --> 48:00.380
1011 dot one What is the actual port that the server is running on?

48:01.280 --> 48:02.090
23.

48:03.670 --> 48:05.410
I want to do Telnet right through the tunnel.

48:05.780 --> 48:06.990
Then description here.

48:07.000 --> 48:07.990
Not too important.

48:07.990 --> 48:09.490
Yesterday it was here.

48:09.490 --> 48:10.300
It's not.

48:12.090 --> 48:12.450
Okay.

48:13.870 --> 48:16.090
I have enabled it as a feature.

48:16.480 --> 48:17.980
Let's see if it is enabled.

48:22.410 --> 48:23.850
I only enabled it right.

48:24.060 --> 48:26.040
The reply to a username or password.

48:26.640 --> 48:28.900
I didn't bring it in the where.

48:30.180 --> 48:32.970
I didn't put it where in my group policy.

48:33.150 --> 48:34.710
So nothing is here.

48:35.160 --> 48:36.000
I need to go.

48:36.000 --> 48:36.570
To what?

48:39.920 --> 48:41.330
Group policy.

48:42.160 --> 48:44.860
Admin policy attributes.

48:46.850 --> 48:49.760
Web VPN because this is a web VPN feature again.

48:50.970 --> 48:52.890
Port-forward value is.

48:54.790 --> 48:55.150
R1.

49:00.150 --> 49:00.510
Correct.

49:02.540 --> 49:03.830
Let's go ahead and check now.

49:06.290 --> 49:06.630
Log on.

49:14.360 --> 49:15.920
Now you have a new tab.

49:16.730 --> 49:18.170
What is the new tab say?

49:18.410 --> 49:20.240
Application access.

49:20.660 --> 49:21.590
Let's click on it.

49:22.830 --> 49:24.150
Start applications again.

49:24.150 --> 49:24.540
Java.

49:26.450 --> 49:27.110
Java again.

49:32.950 --> 49:34.090
Trust me on this.

49:34.390 --> 49:35.470
This is the worst.

49:36.220 --> 49:38.230
But it works for me, so.

49:41.190 --> 49:41.430
Okay.

49:41.610 --> 49:47.550
So it says locally, if you go to 25,000, remotely you're going to 23 at 10.11.

49:47.550 --> 49:48.330
11.

49:49.740 --> 49:50.640
Let's try and see.

49:52.200 --> 49:53.010
What do I do?

49:53.130 --> 49:57.930
127.0.0.1, port number 25,000.

50:02.050 --> 50:03.040
Next enclosed.

50:08.270 --> 50:09.680
It shouldn't be a problem still.

50:09.770 --> 50:11.510
It should still at least show me.

50:11.510 --> 50:14.030
Open and password not found.

50:19.710 --> 50:20.100
Oh, yeah.

50:21.870 --> 50:23.250
Probably because.

50:25.060 --> 50:26.760
I never learned this from him.

50:26.770 --> 50:27.880
I think we should work.

50:32.480 --> 50:32.870
Let.

50:32.870 --> 50:34.610
127.0.0.1.

50:36.550 --> 50:37.780
Port number 25.

50:40.410 --> 50:44.840
Yeah, that's because I don't think from an ASA you can telnet.

50:51.140 --> 50:51.610
No, no, no.

50:51.740 --> 50:53.090
ASA has no option of telnetting.

50:55.120 --> 50:55.330
Yes.

50:55.330 --> 50:56.080
He cannot telnet.

50:56.770 --> 50:57.490
Yes, he cannot.

50:58.180 --> 50:58.480
Cannot.

50:58.480 --> 50:59.350
Telnet or SSH?

50:59.350 --> 50:59.620
Both.

51:01.770 --> 51:02.100
Yeah.

51:05.460 --> 51:05.910
You cannot.

51:06.550 --> 51:08.320
It does not have the capability of doing color.

51:08.820 --> 51:12.510
You can telnet from the ASA, you cannot telnet it from the devices.

51:13.590 --> 51:17.730
It is working, but the ASA by itself is not able to send packets to port 23.

51:19.830 --> 51:19.990
Right.

51:20.100 --> 51:21.660
That's how you're not able to go there.

51:21.690 --> 51:23.190
You're not able to send packets here.

51:23.820 --> 51:24.810
Nothing is received here.

51:25.600 --> 51:25.770
Right.

51:25.800 --> 51:27.460
But it's working through.

51:27.480 --> 51:29.070
I mean, you're getting this.

51:33.350 --> 51:34.900
I think it should be somewhere here.

51:35.710 --> 51:36.360
You're getting this.

51:36.370 --> 51:39.610
That means packets which are coming to here will be going through the.

51:41.530 --> 51:41.870
Through the.

51:46.640 --> 51:47.500
No, it doesn't show.

51:48.190 --> 51:52.750
Probably there can also be another case because I'm using the host right now.

51:53.020 --> 51:58.570
If you use Windows XP Workstation, you can try from there because I think last time when I tried this

51:58.570 --> 52:04.360
also, I had the same problem, the same exact problem, but then I'm not really sure if I remember

52:04.360 --> 52:05.020
correctly.

52:05.020 --> 52:08.950
I did try to do it from the other Windows XP as a VM.

52:09.630 --> 52:10.410
Works properly.

52:10.880 --> 52:11.010
Right.

52:11.010 --> 52:12.270
So try to do it like that.

52:12.270 --> 52:13.800
But the concept is the same.

52:14.370 --> 52:15.180
You're enabling it.

52:15.180 --> 52:18.150
You're enabling local port, remote port, remote server.

52:18.170 --> 52:19.020
And it works.

52:19.850 --> 52:20.200
Right.

52:20.210 --> 52:22.820
If you wanted to add more, what would you do?

52:26.890 --> 52:27.610
You configure it?

52:27.610 --> 52:28.030
Where?

52:29.860 --> 52:34.560
VPN port-forward was what? R1.

52:38.000 --> 52:39.170
Then I also said.

52:41.960 --> 52:43.820
To local port.

52:43.820 --> 52:47.720
20,000, 10.11.11.2.

52:47.750 --> 52:48.140
Yeah.

52:48.860 --> 52:49.340
Same.

52:49.340 --> 52:50.540
The name should be the same.

52:50.720 --> 52:52.010
Yesterday it was the same.

52:52.010 --> 52:52.430
So.

52:53.110 --> 52:53.530
Here.

52:54.100 --> 52:56.710
If I do to the value also, I'll have to change then.

52:56.710 --> 52:57.130
Right?

52:58.610 --> 52:59.990
I'll have to change the value also.

53:00.140 --> 53:00.800
23.

53:02.910 --> 53:05.070
Show Run for Showrun.

53:10.130 --> 53:13.580
HTTP, but HTTP I can go to directly, right?

53:13.670 --> 53:14.120
Yeah.

53:14.120 --> 53:16.190
I can try to change the port and see if.

53:18.050 --> 53:18.800
Port-forward.

53:19.140 --> 53:21.740
We'll call this R1 also.

53:22.350 --> 53:28.050
I say port number 8000 for 10.11.11.1, port.

53:31.000 --> 53:32.140
Both are active service.

53:33.600 --> 53:34.600
Two is not allowed.

53:34.620 --> 53:35.930
My traffic is not allowed to.

53:37.760 --> 53:39.160
Yes, the type.

53:40.070 --> 53:41.390
Yes, that's that's why.

53:42.110 --> 53:47.960
Because I have a webtype ACL applied which only allows HTTP to 10.11.11.1.

53:47.960 --> 53:51.710
So that's why my Telnet and all the other devices, everything else, is not working, right?

53:52.750 --> 53:53.950
So to remove that.

53:53.980 --> 53:54.520
How?

53:56.620 --> 53:57.340
Group policy.

53:59.340 --> 53:59.880
Admin.

54:00.700 --> 54:01.330
Policy.

54:02.240 --> 54:03.290
Attributes.

54:04.910 --> 54:06.620
Uh, it was in web VPN.

54:07.430 --> 54:08.540
No filter.

54:09.550 --> 54:10.150
Value.

54:12.480 --> 54:13.140
Should work now.

54:17.110 --> 54:17.470
No doubt.

54:31.690 --> 54:31.930
Right.

54:38.390 --> 54:40.280
So now you should see three instead of one.

54:41.750 --> 54:43.560
Three using different port numbers.

54:43.580 --> 54:44.480
Same address.

