Frozen Sabre
May 11, 2006

workape posted:

I'm about to wander down this path as well, someone in management went to a meeting and saw another manager able to use SRM from their iPhone and now we have the question being posed "Why don't we have this already?" which is fun because our security group essentially said no to any consumer grade devices attaching up to the network.

Everything that I have read so far is worthless and Cisco says to look at Apple and Apple says to look at Cisco for answers. So if you find something, please post it.
Just recently went to a Cisco-run seminar called "Cisco Unified Communications" which demonstrated pretty much everything you're listing up there, e.g. use of iPad/iPhone/whatever-smart-phone-thingy and having it linked to VoIP and IRC-style chat along with everything else you'd expect from a mobile office. Was actually really cool, and is reportedly developed from the ground up with security in mind (to the point that Cisco actually bought Jabber and its XMPP protocol).

So if you can find a consultancy/direct contact with Cisco this is probably what you're looking at and should ask them about.

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

I don't think the AnyConnect client is available yet for iPads.

The problem is that normally I'd use my existing Juniper SA4500s with client certs, but Safari under iPad OS 3 doesn't send client certs correctly. iPhone OS 4 does, for what it's worth.

The whole thing sucks, really.

Current state of iPhone/iPad VPN:

iPhone OS 4: Safari works correctly with client certs, JunOS Pulse, Cisco AnyConnect, Cisco IPSec/L2TP/PPTP
iPad OS 3: Cisco IPSec/L2TP/PPTP


Blame the victim!

Tell them to hold out for iOS 4.2 (it's in beta now). Cisco released AnyConnect for iOS 4 about a week ago, so as soon as iOS 4.2 hits they'll be able to have AnyConnect SSL VPN from the iPad. Or get them to sign up for the developer program so you can get the beta code.

-edit-
As for actually setting it up, you'll want to look at the Apple enterprise site (make sure to check the deployment guide link to their KB). You'll need to develop your own internal webapp for device provisioning, which should be able to push all the config down to your devices.

And you'll need an SCEP-enabled SSL CA on your network (like the Windows CA).
-/edit-

ragzilla fucked around with this message at 01:43 on Oct 1, 2010

workape
Jul 23, 2002

Moxnight posted:

Just recently went to a Cisco-run seminar called "Cisco Unified Communications" which demonstrated pretty much everything you're listing up there, e.g. use of iPad/iPhone/whatever-smart-phone-thingy and having it linked to VoIP and IRC-style chat along with everything else you'd expect from a mobile office. Was actually really cool, and is reportedly developed from the ground up with security in mind (to the point that Cisco actually bought Jabber and its XMPP protocol).

So if you can find a consultancy/direct contact with Cisco this is probably what you're looking at and should ask them about.

I met a guy at a UCS event last night who was using the ipsec vpn mixed with the rsa soft tokens on his phone and it worked amazingly well. I'm going to drop him a line and see if I can get more information about his vpn setup since he had to do both iphones and ipads.

jwh
Jun 12, 2002

ragzilla posted:

Tell them to hold out for iOS 4.2 (it's in beta now). Cisco released AnyConnect for iOS 4 about a week ago, so as soon as iOS 4.2 hits they'll be able to have AnyConnect SSL VPN from the iPad. Or get them to sign up for the developer program so you can get the beta code.
Yeah, but once 4.2 comes out, the Pulse client should be available too.

The biggest issue right now is that under 3.x iPad code, the only real certificate based authentication available is as part of the Cisco bundled IPSec client.

Well, that, and the fact that the Safari bundled with iPad OS 3 doesn't send client certificates correctly.

ior
Nov 21, 2003

What's a fuckass?
sigh, the end result of 4 RMAs and one pissed off customer, newly created bug ID: CSCtj20996

Symptom:

When using some Bluetooth serial adapters connected to the console port of the ct5508 controller, the unit will go into a continuous crash loop until the Bluetooth serial adapter is removed from the console port.

Workaround:

Remove the Bluetooth serial adapter and allow the unit to fully boot. Once booted, you can reinstall the Bluetooth serial adapter and use it normally.



Cisco, I do not love you today! :bang:

ragzilla
Sep 9, 2005
don't ask me, i only work here


ior posted:

sigh, the end result of 4 RMAs and one pissed off customer, newly created bug ID: CSCtj20996

Symptom:

When using some Bluetooth serial adapters connected to the console port of the ct5508 controller, the unit will go into a continuous crash loop until the Bluetooth serial adapter is removed from the console port.

Workaround:

Remove the Bluetooth serial adapter and allow the unit to fully boot. Once booted, you can reinstall the Bluetooth serial adapter and use it normally.



Cisco, I do not love you today! :bang:

Was it generating serial breaks?

-edit-

lilbean posted:

I've seen similar things happen to Sun machines with USB-serial adapters causing them to halt. Good times.
That's why you make sure your serial gear is Sun break-safe (lol breaking to ROM).


On a side note, anyone at NANOG this week?
-/edit-

ragzilla fucked around with this message at 14:33 on Oct 3, 2010

lilbean
Oct 2, 2003

ior posted:

sigh, the end result of 4 RMAs and one pissed off customer, newly created bug ID: CSCtj20996

Symptom:

When using some Bluetooth serial adapters connected to the console port of the ct5508 controller, the unit will go into a continuous crash loop until the Bluetooth serial adapter is removed from the console port.

Workaround:

Remove the Bluetooth serial adapter and allow the unit to fully boot. Once booted, you can reinstall the Bluetooth serial adapter and use it normally.



Cisco, I do not love you today! :bang:
I've seen similar things happen to Sun machines with USB-serial adapters causing them to halt on spurious breaks. Good times.

ior
Nov 21, 2003

What's a fuckass?

ragzilla posted:

Was it generating serial breaks?

Nope. I have been using this Bluetooth adapter without trouble for 2 years now on both routers and switches; I would notice if it was generating breaks.

jwh
Jun 12, 2002

ragzilla posted:

On a side note, anyone at NANOG this week?
Would like to be, but no.

Where is it this year?

Bardlebee
Feb 24, 2009

Im Blind.
jwh and inignot's answer to my NAT was right on the money. I can now do NAT... it was because of the access-lists using the same number.

I now am having an issue with the VPN I am connecting these two routers with. Router 2 is configured correctly, as it was working fine when the other side (now Router 1) was a non-Cisco box, so I can tell my new configuration isn't working. Though I think I did the IPsec setup correctly and the VPN, so I am confused. Any help from a trained eye would be awesome and will help me understand what I messed up. Here is Router 1 and Router 2:

Router 1
code:
Current configuration : 4289 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HardyOak
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password <pass>
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.11.1
ip dhcp excluded-address 192.168.11.1 192.168.11.99
ip dhcp excluded-address 192.168.11.200 192.168.11.254
ip dhcp excluded-address 192.168.11.155
ip dhcp excluded-address 192.168.11.144
ip dhcp excluded-address 192.168.11.162
!
ip dhcp pool MainHO
   network 192.168.11.0 255.255.255.0
   default-router 192.168.11.1
   dns-server 192.168.11.220 192.168.2.240
!
!
!
!
crypto pki trustpoint TP-self-signed-2298352187
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2298352187
 revocation-check none
 rsakeypair TP-self-signed-2298352187
!
!
crypto pki certificate chain TP-self-signed-2298352187
 certificate self-signed 01
  30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323938 33353231 3837301E 170D3130 31303032 32313233
  33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32393833
  35323138 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C942 BD757C1B B8466D73 C30A7858 CA04D288 C4EDFF38 12CC2A1C 22E941CC
  63724CA6 3DECE72C 20CACA7F 9FF2F381 D6323646 B70052D0 01C6482F C45ABAFC
  5BFAFC24 B6340BC2 7FB2723F 765DFAAA 47DD480E 0D23145B 84B8F61F 6701781A
  67505884 281332D8 54E60D87 4626E7B7 B76ADD77 32FC00D3 39EACE33 57DBE250
  8C350203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
  551D1104 0C300A82 08486172 64794F61 6B301F06 03551D23 04183016 8014E731
  2E7CB609 824B8D46 EE457DC1 B34F7D13 FC1D301D 0603551D 0E041604 14E7312E
  7CB60982 4B8D46EE 457DC1B3 4F7D13FC 1D300D06 092A8648 86F70D01 01040500
  03818100 704FC082 1E91D13B 0933CCC8 0609BBA3 CF790384 A15A0E48 DF20B797
  57E760A6 A44BE975 62A5D1E3 FDC8E5CD 081613AB D5A65394 365D6466 BCF782AF
  3F20EBCF EAF653E7 3E05C58A 52C151E5 5B5E85C3 70203114 F7324799 2F699E7C
  78352C6A 9DD844BE B50D486A E615BDA2 6B49074C 4B76D25E E1AD1D40 B83ACD3D 96CDF44B
  quit
username admin privilege 15 secret 5 $1$brFf$9AOOHCO7zWeeKsN2AcCPj/
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key css address 216.201.143.222
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 description WestGate
 set peer 216.201.143.222
 set transform-set esp-3des-sha1
 set pfs group2
 match address 103
!
!
!
!
interface FastEthernet0
 ip address 66.64.51.333 255.255.255.240
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map vpn
 crypto ipsec df-bit clear
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 66.64.51.444
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
 password <pass>
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 password <pass>
 login local
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Router 2; Bolded VPN 10, the one Router 1 should be.
code:
30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383732 38393635 3630301E 170D3130 30363235 31363337
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373238
  39363536 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BE8A B5790460 A9253C5A 38A1933A 19925684 71E3593E F352827B CA66CCC1
  024EEC73 63C2FB7E DE069B52 F335D5EA A1A0839F A9E6104E EC45ABFA 8DA03006
  BD0FE01F 35D15726 8D8E23E5 21BCD930 D220CE65 4528F3DC BA15C82F 4720549B
  5EA44127 8DA7E630 EC359BC4 502C5E31 9DC8DA5E FF3D0393 DE10ED8D BC0013F5
  2FD30203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603
  551D1104 12301082 0E57472D 53545343 2E574753 54534330 1F060355 1D230418
  30168014 176C5BC2 2E35E8A6 02309904 DA180631 A77880D9 301D0603 551D0E04
  16041417 6C5BC22E 35E8A602 309904DA 180631A7 7880D930 0D06092A 864886F7
  0D010104 05000381 81008D31 D77BC5FC 24ECF53F D08E4371 5677043A 6A3F0D17
  4E066A7B 8AB49E22 3B8F260F B8BB3723 2F10042A 66D44365 04F56FDB CD6DD582
  7C1C0E80 E73093F2 00880ECB 11050139 A40B8767 F6D7EF2B BA3DDE2F 8DFA7D3C
  58B8C04C 209A6D80 2C55F9B2 53BC4827 C92DEB9E E3865133 B6111C49 E98E486D
  8C638C74 52170C4E AEBA
        quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.105
ip dhcp excluded-address 192.168.2.200 192.168.2.254
ip dhcp excluded-address 192.168.2.106 192.168.2.115
!
ip dhcp pool 192.168.2.0/24
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 192.168.2.240 192.168.11.220
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key pass address 66.64.51.333
crypto isakmp key pass address 209.206.174.
crypto isakmp key pass address 24.153.154.
crypto isakmp key pass address 97.77.188.
crypto isakmp key pass address 216.201.140.
crypto isakmp key pass address 216.201.142.
crypto isakmp key pass address 209.206.174.
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
crypto map vpn 4 ipsec-isakmp
 description WGPhysicalTherapy
 set peer 216.201.142.230
 set transform-set esp-3des-sha1
 set pfs group2
 match address 104
crypto map vpn 5 ipsec-isakmp
 description SanMarcos Tunnel
 set peer 209.206.174.146
 set transform-set esp-3des-sha1
 match address 105
crypto map vpn 6 ipsec-isakmp
 description NewBraunfels Tunnel
 set peer 97.77.188.154
 set transform-set esp-3des-sha1
 set pfs group2
 match address 106
crypto map vpn 7 ipsec-isakmp
 description Laredo Tunnel
 set peer 24.153.154.210
 set transform-set esp-3des-sha1
 set pfs group2
 match address 107
crypto map vpn 9 ipsec-isakmp
 description Topperwein Tunnel
 set peer 216.201.140.30
 set transform-set esp-3des-sha1
 set pfs group2
 match address 109
[b]crypto map vpn 10 ipsec-isakmp
 description HardyOak Tunnel
 set peer 66.64.51.333
 set transform-set esp-3des-sha1
 set pfs group2
 match address 101[/b]
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 no ip address
 ip mtu 1400
 ip tcp adjust-mss 1436
!
interface FastEthernet0
 ip address 216.201.143.222 255.255.255.240
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map vpn
 crypto ipsec df-bit clear
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
 speed 100
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.201.143.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging 67.215.65.132
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SDM_ACL Category=18
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
!
control-plane
!
!
line con 0
 password <pass>
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 password <pass>
 logging synchronous
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
line vty 16
 privilege level 15
 login local
 transport input all
!
end

ate shit on live tv
Feb 15, 2004

by Azathoth
It's hard to say. Learn how to use debug commands so that you can see what's failing. In this case, debug crypto isakmp. It might be something as simple as a fat-fingered password, or it is seeing the wrong remote address.

Also, use [pre] instead of [code] if you want your [b] tags to work.
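A way to check a pair like this mechanically, as an added example that is not code from the thread, from Cisco, or from any poster: the Python script below parses the parts of two IOS running-configs that decide whether a crypto-map tunnel comes up and reports what Azathoth's reply says to look for (a wrong remote address, a pre-shared key that is not the same on both sides) plus two checks the thread does not spell out: crypto ACL permit lines that the other side does not mirror, and interesting traffic that the NAT rule translates before the crypto map can match it. The sample configs are constructed and stripped down to the relevant stanzas; the hostnames HQ/BRANCH, the 198.51.100.x and 203.0.113.x outside addresses and the keys css/pass are placeholders, not the thread's values.

```python
"""Constructed example: consistency checks for a pair of IOS site-to-site IPsec configs."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tok):  # consume one ACL address spec from a token list: any | host A | A WILDCARD | A
    if tok[0] == "any": return ANY, tok[1:]
    if tok[0] == "host": return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    if len(tok) > 1 and tok[1][0].isdigit():  # ipaddress accepts an IOS wildcard as a hostmask
        return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
    return ipaddress.ip_network(tok[0] + "/32"), tok[1:]  # bare address in a standard ACL


def parse_config(text):  # pull out the parts of a running-config that decide whether the tunnel comes up
    cfg = {"hostname": "", "outside_ip": None, "keys": {}, "maps": [], "acls": {}, "nat_acl": None}
    block = addr = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!": continue
        if line.startswith(" "):  # sub-command of the block opened by the last top-level line
            if block == "map" and t[:2] in (["set", "peer"], ["match", "address"]):
                cfg["maps"][-1][t[1]] = t[2]
            elif block == "intf" and t[:2] == ["ip", "address"]:
                addr = t[2]
            elif block == "intf" and t[:3] == ["ip", "nat", "outside"]:
                cfg["outside_ip"] = addr  # IOS prints 'ip address' before 'ip nat outside'
            continue
        block = None
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key KEY address PEER
            cfg["keys"][t[5]] = t[3]
        elif t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
            cfg["maps"].append({"peer": None, "address": None})
            block = "map"
        elif t[0] == "interface":
            block, addr = "intf", None
        elif t[0] == "access-list" and t[2] != "remark":
            ext = t[3] in ("ip", "tcp", "udp", "icmp")  # extended: proto src dst; standard: source only
            src, rest = _net(t[4:] if ext else t[3:])
            dst = _net(rest)[0] if ext else ANY
            cfg["acls"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:  # route-map style NAT is not resolved here
            cfg["nat_acl"] = t[5]
    return cfg


def _translated(cfg, src, dst):  # first NAT ACL line covering the whole flow decides; no line = untouched
    for act, s, d in cfg["acls"].get(cfg["nat_acl"], []):
        if src.subnet_of(s) and dst.subnet_of(d):
            return act == "permit"
    return False


def check_pair(a, b):  # (code, message) findings for the tunnel between parsed configs a and b
    out, ident = [], {}
    for me, peer in ((a, b), (b, a)):
        entry = next((m for m in me["maps"] if m["peer"] == peer["outside_ip"]), None)
        if entry is None:
            return [("NO_PEER_ENTRY", f"{me['hostname']}: no crypto map entry peers with {peer['outside_ip']}")]
        acl = entry["address"]  # every permit line is a phase 2 proxy identity the peer must mirror exactly
        ident[me["hostname"]] = (acl, {(s, d) for act, s, d in me["acls"].get(acl, []) if act == "permit"})
    ka, kb = a["keys"].get(b["outside_ip"]), b["keys"].get(a["outside_ip"])
    if ka is None or ka != kb:
        out.append(("PSK_MISMATCH", f"isakmp keys for {a['hostname']} <-> {b['hostname']} are missing or differ"))
    for me, peer in ((a, b), (b, a)):
        acl, mine = ident[me["hostname"]]
        mirror = {(d, s) for s, d in ident[peer["hostname"]][1]}
        for s, d in sorted(mine - mirror, key=str):
            out.append(("ACL_NOT_MIRRORED", f"{me['hostname']}: ACL {acl} {s} -> {d} has no mirror on {peer['hostname']}"))
        for s, d in sorted(mine, key=str):  # inside-to-outside NAT runs before the crypto map on IOS
            if _translated(me, s, d):
                out.append(("NAT_BEFORE_CRYPTO", f"{me['hostname']}: {s} -> {d} is NATed by ACL {me['nat_acl']} before crypto ACL {acl} sees it"))
    return out


# Constructed sample configs in the thread's layout; outside addresses are RFC 5737 documentation ranges.
HQ_CONFIG = """\
hostname HQ
crypto isakmp key css address 203.0.113.2
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.2
 match address 103
interface FastEthernet0
 ip address 198.51.100.2 255.255.255.240
 ip nat outside
ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
BRANCH_CONFIG = """\
hostname BRANCH
crypto isakmp key pass address 198.51.100.2
crypto map vpn 10 ipsec-isakmp
 set peer 198.51.100.2
 match address 101
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
ip nat inside source list 102 interface FastEthernet0 overload
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
"""
```

Feed it the two `show running-config` outputs in place of the sample strings and print what `check_pair` returns. Only `ip nat inside source list N` is understood; Router 2 in the thread uses `ip nat inside source route-map`, and for that style the ACL the route-map matches has to be put into `nat_acl` by hand. The NAT check is there because IOS applies inside-to-outside NAT before the crypto map, so packets that a permit-everything NAT list translates to the outside address never match the crypto ACL; Router 2 sidesteps this with a route-map whose ACL 102 denies the tunnel networks first, and a plain `source list` needs the same deny lines in an extended ACL.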

Bardlebee
Feb 24, 2009

Im Blind.
Hey guys, I am looking to buy a firewall, doesn't have to be Cisco... however I want my next job to be a network engineer of sorts (even if it's junior level) so I would prefer to find something that is Cisco, if it's feasible to do.

Some background:

- 100 user company
- five sites, most sites containing 3-4 users at most
- My experience has been with working with Cisco routers.. Setting up NAT/VPN IPsec stuff as you have probably already seen.
- My level of Cisco firewall experience is pretty much zero.

Though I lack experience, I would kill for the chance to set this firewall up. Additionally I should specify that I am not tied down to a time constraint, meaning I don't have to LEARN the firewall so fast as I need to just let my boss know I am still working on it.

Anyway, too much detail I suppose, but my main question is..

Is there a good Cisco Firewall out there that I can use the CLI on? (I assume most of them are) I am trying to get this for two reasons. 1. I think Cisco has a good product and 2. because this experience will be a catalyst in my career.

Also, would you recommend me having a firewall at every site? Even the ones that have only 3-4 people?

Errmm.... sorry for wordy post :words:

CrazyLittle
Sep 11, 2001

Clapping Larry
Are you expected to VPN tunnel all the sites back to one central location, or no?

Bardlebee
Feb 24, 2009

Im Blind.
Yes, all sites connect to services held by one. Except there is a second site that has our secondary DNS and secondary Domain Controller for redundancy.

Sites 1 and 2: site 1 has all the services and about 50 people, and the other sites connect to it. Site 2 has the secondary DNS server, about 45 people. All the sites except site 2 are pointed to site 1's DNS first.

May be too much info...

BelDin
Jan 29, 2001

Bardlebee posted:

because this experience will be a catalyst in my career.

In that case, you need a switch or two as well! :rimshot:

On a more serious note, what kind of connection do the other sites have? You can get ASA5505s with the base license for a few hundred dollars, and those would even let you dial back to your central location.

You get a CLI on just about every piece of network gear from Cisco, but you also get the ASDM. I'm a CLI guy myself, but the GUI makes access rule editing so much easier on firewalls it's not funny.

jwh
Jun 12, 2002

Bardlebee posted:

Hey guys, I am looking to buy a firewall, doesn't have to be Cisco...

Your requirements aren't particularly difficult to meet with anything out there, be it IOS-based router, PIX/ASA, or other vendor product.

If you really want Cisco, just look at a low end ISR or ASA. Either would be fine.

How do the remote offices connect now?

You could also just bring the VPN tunnels back to an IOS-based platform and then firewall off a different box (ASA, Palo Alto, etc.) which is often easier. At least, in my experience.

I don't like ASAs, for what it's worth.

Harry Totterbottom
Dec 19, 2008

jwh posted:

I don't like ASAs, for what it's worth.

ASAs are pretty simple to get up and running and the feature set for the price point is pretty nice. Learn the CLI and don't use the ASDM though, because the ASDM does some stupid things from time to time. Personally I like them, but I'm biased because I get 5505s for about $300 with AnyConnect Essentials.

Bardlebee
Feb 24, 2009

Im Blind.

jwh posted:

Your requirements aren't particularly difficult to meet with anything out there, be it IOS-based router, PIX/ASA, or other vendor product.

If you really want Cisco, just look at a low end ISR or ASA. Either would be fine.

How do the remote offices connect now?

You could also just bring the VPN tunnels back to an IOS-based platform and then firewall off a different box (ASA, Palo Alto, etc.) which is often easier. At least, in my experience.

I don't like ASAs, for what it's worth.

Hmm, I suppose I will need to do a little research into their product line. Is an ASA different from a normal CLI-type Cisco router or switch?

Right now all my remote offices connect via a VPN over IPsec. Not all of them are Cisco routers; most of the small 3-4 people sites are retail VPN routers, and they all connect to my main site, which does have a Cisco 1811 in it.

CrazyLittle
Sep 11, 2001

Clapping Larry

Bardlebee posted:

Hmm, I suppose I will need to do a little research into their product line. Is an ASA different from a normal CLI-type Cisco router or switch?

Right now all my remote offices connect via a VPN over IPsec. Not all of them are Cisco routers; most of the small 3-4 people sites are retail VPN routers, and they all connect to my main site, which does have a Cisco 1811 in it.

The ASA line is the successor to the PIX line of firewall/security boxes. They all have CLI.

There are two things that you have to remember:
1) They don't run IOS, no matter how similar it looks.
2) PIX/ASA is not a router. They don't "route" traffic.

BelDin
Jan 29, 2001

CrazyLittle posted:

The ASA line is the successor to the PIX line of firewall/security boxes. They all have CLI.

There are two things that you have to remember:
1) They don't run IOS, no matter how similar it looks.
2) PIX/ASA is not a router. They don't "route" traffic.

Sure they are! Don't you see the area where you can configure EIGRP and OSPF? All we need to do is insert 30 NAT exemption rules and make all the interfaces have the same security level!

Swear to god, that's what was running on the network at my current work location when I got here. Still working on finishing the migration to, you know, Layer 3 switches and routers now.

jwh
Jun 12, 2002

I just don't like the ASA's way of doing things. I admit, I might not be smart enough to conceptualize its arcane vagaries, but I've never felt like anything it did was either straightforward or intuitive.

Bardlebee
Feb 24, 2009

Im Blind.

CrazyLittle posted:

The ASA line is the successor to the PIX line of firewall/security boxes. They all have CLI.

There are two things that you have to remember:
1) They don't run IOS, no matter how similar it looks.
2) PIX/ASA is not a router. They don't "route" traffic.

I knew that they weren't routers, but this gives me insight into what I might expect... If they are not the same as IOS then surely I may get lost easily.

Would you guys say it would benefit my experience to purchase an ASA? Or should I just get a firewall that is GUI based... I have heard Sonicwall is good, but I don't know if those are router/firewall mixes.

CrazyLittle
Sep 11, 2001

Clapping Larry

jwh posted:

I just don't like the ASA's way of doing things. I admit, I might not be smart enough to conceptualize its arcane vagaries, but I've never felt like anything it did was either straightforward or intuitive.

You and me both. PIX even made more sense to me than the ASA's changes.

Bardlebee posted:

I knew that they weren't routers, but this gives me insight into what I might expect... If they are not the same as IOS then surely I may get lost easily.
It's very very very similar. Like, all of the basics are the same. Once you get into the whole "I'm a firewall" aspect, that's where things differ.

Bardlebee posted:

Would you guys say it would benefit my experience to purchase an ASA? Or should I just get a firewall that is GUI based... I have heard Sonicwall is good, but I don't know if those are router/firewall mixes.

gently caress sonicwall.

jwh
Jun 12, 2002

Bardlebee posted:

Would you guys say it would benefit my experience to purchase an ASA? Or should I just get a firewall that is GUI based... I have heard Sonicwall is good, but I don't know if those are router/firewall mixes.

Get a Palo Alto PA-500!

Harry Totterbottom
Dec 19, 2008

CrazyLittle posted:

It's very very very similar. Like, all of the basics are the same. Once you get into the whole "I'm a firewall" aspect, that's where things differ.

Not to mention the show int ip brief instead of show ip int brief and other commands that just seem a little backwards.

Bardlebee
Feb 24, 2009

Im Blind.

CrazyLittle posted:


gently caress sonicwall.

Why so angry? Is sonicwall a bad product?

Palo-Alto 500, eh? Is it CLI or GUI? I assume CLI.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Sonicwalls are terrible, as are Watchguards.

Netscreen (Juniper SSG) is a good Cisco alternative. I'm a 100% CLI guy in almost all cases (Cisco IOS, FreeBSD servers, etc) but ScreenOS's web interface is good. It does have a CLI, but configuring it