54:44.480 --> 54:47.970
If you use port number 25,000, you'll go to 10.11.11.1.

54:47.990 --> 54:50.300
If you use 20,000, you'll go to dot two.

54:50.330 --> 54:52.970
If you use 8000, you'll go to dot one.

54:52.970 --> 54:54.140
But for port number.

54:57.000 --> 54:57.480
Let's try.

55:05.330 --> 55:08.730
127.0.0.1, 25,000.

55:15.080 --> 55:15.520
Can go.

55:16.790 --> 55:19.220
Can't go because he's not acting on his behalf.

55:19.310 --> 55:20.660
He's just forwarding the packet.

55:20.670 --> 55:23.250
Whatever he gets back, he's just forwarding back to you.

55:23.270 --> 55:24.620
He's not doing anything with him.

55:24.620 --> 55:29.530
I mean, he's not checking itself directly right now.

55:29.540 --> 55:34.490
No, no, it is through the ASA, but the packet goes, yeah, the actual, whatever you're sending goes

55:34.490 --> 55:35.150
to that server.

55:35.180 --> 55:38.990
The ASA just forwards it out for you, whatever message that you're sending.

55:40.460 --> 55:42.230
Because of the ACL, the web type ACL.

55:42.680 --> 55:46.400
Last time also I remember I did this, I got stuck, but I couldn't figure out why.

55:47.650 --> 55:48.500
It was devastated.

55:51.220 --> 55:56.410
In the ACL, you can apply all ACL checks that field, write whatever you're signing up.

55:56.560 --> 55:57.760
ACL checks that field.

55:58.460 --> 55:59.810
So it's in the field.

55:59.810 --> 56:01.360
It will allow it if it's not.

56:01.370 --> 56:03.350
You said that only allow this one part.

56:03.380 --> 56:06.560
There was implicit deny which was which was denying everything else.

56:06.600 --> 56:07.250
This one.

56:07.980 --> 56:09.320
Is it related to the other?

56:10.550 --> 56:10.940
No.

56:14.670 --> 56:14.860
Yeah.

56:15.900 --> 56:16.530
To the other.

56:17.340 --> 56:19.260
Whatever you block in the web ACL.

56:19.350 --> 56:21.320
See, right now I'm also going to R2.

56:21.360 --> 56:24.990
Whatever you block in the web ACL, it will block everything.

56:30.420 --> 56:31.830
Which is in here.

56:38.970 --> 56:39.480
In here.

56:39.810 --> 56:42.930
It does not affect your layer three.

56:53.330 --> 56:53.640
Yeah.

56:53.700 --> 56:55.610
Thing too.

56:56.030 --> 56:56.960
The ASA will work.

56:58.670 --> 57:00.890
This will mean you're blocked.

57:01.730 --> 57:02.720
Let's say you're blocked.

57:05.330 --> 57:05.660
With.

57:07.560 --> 57:08.070
Two our.

57:11.720 --> 57:12.020
You see?

57:12.020 --> 57:13.280
You're blocking it here.

57:15.630 --> 57:17.220
Ping cannot be done from here to here.

57:18.630 --> 57:20.800
You cannot ping from this device to the server.

57:21.970 --> 57:26.110
There is no way of doing that because ping cannot be encapsulated here, right?

57:26.410 --> 57:29.770
The only protocols that can be encapsulated are, first of all, HTTP.

57:29.980 --> 57:31.870
Then you can enhance it with thin client.

57:31.900 --> 57:37.630
The maximum that you could do is go to certain other port numbers, SMTP or all those; devices you could

57:37.630 --> 57:38.380
go through.

57:39.130 --> 57:42.820
Ping will never go because your requests are here.

57:42.850 --> 57:44.920
Your web type ACL applies here.

57:45.720 --> 57:47.040
To this traffic only.

57:47.040 --> 57:48.240
It does not apply here.

57:48.240 --> 57:49.140
It does not apply here.

57:49.140 --> 57:50.070
It does not apply here.

57:50.520 --> 57:56.310
The problem was I had applied the webtype ACL here saying 10.11.11.1 should be allowed for.

57:56.730 --> 57:57.570
For what?

57:57.660 --> 57:58.860
Http access only.

57:58.860 --> 58:03.330
So now when I was sending my telnet traffic through, it was getting blocked because web type ACL was

58:03.330 --> 58:03.690
there.

58:04.170 --> 58:06.410
My Telnet, my all the other traffic was getting blocked.

58:09.740 --> 58:10.010
Right.

58:12.450 --> 58:12.900
Good, right?

58:15.440 --> 58:16.700
Let me try one more thing.

58:20.720 --> 58:23.270
127.0.0.1, port number.

58:29.590 --> 58:30.100
Going to.

58:31.170 --> 58:39.080
Don't, right, because 127.0.0.1 at port number 8000 will take me to 10.11.11.1 port 80 through an HTTPS

58:39.090 --> 58:39.510
session.

58:40.730 --> 58:41.660
You should see it with.

58:48.080 --> 58:48.320
Yeah.

58:52.410 --> 58:52.580
Yeah.

58:52.620 --> 58:53.400
Packets going in.

58:59.870 --> 59:00.270
How?

59:00.290 --> 59:01.220
What will you do?

59:01.250 --> 59:02.090
What address will you.

59:04.210 --> 59:04.720
This one.

59:06.110 --> 59:07.580
What address will you use to?

59:11.400 --> 59:13.650
How am I sending right now this traffic through?

59:15.250 --> 59:16.270
How is this telnet working?

59:17.580 --> 59:20.760
There's information how I'm sending it to the ASA.

59:23.390 --> 59:25.080
Who is guiding the traffic through the tunnel?

59:27.140 --> 59:29.150
Not the ASA, your Java application.

59:31.390 --> 59:32.590
The Java application, right?

59:34.140 --> 59:35.520
Which is based on port numbers.

59:37.150 --> 59:42.670
When it sees you're going to 127.0.0.1 at port number 25,000,

59:42.700 --> 59:43.600
It guides you through the.

59:44.750 --> 59:47.330
When it sees you're going anywhere here, it guides you through the tunnel.

59:47.570 --> 59:49.520
ICMP has no port numbers.

59:49.550 --> 59:51.290
It's not part of TCP.

59:52.430 --> 59:53.330
Not part of TCP.

59:53.360 --> 59:54.530
It will not be guided through the.

59:57.160 --> 59:57.460
Right.

59:59.160 --> 59:59.640
Thin client.

1:00:01.440 --> 1:00:05.630
This is thin client. The last thing that you're left with is thick client.

1:00:05.870 --> 1:00:07.910
Now what does thick client give you?

1:00:09.530 --> 1:00:12.890
The client gives you the capability of actually.

1:00:14.440 --> 1:00:15.550
Looking at this PC.

1:00:18.000 --> 1:00:22.800
Looking at this PC as if it was an Easy VPN client, just like before.

1:00:23.670 --> 1:00:25.680
So it will have an adapter now.

1:00:28.080 --> 1:00:30.390
You will push down an IP address to it.

1:00:32.580 --> 1:00:34.950
To that adapter, you will push down an IP address.

1:00:36.420 --> 1:00:36.890
Okay.

1:00:36.900 --> 1:00:40.020
Once it has an IP address, you will also do what?

1:00:41.380 --> 1:00:44.440
You will push an IP, then you will do encapsulation.

1:00:44.440 --> 1:00:45.850
Encapsulation from what?

1:00:46.000 --> 1:00:48.040
It will be a source based tunnel again.

1:00:48.520 --> 1:00:54.160
So let's say I push down 192.168.10.10.

1:00:54.820 --> 1:00:58.450
Whatever is sourced on this device from 10.10 will go through the tunnel.

1:00:59.600 --> 1:01:00.020
To.

1:01:01.140 --> 1:01:01.410
The.

1:01:03.470 --> 1:01:09.590
Get encapsulated on the ASA, but when it gets encapsulated, full layer three information will be there.

1:01:20.930 --> 1:01:23.180
So your actual packet will look like this here.

1:01:23.540 --> 1:01:28.940
The encapsulation will start not from layer four onwards, it'll start from layer three onwards.

1:01:29.390 --> 1:01:30.050
SSL.

1:01:31.440 --> 1:01:36.990
And then you will get your source port xxx, destination port 443.

1:01:39.780 --> 1:01:40.800
Sources.

1:01:40.920 --> 1:01:43.350
35.25, destination is

1:01:44.780 --> 1:01:45.500
30.10.

1:01:46.620 --> 1:01:50.520
So your routing on the public network will be done based on what? This red part?

1:01:51.030 --> 1:01:59.910
The red header. It encapsulates where? On the ASA. When the ASA opens it, then it finds the actual header.

1:01:59.940 --> 1:02:06.780
The actual header, the full complete header, completely from layer three onwards to layer seven.

1:02:07.930 --> 1:02:08.980
Full information.

1:02:10.120 --> 1:02:12.850
Until now, the only thing that you were encapsulating was what?

1:02:12.880 --> 1:02:13.660
Layer seven.

1:02:14.230 --> 1:02:18.760
Now you will be encapsulating starting from layer three onwards to layer seven.

1:02:18.760 --> 1:02:19.660
Complete information.

1:02:21.130 --> 1:02:23.110
Just like IPsec would do here.

1:02:23.110 --> 1:02:24.310
It's just that it'll be more.

1:02:24.310 --> 1:02:25.120
More overhead.

1:02:27.850 --> 1:02:28.570
AnyConnect.

1:02:29.710 --> 1:02:30.280
AnyConnect.

1:02:33.150 --> 1:02:34.470
AnyConnect SSL VPN.

1:02:35.250 --> 1:02:37.470
You have an AnyConnect client for this?

1:02:38.900 --> 1:02:41.340
Two things that you would require to implement this.

1:02:41.360 --> 1:02:42.920
First of all, you need to implement.

1:02:42.920 --> 1:02:44.750
You need to enable AnyConnect.

1:02:46.360 --> 1:02:47.710
We need to enable AnyConnect.

1:02:47.740 --> 1:02:51.370
Also, at the same time, you need to push down an address.

1:02:52.620 --> 1:02:52.990
I think.

1:02:54.780 --> 1:02:56.040
Remote VPN access.

1:02:57.840 --> 1:02:59.340
The encryption will still be SSL.

1:03:00.900 --> 1:03:05.430
See now what will happen is because now you have you have an IP.

1:03:05.640 --> 1:03:08.310
Until now, the client did not have an IP address.

1:03:08.460 --> 1:03:09.570
That was the problem.

1:03:09.570 --> 1:03:11.250
It only had a public address.

1:03:11.430 --> 1:03:14.880
The communication that the client was doing was only from a public address.

1:03:14.880 --> 1:03:20.160
Now what will happen is that the server will push down an address to the client, to an adapter of the

1:03:20.160 --> 1:03:20.790
client.

1:03:22.830 --> 1:03:25.380
Right, anything sourced from that adapter now.

1:03:30.550 --> 1:03:33.970
Going to, let's say eight, not eight.

1:03:35.950 --> 1:03:39.700
10.11.11.1, going to any protocol.

1:03:39.700 --> 1:03:41.500
Now, the protocol does not matter.

1:03:41.500 --> 1:03:44.440
It can be ICMP now it can be UDP, now it can be TCP.

1:03:45.160 --> 1:03:51.460
Anything which is sourced from this address at layer three will be encapsulated using what not ESP,

1:03:52.210 --> 1:03:54.640
but TLS or SSL.

1:03:55.910 --> 1:03:56.570
One of the two.

1:03:59.350 --> 1:04:02.680
Easy VPN was using ESP; this will be using SSL.

1:04:06.100 --> 1:04:06.640
This.

1:04:07.380 --> 1:04:08.080
There is no IKE.

1:04:08.410 --> 1:04:10.330
There's no IKE, SSL handshake.

1:04:11.630 --> 1:04:12.200
Just as a.

1:04:15.990 --> 1:04:16.620
Not now.

1:04:17.460 --> 1:04:18.100
Clientless.

1:04:18.240 --> 1:04:20.270
Thin client works on layer seven.

1:04:21.350 --> 1:04:21.980
Thick client.

1:04:21.980 --> 1:04:22.790
That is the difference.

1:04:22.790 --> 1:04:24.160
It is just like your Easy VPN.

1:04:26.480 --> 1:04:27.850
Layer three.

1:04:29.950 --> 1:04:30.280
Where?

1:04:31.320 --> 1:04:34.230
Now it uses SSL that was using IPsec.

1:04:34.230 --> 1:04:42.780
So now from 35.25 to 30.10, you'll be using what? So your packets will route based on.

1:04:43.790 --> 1:04:46.370
This part of the header, the ones we did yesterday.

1:04:48.300 --> 1:04:53.870
So it was using TLS was using TLS, but only for the Layer seven.

1:04:54.780 --> 1:04:56.160
There it was the same thing.

1:04:56.160 --> 1:05:01.260
But here, after the TLS yesterday, it was just one packet which said HTTP.

1:05:01.830 --> 1:05:04.170
I want to go to 10.11.11.1.

1:05:05.640 --> 1:05:06.510
From the other side.

1:05:06.510 --> 1:05:08.970
It was the same, only the encapsulation part.

1:05:09.000 --> 1:05:11.650
It could only encapsulate HTTP packets.

1:05:11.670 --> 1:05:15.780
Then we gave it a thin client where we could also do telnet.

1:05:18.140 --> 1:05:22.010
We could also do SMTP based on the port number; the Java application helped us with that.

1:05:22.040 --> 1:05:28.220
Now what we have done is we have moved on to the next level where now we can also add layer three headers

1:05:28.220 --> 1:05:28.520
in there.

1:05:29.120 --> 1:05:31.490
But for that you would require layer three address.

1:05:31.520 --> 1:05:33.200
That's why you require a thick client.

1:05:33.410 --> 1:05:35.450
The thick client receives that address.

1:05:35.480 --> 1:05:39.440
Now, whatever is sourced from that thick client will be encapsulated.

1:05:39.440 --> 1:05:41.630
The outside header is still the same as yesterday.

1:05:44.820 --> 1:05:47.130
That recognition from.

1:05:49.340 --> 1:05:49.740
Not yet.

1:05:50.370 --> 1:05:51.150
Someone took it.

1:05:54.000 --> 1:05:55.230
Yes, yes.

1:05:55.260 --> 1:05:57.530
The outside header until this part is the same.

1:05:57.540 --> 1:05:58.200
It's just that.

1:05:58.200 --> 1:05:59.970
What part was it encapsulating before?

1:06:00.000 --> 1:06:03.930
What part was it protecting before and what is it protecting now?

1:06:03.930 --> 1:06:04.920
That is the difference.

1:06:08.810 --> 1:06:09.290
Yes.

1:06:09.290 --> 1:06:10.940
Now from layer three onwards.

1:06:13.410 --> 1:06:19.560
Right now it's exactly like your VPN, but the only difference is in VPN, you didn't have this part,

1:06:19.560 --> 1:06:21.900
so it was IP and then straight ESP.

1:06:22.020 --> 1:06:23.670
Here you also have port numbers.

1:06:23.670 --> 1:06:24.510
It is helpful.

1:06:24.510 --> 1:06:24.870
Why?

1:06:24.900 --> 1:06:26.310
Because you do not need that.

1:06:28.290 --> 1:06:30.440
So 4500 problem will not be there.

1:06:30.450 --> 1:06:32.490
You have port numbers to play around with.

1:06:33.000 --> 1:06:34.890
So the NAT problem is also solved.

1:06:35.220 --> 1:06:41.490
Yes, a little overhead because one extra header, but that's okay when you're using thick client.

1:06:44.340 --> 1:06:44.730
Also on.

1:06:49.000 --> 1:06:50.830
It will be from the ASA to the PC.

1:06:52.490 --> 1:06:53.990
ASA to the PC.

1:06:54.020 --> 1:06:56.810
Your PC to the PC.

1:06:57.860 --> 1:06:58.850
The the.

1:06:58.880 --> 1:07:00.020
You mean the traffic?

1:07:00.170 --> 1:07:00.860
No, the traffic.

1:07:01.640 --> 1:07:02.960
The VPN termination.

1:07:02.990 --> 1:07:09.050
The VPN terminates on the ASA, but your actual traffic is through the ASA going to 10.11.

1:07:09.050 --> 1:07:09.920
11.1.

1:07:10.820 --> 1:07:12.400
The actual traffic goes through.

1:07:12.410 --> 1:07:18.350
Now the ASA will not work on behalf of you, because earlier the ASA did not know anything.

1:07:18.350 --> 1:07:19.610
It just received a request.

1:07:19.640 --> 1:07:20.960
Now he's getting the full header.

1:07:20.960 --> 1:07:22.010
He doesn't need to do anything.

1:07:22.010 --> 1:07:23.990
He just checks routes and moves it forward.

1:07:25.570 --> 1:07:27.100
When the ASA opens this, right?

1:07:27.520 --> 1:07:29.220
When he gets this, what does he find?

1:07:29.230 --> 1:07:29.980
Another header?

1:07:30.010 --> 1:07:30.970
A full header.

1:07:31.180 --> 1:07:35.980
So it just does routing sees where this guy is forwards this packet to that guy.

1:07:37.140 --> 1:07:39.330
R3 will open it up, see what's inside.

1:07:39.360 --> 1:07:41.730
Check everything properly and then reply back.

1:07:43.990 --> 1:07:44.160
Then.

1:07:46.320 --> 1:07:50.300
In this case, the ASA will play L3.

1:07:50.400 --> 1:07:52.470
You can apply L3 ACLs if you want.

1:07:59.680 --> 1:08:01.810
Based on the source port number which the guy uses.

1:08:02.380 --> 1:08:04.810
All the devices come up with the source port number, right.

1:08:04.840 --> 1:08:06.970
This guy will have its own source port number.

1:08:07.000 --> 1:08:08.650
The other guy will have its own source port.

1:08:11.750 --> 1:08:13.260
Then one of the connection is dropped.

1:08:13.280 --> 1:08:14.780
The one which comes later is dropped.

1:08:14.780 --> 1:08:16.010
So he has to reconnect again.

1:08:17.000 --> 1:08:17.300
There's no.

1:08:18.940 --> 1:08:21.670
That's it doesn't remember IP addresses.

1:08:21.670 --> 1:08:23.290
He doesn't know the IP addresses.

1:08:23.560 --> 1:08:25.000
It just knows the public addresses.

1:08:27.510 --> 1:08:27.770
Right.

1:08:28.870 --> 1:08:31.930
They obviously will keep track of both.

1:08:32.980 --> 1:08:35.770
35, because that's how it will remember, right?

1:08:36.550 --> 1:08:40.690
That's how we'll remember that this number came to send the packet back to him.

1:08:41.320 --> 1:08:44.080
But the main information will be kept based on the port numbers.

1:08:44.530 --> 1:08:47.530
He linked the port numbers to what port numbers he's using to go up.

1:08:48.700 --> 1:08:49.480
As the source port.

1:08:51.120 --> 1:08:51.570
Okay.

1:08:54.780 --> 1:09:00.150
License definitely doesn't let anything go without license limitations.

1:09:05.470 --> 1:09:09.490
What I think starting from 5505.

1:09:09.520 --> 1:09:09.970
Yes.

1:09:12.650 --> 1:09:14.510
AnyConnect is now.

1:09:14.510 --> 1:09:21.180
I can have 5000 peers right now at one time with this license; again,

1:09:21.200 --> 1:09:22.910
The other features are disabled.

1:09:23.330 --> 1:09:24.110
You have to enable them.

1:09:25.190 --> 1:09:27.070
Okay with license office.

1:09:28.300 --> 1:09:30.910
So this has a 5520 license.

1:09:32.460 --> 1:09:32.640
Then.

1:09:36.330 --> 1:09:36.740
Zero five.

1:09:36.760 --> 1:09:37.140
We cannot.

1:09:40.100 --> 1:09:42.560
I don't think anyone uses 5505 anymore.

1:09:43.700 --> 1:09:44.360
I don't think anyone.

1:09:44.630 --> 1:09:48.400
I think these ones are also 5512X which you see.

1:09:48.410 --> 1:09:48.740
Yeah.

1:09:52.980 --> 1:09:53.280
This.

1:09:53.520 --> 1:10:04.170
No, you can add modules. You can add an IPS module to it, you can add your CSC, you can add anti-malware.

1:10:04.200 --> 1:10:06.570
Now you can also add FirePOWER services.

1:10:08.120 --> 1:10:10.280
You can add the new FirePOWER.

1:10:10.340 --> 1:10:14.420
It works on the x-series of the previous which A6.

1:10:14.510 --> 1:10:20.270
All you have to do is just upgrade the software and you have to download that anti-malware image.

1:10:21.190 --> 1:10:21.790
On them.

1:10:21.790 --> 1:10:26.740
They will become FirePOWER active, so they'll always keep on checking with the database.

1:10:26.740 --> 1:10:29.650
All the traffic which is coming in, it will be checked for malware.

1:10:30.940 --> 1:10:31.870
With the database.

1:10:31.870 --> 1:10:35.230
So these ones, that's FirePOWER.

1:10:36.980 --> 1:10:41.450
There's the new device also, but these ones can also be upgraded to FirePOWER.

1:10:46.930 --> 1:10:47.440
So.

1:10:48.570 --> 1:10:49.680
What do I want to do?

1:10:50.980 --> 1:10:51.790
AnyConnect.

1:10:52.090 --> 1:10:56.440
First of all, what you have to do is, if you enable it, right, it will tell you that there is no image

1:10:56.440 --> 1:10:57.130
for AnyConnect.

1:10:57.580 --> 1:10:59.260
You don't enable it first.

1:10:59.290 --> 1:11:00.550
You give him the image.

1:11:01.120 --> 1:11:02.470
It's in the flash.

1:11:03.510 --> 1:11:04.560
Where? In the flash.

1:11:07.100 --> 1:11:07.490
Anything.

1:11:08.150 --> 1:11:09.050
You point to the image.

1:11:11.720 --> 1:11:12.920
First you point to the image.

1:11:14.180 --> 1:11:14.750
Correct.

1:11:14.780 --> 1:11:17.450
Once you point to the image, then you say what? AnyConnect enable.

1:11:17.570 --> 1:11:18.560
Two things.

1:11:20.910 --> 1:11:22.680
It's loading it in the memory now.

1:11:28.810 --> 1:11:30.440
AnyConnect enable.

1:11:30.940 --> 1:11:31.330
That's it.

1:11:32.280 --> 1:11:35.230
So under the VPN, first you point to the image.

1:11:35.250 --> 1:11:37.310
Then you enable it again.

1:11:37.320 --> 1:11:39.330
If I use it right now, I will not see it.

1:11:39.360 --> 1:11:39.900
Why?

1:11:42.240 --> 1:11:45.240
Because I have to call it where in my policy.

1:11:51.470 --> 1:11:54.080
IPL, but you will see it after that.

1:11:54.080 --> 1:11:55.010
The IP works.

1:11:55.040 --> 1:11:56.260
You should see it there.

1:11:57.910 --> 1:11:59.100
That's why I don't like the banner.

1:11:59.110 --> 1:12:00.250
It's one added step.

1:12:00.460 --> 1:12:03.670
You do see AnyConnect there, but it will not work for you.

1:12:07.870 --> 1:12:09.910
You do see it here, but it will not work for you.

1:12:09.940 --> 1:12:10.450
Why?

1:12:10.480 --> 1:12:12.340
Because it's not applied to your policy.

1:12:16.310 --> 1:12:18.860
This is your AnyConnect downloader.

1:12:19.280 --> 1:12:20.900
So what it does is it downloads it.

1:12:20.900 --> 1:12:23.230
The thing is, in my PC, it was already downloaded.

1:12:23.240 --> 1:12:27.710
If it was not for you, it would actually download the whole thing, which is the same process.

1:12:27.740 --> 1:12:33.950
Now he says that the connection entry, your ASA right now, is not supporting it for your username

1:12:33.950 --> 1:12:36.680
and password because I've not applied the policy.

1:12:36.710 --> 1:12:39.020
Two things I need to do apply the policy also.

1:12:39.050 --> 1:12:39.380
What?

1:12:40.710 --> 1:12:41.910
Push down an address.

1:12:43.620 --> 1:12:46.210
Push down an address from the server to the client.

1:12:46.230 --> 1:12:47.280
How do I do that?

1:12:47.520 --> 1:12:49.530
ip local pool.

1:12:49.530 --> 1:12:50.580
Create that pool.

1:12:51.390 --> 1:12:52.320
I'll call it.

1:12:52.890 --> 1:12:53.880
Let's call it just pool.

1:12:55.050 --> 1:12:59.880
The address is 192.168.10.10 to the range of

1:13:01.390 --> 1:13:05.200
So 192.168.10.20.

1:13:05.920 --> 1:13:10.420
Enter. The mask by default is slash 24 because it is 192.168.

1:13:11.850 --> 1:13:13.650
And where do I call this?

1:13:14.410 --> 1:13:17.820
Group policy admin.

1:13:19.000 --> 1:13:19.570
Policy.

1:13:21.480 --> 1:13:22.520
Attributes.

1:13:22.530 --> 1:13:24.330
It's called address pools.

1:13:24.660 --> 1:13:28.620
Value is pool.

1:13:31.120 --> 1:13:32.410
VPN tunnel protocol.

1:13:32.680 --> 1:13:35.500
By default, it's only SSL clientless.

1:13:38.240 --> 1:13:41.270
The tunnel protocol by default is clientless.

1:13:41.300 --> 1:13:42.770
You also want to make it work.

1:13:47.340 --> 1:13:50.520
This is enabling it on that policy.

1:13:52.490 --> 1:13:57.500
By default, it only allows clientless connections, which would include your thin client,

1:13:57.500 --> 1:13:59.690
because that's just a Java applet.

1:14:00.900 --> 1:14:01.290
Here.

1:14:01.290 --> 1:14:05.310
You're saying that clientless is allowed, and the SSL client is also.

1:14:07.830 --> 1:14:14.520
Also make sure when you're doing this, make sure that the adapter that you have has a default gateway

1:14:14.520 --> 1:14:15.000
as well.

1:14:17.180 --> 1:14:18.520
Should have a default gateway.

1:14:18.530 --> 1:14:20.300
Otherwise it causes problems.

1:14:25.090 --> 1:14:27.820
151 .35.3 is the.

1:14:32.660 --> 1:14:35.750
Okay, let's try and connect.

1:14:36.090 --> 1:14:37.460
Now you don't have to connect.

1:14:40.270 --> 1:14:41.920
Who's eating up my processor.

1:14:50.470 --> 1:14:50.920
Anyways.

1:14:51.670 --> 1:14:52.450
Still have enough.

1:14:53.290 --> 1:14:54.460
So I log out.

1:14:55.900 --> 1:14:57.010
Log back in again.

1:15:01.730 --> 1:15:04.010
Cisco continue.

1:15:05.690 --> 1:15:06.680
AnyConnect is here, right?

1:15:07.490 --> 1:15:08.420
So I'll start it.

1:15:10.920 --> 1:15:11.160
It.

1:15:12.900 --> 1:15:14.370
It gives you the certificate.

1:15:14.790 --> 1:15:16.080
What certificate is this?

1:15:16.080 --> 1:15:18.330
The same certificate that you received earlier.

1:15:18.340 --> 1:15:19.470
So I'll say yes.

1:15:20.330 --> 1:15:22.490
Please wait while the connection is being established.

1:15:23.510 --> 1:15:25.660
Now it's trying to connect. AnyConnect.

1:15:25.670 --> 1:15:26.600
You can see here.

1:15:28.280 --> 1:15:29.560
It is trying to connect right now.

1:15:30.300 --> 1:15:32.160
With the SSL gateway.

1:15:33.560 --> 1:15:36.740
So all the information, the pool and everything will be pushed down from there.

1:15:37.520 --> 1:15:39.470
You'll add it here and then.

1:15:40.720 --> 1:15:43.480
Will work through VPN has been.

1:15:45.280 --> 1:15:45.940
Connected.

1:15:48.090 --> 1:15:49.390
The VPN now is connected.

1:15:50.350 --> 1:15:51.790
Before I go there, I want to check.

1:15:51.820 --> 1:15:52.780
See this?

1:15:53.740 --> 1:15:58.000
Is your VPN adapter on the client?

1:15:58.030 --> 1:16:00.220
What address do you think this will have received?

1:16:03.210 --> 1:16:05.460
192.168.10.10.

1:16:06.060 --> 1:16:06.870
Receive that IP.

1:16:06.990 --> 1:16:09.030
Now again, the problem is the same.

1:16:09.030 --> 1:16:09.870
What problem?

1:16:09.870 --> 1:16:14.130
From here, anything that is sourced will always go there.

1:16:15.330 --> 1:16:17.790
That's why you see, I lost my internet connection.

1:16:22.070 --> 1:16:23.480
Because now everything is going through.

1:16:23.480 --> 1:16:23.750
Where?

1:16:24.920 --> 1:16:26.420
Through the tunnel.

1:16:26.540 --> 1:16:30.920
So if I want to do this right now, can I ping 10.11.11.1?

1:16:32.240 --> 1:16:33.020
I cannot.

1:16:33.710 --> 1:16:34.300
Why?

1:16:34.340 --> 1:16:35.330
Why can I not?

1:16:40.040 --> 1:16:40.700
Check this out.

1:16:41.030 --> 1:16:44.030
Let me go to the ASA and do a show route.

1:16:44.870 --> 1:16:45.570
Check this out.

1:16:45.590 --> 1:16:46.830
Reverse route injection.

1:16:46.850 --> 1:16:47.870
Automatically done.

1:16:49.340 --> 1:16:52.670
If I want to ping from here, 192.168.10.10,

1:16:52.700 --> 1:16:53.780
I can go.

1:16:54.380 --> 1:16:57.280
The ASA now knows what the other guy's IP is.

1:16:57.290 --> 1:16:59.120
It's exactly like Easy VPN.

1:16:59.270 --> 1:17:01.310
It knows exactly what that guy's IP is.

1:17:01.310 --> 1:17:02.960
It can go and ping that guy.

1:17:03.710 --> 1:17:06.290
And the ASA can also ping 10.11.11.1.

1:17:06.320 --> 1:17:09.440
Then why is this not able to go?

1:17:10.410 --> 1:17:14.010
They're not using 192.

1:17:15.700 --> 1:17:16.510
It is so sweet.

1:17:16.510 --> 1:17:16.780
So.

1:17:17.960 --> 1:17:19.770
You're not using the 192 when you.

1:17:20.610 --> 1:17:22.770
I think from that I am using the.

1:17:22.770 --> 1:17:24.120
No, I told you.

1:17:24.120 --> 1:17:24.320
Right.

1:17:24.330 --> 1:17:26.640
Virtual adapters are given a higher preference.

1:17:28.650 --> 1:17:29.760
Still using 192.168.10.10.

1:17:30.630 --> 1:17:31.920
It is going through the tunnel.

1:17:33.620 --> 1:17:34.370
Check this out.

1:17:42.290 --> 1:17:45.530
192.168.10.10 to 10.11.11.1.

1:17:47.730 --> 1:17:49.870
Anything from outside.

1:17:51.410 --> 1:17:53.090
This is the traffic that is going through.

1:17:55.640 --> 1:17:55.880
Yeah.

1:17:56.600 --> 1:17:57.260
Who can guess?

1:17:58.310 --> 1:17:59.420
It's right in front of you.

1:18:03.850 --> 1:18:04.510
This is traffic.

1:18:04.510 --> 1:18:05.440
From where to where?

1:18:06.460 --> 1:18:07.900
This is traffic from here to here.

1:18:09.930 --> 1:18:11.940
Traffic from here to here is 192.168.

1:18:11.940 --> 1:18:12.090
10.

1:18:12.260 --> 1:18:12.490
10.

1:18:14.520 --> 1:18:16.230
I did not have a default route.

1:18:18.240 --> 1:18:18.930
Do you remember?

1:18:19.860 --> 1:18:23.130
I did not have a default route until now.

1:18:23.160 --> 1:18:23.880
When?

1:18:24.030 --> 1:18:27.720
When the PC, when these routers were replying, they were replying to whom?

1:18:29.600 --> 1:18:30.110
To the.

1:18:31.990 --> 1:18:33.400
Now they are replying to whom?

1:18:33.820 --> 1:18:37.360
To the actual guy, because his private network is also coming here.

1:18:37.460 --> 1:18:40.570
Now, C1 is a part of my company here.

1:18:43.380 --> 1:18:45.950
Having the address of 192.168.10.

1:18:46.650 --> 1:18:50.460
All I have to do to make this work is go to R1.

1:18:54.580 --> 1:18:54.940
Add.

1:18:56.180 --> 1:18:56.990
A default route.

1:18:57.200 --> 1:18:58.910
Or I could just add a route to.

1:19:04.130 --> 1:19:05.100
This is much easier.

1:19:05.120 --> 1:19:07.860
Much better because this is a critical server.

1:19:07.880 --> 1:19:09.710
I only want to receive traffic from.

1:19:10.810 --> 1:19:12.130
My internal addresses.

1:19:16.830 --> 1:19:17.430
ip route.

1:19:23.500 --> 1:19:24.460
Let's try now.

1:19:28.170 --> 1:19:30.100
I can go to 10.11.11.1.

1:19:30.210 --> 1:19:32.250
I could go to 10.11.11.2.

1:19:32.940 --> 1:19:34.020
I could telnet.

1:19:36.520 --> 1:19:37.480
To any device.

1:19:39.370 --> 1:19:40.120
Full control.

1:19:41.320 --> 1:19:41.680
10.

1:19:41.680 --> 1:19:42.100
11.

1:19:42.100 --> 1:19:42.880
11.1.

1:19:45.610 --> 1:19:47.490
Because everything is going through the tunnel now.

1:19:47.500 --> 1:19:52.390
Virtual, right, virtual adapter; every kind of connection that is coming out from here, from this PC,

1:19:52.390 --> 1:19:56.590
now is going through the tunnel and encapsulating where? On the PC.

1:19:58.750 --> 1:19:59.260
On this.

1:19:59.500 --> 1:20:01.870
I want to check one thing I never really.

1:20:03.940 --> 1:20:04.420
Split tunnel.

1:20:07.390 --> 1:20:08.350
That's what we'll do now.

1:20:09.630 --> 1:20:10.440
That's the next thing.

1:20:10.890 --> 1:20:11.550
And now I need.

1:20:11.550 --> 1:20:11.770
What?

1:20:11.790 --> 1:20:12.910
Internet connection, right?

1:20:15.240 --> 1:20:15.660
We're done.

1:20:17.200 --> 1:20:19.300
I want to see the connection table here for this.

1:20:20.550 --> 1:20:20.820
As it.

1:20:21.090 --> 1:20:21.900
Yes.

1:20:22.560 --> 1:20:24.250
Now the connection table will be there.

1:20:24.270 --> 1:20:24.480
Why?

1:20:24.510 --> 1:20:29.910
Because now you have an IP address, a source IP, a destination IP, a source port number.

1:20:29.910 --> 1:20:31.080
A destination port number.

1:20:31.110 --> 1:20:33.570
The ASA now is not acting as a proxy at all.

1:20:36.450 --> 1:20:37.590
Outside is.

1:20:37.590 --> 1:20:39.240
Yeah, it's coming from the outside.

1:20:40.500 --> 1:20:42.480
And inside is 10.11.11.1.

1:20:43.750 --> 1:20:47.650
Here it is again coming through the VPN.

1:20:48.340 --> 1:20:52.190
Here it doesn't matter if you disable that command, sysopt.

1:20:54.450 --> 1:20:55.130
We'd be in.

1:20:55.320 --> 1:20:57.240
What does it show?

1:20:58.840 --> 1:21:00.400
All systems.

1:21:01.870 --> 1:21:03.040
What's the sysopt connection?

1:21:03.790 --> 1:21:06.250
Permit. If you do this.

1:21:12.120 --> 1:21:13.190
Then you try to do it again.

1:21:13.200 --> 1:21:14.220
What was your question?

1:21:18.820 --> 1:21:19.690
I will not go.

1:21:21.070 --> 1:21:23.020
You said if it's an encrypted traffic.

1:21:23.430 --> 1:21:24.150
You wouldn't even.

1:21:25.240 --> 1:21:25.540
No.

1:21:26.020 --> 1:21:26.380
Here.

1:21:26.380 --> 1:21:26.590
Also.

1:21:26.590 --> 1:21:27.490
That's why you don't need it.

1:21:27.490 --> 1:21:28.600
But I disabled it.

1:21:28.660 --> 1:21:28.980
See?

1:21:29.200 --> 1:21:31.940
I removed it now to allow it you require.

1:21:34.370 --> 1:21:35.420
Access list.

1:21:35.600 --> 1:21:45.230
IN permit ip from source 192.168.10.10 to destination 10.11.11.1.

1:21:45.230 --> 1:21:47.660
Let's allow only one so we can see the other one is not working.

1:21:48.470 --> 1:21:51.200
ET and in interface.

1:21:52.620 --> 1:21:58.380
Now you'll see that now you should be able to pick two one should not go to.

1:21:59.910 --> 1:22:01.160
Because I disabled that command.

1:22:01.170 --> 1:22:01.740
What command?

1:22:02.700 --> 1:22:04.860
sysopt connection permit-vpn.

1:22:07.850 --> 1:22:08.660
What does it mean?

1:22:08.670 --> 1:22:10.440
It means that do not apply.

1:22:11.450 --> 1:22:16.460
Any conditions, any access list, any security checks to the traffic that is coming through a VPN.

1:22:18.750 --> 1:22:20.190
sysopt connection permit-vpn?

1:22:23.020 --> 1:22:23.410
Okay.

1:22:24.380 --> 1:22:25.160
You understand Now.

1:22:25.160 --> 1:22:29.630
Now, every kind of traffic; it does not matter what protocol, does not matter.

1:22:29.630 --> 1:22:33.830
Whatever you want to send, which is above layer three, will go through the tunnel.

1:22:35.610 --> 1:22:37.850
To R1 or R2 or wherever you want to go.

1:22:37.860 --> 1:22:39.000
Split tunnel, right.

1:22:39.690 --> 1:22:41.430
Let's create an access list.

1:22:42.970 --> 1:22:49.540
I'll call it split: permit ip from host, reverse is the same thing.

1:22:49.540 --> 1:22:54.240
Reverse, from host 10.11.11.1 to any.

1:22:57.130 --> 1:22:57.610
Okay.

1:22:57.640 --> 1:22:58.780
How do I apply it?

1:22:59.900 --> 1:23:03.650
Group policy admin.

1:23:04.510 --> 1:23:05.080
Policy.

1:23:06.360 --> 1:23:07.290
Attributes.

1:23:09.690 --> 1:23:11.910
Attributes, it's called.

1:23:14.230 --> 1:23:14.830
Split.

1:23:14.860 --> 1:23:16.630
Now you have two things.

1:23:16.810 --> 1:23:19.990
Tunnel policy and network list.

1:23:20.380 --> 1:23:23.440
Tunnel policy by default is what?

1:23:26.480 --> 1:23:26.840
Tunnel.

1:23:26.840 --> 1:23:29.600
Everything means everything should go through the tunnel.

1:23:29.600 --> 1:23:30.890
That is the default policy.

1:23:30.920 --> 1:23:32.030
You can also check it.

1:23:32.030 --> 1:23:33.470
We did not check this part.

1:23:34.010 --> 1:23:37.700
If you open, your advanced parameters will show you what you're using right now.

1:23:38.860 --> 1:23:40.330
This is your Easy VPN type.

1:23:41.090 --> 1:23:41.490
Right.

1:23:41.500 --> 1:23:48.960
So route details, everything is going through the tunnel; statistics, mode is what? All traffic.

1:23:48.970 --> 1:23:51.130
It has been up since eight minutes now.

1:23:51.160 --> 1:23:54.880
The cipher that you're using is RSA and RC4-SHA.

1:23:55.240 --> 1:23:56.860
RSA was used for exchange.

1:23:56.890 --> 1:24:00.280
RC4 is used for encryption, SHA is used for authentication.

1:24:01.320 --> 1:24:06.300
Then you have all of this; FIPS mode, you don't need that right now.

1:24:06.330 --> 1:24:09.450
How many frames, how many frames have been sent and received?

1:24:09.540 --> 1:24:10.230
Right.

1:24:10.320 --> 1:24:11.490
Control packets.

1:24:11.490 --> 1:24:13.650
How many control packets have gone through.

1:24:13.680 --> 1:24:14.940
You have certain other things.

1:24:14.940 --> 1:24:15.990
Message history.

1:24:16.020 --> 1:24:17.250
It was established.

1:24:17.280 --> 1:24:17.850
That's it.

1:24:17.850 --> 1:24:20.700
The main important part is usually this.

1:24:20.740 --> 1:24:22.400
This is your readable stuff.

1:24:22.410 --> 1:24:24.090
So now what I'll do is.

1:24:24.300 --> 1:24:25.080
Tunnel policy.

1:24:25.080 --> 1:24:27.780
I'll change to what? Tunnel specified.

1:24:27.930 --> 1:24:29.640
Whatever is specified by the tunnel.

1:24:29.760 --> 1:24:31.410
And where do I specify it?

1:24:32.580 --> 1:24:35.730
Split tunnel network list value is.

1:24:38.040 --> 1:24:38.430
Split.

1:24:40.160 --> 1:24:40.580
Okay.

1:24:40.820 --> 1:24:41.910
Disconnect and connect.

1:24:41.930 --> 1:24:42.350
Now I know.

1:24:42.890 --> 1:24:45.410
Once you have the client, right, you don't need to log in.

1:24:45.410 --> 1:24:46.130
From where?

1:24:47.590 --> 1:24:50.290
You mean you do not need to go in from the browser?

1:24:50.470 --> 1:24:52.180
You can just go in here and connect.

1:24:54.040 --> 1:24:56.990
Because the browser will only be used for downloading the client.

1:24:57.010 --> 1:24:59.620
Once you have the client, you can just connect up through the client.

1:25:00.660 --> 1:25:01.530
I will connect.

1:25:16.240 --> 1:25:17.650
Accept the certificate.

1:25:20.260 --> 1:25:21.790
Earlier the certificate was shown to you.

1:25:21.790 --> 1:25:22.270
Where?

1:25:23.460 --> 1:25:26.100
Now here again, username and password.

1:25:26.100 --> 1:25:28.000
You had already entered in there.

1:25:28.020 --> 1:25:29.520
Here you need to enter it.

1:25:29.550 --> 1:25:30.780
Username is.

1:25:33.250 --> 1:25:34.090
Accept the banner.

1:25:37.070 --> 1:25:38.840
Performing update checks.

1:25:41.470 --> 1:25:42.310
And connected.

1:25:44.130 --> 1:25:44.580
Not yet.

1:25:49.290 --> 1:25:51.630
The updates that it gets are also from the ASA.

1:25:51.630 --> 1:25:58.170
So if you have a newer image which is newer than this, you will get the update from that.

1:25:59.520 --> 1:26:00.390
Go to advanced.

1:26:01.020 --> 1:26:02.400
You should see what you have.

1:26:02.430 --> 1:26:04.350
Mode is split include.

1:26:04.560 --> 1:26:06.390
The details are in the route details.

1:26:06.390 --> 1:26:09.030
You can only go to 10.11.11.1.

1:26:09.030 --> 1:26:13.380
So now if you try, my internet connection should be up back up again.

1:26:17.030 --> 1:26:21.530
Back up again right now from here.

1:26:21.860 --> 1:26:26.720
If I ping 10.11.11.1, it's going through the tunnel; .2 is not going through the tunnel.

1:26:26.750 --> 1:26:29.870
The Internet is giving me the message that the host is.

1:26:31.030 --> 1:26:32.380
Now my Internet is also back up.

1:26:36.160 --> 1:26:36.530
Okay.

1:26:36.530 --> 1:26:37.040
Split tunnel.

1:26:37.070 --> 1:26:38.090
The same as before.

1:26:38.840 --> 1:26:39.860
Split tunnel.

1:26:41.960 --> 1:26:42.530
Correct or not?

1:26:44.720 --> 1:26:45.260
That's it, right?

1:26:46.770 --> 1:26:53.730
The last thing that you have to do in this is we call this CSD, Cisco Secure Desktop.

1:26:54.600 --> 1:26:57.840
What Cisco CSD is CSD is just an application.

1:27:00.500 --> 1:27:04.010
Where all it does is.

1:27:04.990 --> 1:27:06.730
You have to enable it here.

1:27:06.800 --> 1:27:07.270
CSD.

1:27:08.440 --> 1:27:10.690
It's an application when you create a tunnel, right?

1:27:10.960 --> 1:27:17.530
The moment you create the tunnel with it, CSD will download here and run through.

1:27:17.920 --> 1:27:19.720
Now what can run through that CSD?

1:27:19.930 --> 1:27:25.750
Now if you have the most updated version of the CSD, you can configure it in a way so it checks.

1:27:26.890 --> 1:27:29.800
Before the tunnel connects, before the guy connects up to the tunnel.

1:27:29.830 --> 1:27:34.030
It will check for certain things like antivirus, anti-malware.

1:27:34.060 --> 1:27:36.220
Do you have the most updated version of it?

1:27:37.240 --> 1:27:38.950
And all those different features.

1:27:39.370 --> 1:27:39.940
Right.

1:27:40.360 --> 1:27:43.840
If you don't have those specifications, you will not be able to connect to the tunnel.

1:27:45.670 --> 1:27:46.420
That caused.

1:27:47.890 --> 1:27:48.160
Right.

1:27:48.490 --> 1:27:50.050
The way you do it is the same.

1:27:51.460 --> 1:27:52.680
I'll show you how to do that.

1:27:52.690 --> 1:27:54.280
Also, you will not see it working.

1:27:54.280 --> 1:27:54.970
That's the best part.

1:27:55.000 --> 1:27:55.840
You won't see it working.

1:27:55.840 --> 1:27:56.980
It works in the background.

1:27:57.950 --> 1:28:00.170
Also when you're through the tunnel, right?

1:28:00.170 --> 1:28:02.660
Let's say you're accessing an Http server.

1:28:03.710 --> 1:28:09.020
Now through the server can come cookies, critical information, which saves where on the Windows PC?

1:28:11.180 --> 1:28:11.930
Right, in cookies.

1:28:11.930 --> 1:28:16.550
You have some information of what did you visit, what sites did you visit, what did you do

1:28:16.580 --> 1:28:17.540
on those sites?

1:28:18.200 --> 1:28:21.440
When the tunnel is terminated, it stopped.

1:28:21.470 --> 1:28:23.210
CSD will clean up everything.

1:28:24.620 --> 1:28:30.170
Whatever you did, whatever information came down through the tunnel, CSD will clean it up as if it

1:28:30.170 --> 1:28:31.100
was not there at all.

1:28:34.270 --> 1:28:34.620
Okay.

1:28:34.630 --> 1:28:36.370
The way you do it is the same.

1:28:36.370 --> 1:28:37.840
I should have done it before.

1:28:38.080 --> 1:28:45.010
Now it's a little more difficult: you copy it into the flash, the image, you copy it into the flash.

1:28:45.010 --> 1:28:46.450
The image is also here.

1:28:46.540 --> 1:28:48.160
Same image as you had before.

1:28:49.810 --> 1:28:51.540
csc.pg.

1:28:52.930 --> 1:28:54.280
Let me try to send it.

1:28:55.780 --> 1:29:01.000
Copy tftp to flash addresses.

1:29:04.130 --> 1:29:04.580
Finally.

1:29:07.040 --> 1:29:07.610
That's the thing.

1:29:07.610 --> 1:29:08.040
It's slow.

1:29:10.260 --> 1:29:12.210
That's why earlier I did it directly.

1:29:12.210 --> 1:29:16.680
This one is a little slower than the other one, so see it copying.

1:29:19.540 --> 1:29:20.080
2%.

1:29:22.800 --> 1:29:23.670
That's all you have to do.

1:29:23.700 --> 1:29:28.150
See, once you do that, once you copy it, all you have to do is go to the ASA.

1:29:29.930 --> 1:29:31.760
I said AnyConnect enabled, right?

1:29:31.790 --> 1:29:32.810
You have to do the same.

1:29:32.810 --> 1:29:33.700
Two steps for CSD.

1:29:33.710 --> 1:29:35.390
Also CSD image.

1:29:35.390 --> 1:29:36.440
CSD enabled.

1:29:36.440 --> 1:29:36.930
That's it.

1:29:36.950 --> 1:29:38.810
You don't have to apply it to any policy.

1:29:38.840 --> 1:29:40.580
You don't have to apply to anything.

1:29:40.670 --> 1:29:42.140
It will run automatically.

1:29:42.140 --> 1:29:44.720
Once you set up the tunnel, CSD will run.

1:29:45.110 --> 1:29:46.430
You will not even see it run.

1:29:48.450 --> 1:29:51.420
Going on in the backend, making sure that your tunnel is safe.

1:29:52.270 --> 1:29:52.610
Why?

1:29:52.720 --> 1:29:53.830
You already know why.

1:29:54.130 --> 1:29:58.270
Because through the tunnel, since you're connecting up to your company's network, a lot of stuff can

1:29:58.270 --> 1:29:58.760
come in.

1:29:58.820 --> 1:30:01.420
So you make sure that that part is safe.

1:30:02.750 --> 1:30:03.830
Any questions?

1:30:05.240 --> 1:30:06.290
With SSL VPN.

1:30:10.440 --> 1:30:12.940
AnyConnect, any questions with the thick client?

1:30:15.020 --> 1:30:18.380
It looks exactly the same way as your Easy VPN client.

1:30:18.710 --> 1:30:21.750
Gaining more popularity, though, than the Easy VPN client.

1:30:21.770 --> 1:30:22.310
This one.

1:30:28.300 --> 1:30:29.320
Direct connection.

1:30:32.770 --> 1:30:37.210
Microsoft has its own VPN embedded in your operating system.

1:30:43.140 --> 1:30:44.190
My Internet is not working.

1:30:44.190 --> 1:30:44.550
So.

1:30:47.940 --> 1:30:50.310
Start working because I have the default gateway, right?

1:30:52.120 --> 1:30:53.640
I have two default gateways right now.

1:30:56.890 --> 1:30:58.160
And it's using the tunnel one.

1:31:02.740 --> 1:31:04.180
Yeah, it's using the tunnel one.

1:31:06.670 --> 1:31:08.070
Start using the one from the adapter.

1:31:08.080 --> 1:31:10.330
Let's do that later.

1:31:11.630 --> 1:31:13.640
We'll check that later once the Internet starts working.

1:31:14.550 --> 1:31:14.880
Okay.

1:31:15.180 --> 1:31:16.650
Any questions with this?

1:31:18.430 --> 1:31:19.870
This finishes all your VPNs.

1:31:21.160 --> 1:31:21.910
All of it.

1:31:23.690 --> 1:31:25.360
Now you just have to do them again.

1:31:25.370 --> 1:31:26.510
But on.

1:31:27.940 --> 1:31:28.420
Hundreds.

1:31:29.350 --> 1:31:30.880
Saying the concept will not change.

1:31:31.540 --> 1:31:33.110
We'll do the same VPNs again on the.

1:31:33.310 --> 1:31:40.570
The only extra new thing that you have to learn is, if we are aware with this, we will do that tomorrow.

1:31:41.350 --> 1:31:44.470
We will do that tomorrow and we will do site to site VPN also.

1:31:46.220 --> 1:31:54.860
And on Friday we will be doing site to site, and your site to site VPN plus, no sorry, site to site will

1:31:54.860 --> 1:31:56.300
be tomorrow, IKEv2.

1:31:56.300 --> 1:31:56.450
And.

1:31:59.090 --> 1:32:03.080
There is public support for all kinds of people, not all.

1:32:06.070 --> 1:32:14.320
Get it? It doesn't have virtual interfaces, cannot have interface tunnel zero, whatever, does

1:32:14.320 --> 1:32:15.780
not support interface tunnel zero.

1:32:15.790 --> 1:32:16.690
You cannot have that.

1:32:18.850 --> 1:32:23.680
Thank God for that, because otherwise you would have to remember all of that to.

1:32:25.060 --> 1:32:26.590
For what you have right now.

1:32:27.070 --> 1:32:28.240
You have all those VPNs, right?

1:32:28.270 --> 1:32:28.720
DMVPN.

1:32:28.960 --> 1:32:30.130
DMVPN is not there yet.

1:32:30.160 --> 1:32:30.850
Is not there?

1:32:31.570 --> 1:32:32.650
GRE is not there.

1:32:32.680 --> 1:32:34.180
GRE over IPsec, all of that.

1:32:36.690 --> 1:32:41.070
Not on the IOS, not on both of them.

1:32:43.790 --> 1:32:48.850
This Easy VPN, and also IKEv2 is also there.

1:32:54.240 --> 1:32:55.420
It's copied, I think.

1:32:55.980 --> 1:32:56.280
Yeah.

1:32:57.480 --> 1:32:58.680
Show flash.

1:33:00.830 --> 1:33:01.700
CSD is there.

1:33:02.540 --> 1:33:03.860
All you have to do is.

1:33:05.480 --> 1:33:06.050
The VPN.

1:33:07.240 --> 1:33:09.250
CSD image.

1:33:14.490 --> 1:33:15.270
The Flash.

1:33:29.360 --> 1:33:29.600
Right.

1:33:30.140 --> 1:33:31.760
And then just enable.

1:33:34.110 --> 1:33:40.050
You also have something called HostScan, where you specify what are the exact properties that should

1:33:40.050 --> 1:33:40.350
be there.

1:33:40.380 --> 1:33:44.460
On the other side, CSD enable, correct?

1:33:44.730 --> 1:33:45.510
That's all.

1:33:47.350 --> 1:33:47.680
That's it.

1:33:47.680 --> 1:33:48.460
It's enabled already.

1:33:49.860 --> 1:33:50.730
Now it's enabled.

1:33:51.060 --> 1:33:52.500
Now CSD is enabled.

1:33:52.530 --> 1:33:54.300
Now you might see it here.

1:33:55.320 --> 1:33:56.940
You'll have to disconnect and connect again.

1:33:59.710 --> 1:34:01.930
See, this is Cisco Secure Desktop.

1:34:01.930 --> 1:34:04.200
I said log out when I was logging out.

1:34:04.210 --> 1:34:06.400
What does it do, friends? This.

1:34:07.920 --> 1:34:09.020
It ends XD.

1:34:10.380 --> 1:34:12.870
It wants to clean up everything that happened through the tunnel.

1:34:15.930 --> 1:34:16.530
It's a Java app.

1:34:16.860 --> 1:34:19.120
It will delete everything, all the cookies and everything.

1:34:19.140 --> 1:34:19.770
It will delete.

1:34:19.770 --> 1:34:21.180
Then it will let you log out.

1:34:33.800 --> 1:34:34.610
There's always a way.

1:34:37.790 --> 1:34:37.890
With.

1:34:39.770 --> 1:34:40.240
Combine it.

1:34:40.250 --> 1:34:43.730
No, you have to pick it has to be with the video comes through the VPN.

1:34:46.040 --> 1:34:46.460
There you go.

1:34:48.540 --> 1:34:49.090
This is cool.

1:34:58.180 --> 1:34:59.590
It's already there on the PC now.

1:35:01.940 --> 1:35:02.230
Right.

1:35:02.230 --> 1:35:03.300
So it is connected.

1:35:03.310 --> 1:35:04.450
I'll disconnect this.

1:35:07.110 --> 1:35:07.920
AnyConnect.

1:35:17.840 --> 1:35:20.000
So just like AnyConnect was also there.

1:35:20.000 --> 1:35:21.620
Now, again, you will not see it.

1:35:22.430 --> 1:35:23.810
You will not see it working.

1:35:24.080 --> 1:35:25.430
It will work in the background.

1:35:25.580 --> 1:35:29.450
Make sure that whatever you do through the tunnel is not saved on your PC.

1:35:30.140 --> 1:35:33.030
Cisco Secure Desktop is done on the endpoints.

1:35:33.050 --> 1:35:36.140
If you enable it, the user has no option but to use it.

1:35:38.230 --> 1:35:39.430
You enable it on the server?

1:35:39.970 --> 1:35:43.570
The user will have to use it; it doesn't matter if he has installed it or not.

1:35:43.600 --> 1:35:47.710
The moment he connects up, he'll be connecting, what, through the CSD.

1:35:48.670 --> 1:35:49.480
Again, log out.

1:35:53.510 --> 1:35:54.320
Now it's already there.

1:35:57.890 --> 1:35:58.630
Right, Cisco.

1:36:02.570 --> 1:36:02.830
Clear.

1:36:05.860 --> 1:36:09.230
If it does not start properly, click here to end the session cleanly.

1:36:10.860 --> 1:36:16.500
So it has some other things, other stuff which it does if it doesn't work, but it makes sure

1:36:16.500 --> 1:36:19.080
that it's a clean process, clean up.

1:36:19.950 --> 1:36:21.060
After, you know.

1:36:21.850 --> 1:36:22.660
After the murders.

1:36:22.660 --> 1:36:23.200
You clean up.

1:36:24.570 --> 1:36:26.430
So you're cleaning up?

1:36:28.620 --> 1:36:33.180
Correct, your net, your VPN is connected.

1:36:33.180 --> 1:36:34.560
You can send traffic through the tunnel.

1:36:35.620 --> 1:36:39.880
Reset it, export the statistics if you want to disconnect it.

1:36:44.620 --> 1:36:48.300
That should cover all of your VPNs.

1:36:49.620 --> 1:36:49.920
Okay.

1:36:49.920 --> 1:36:50.990
Tomorrow VPNs on the.
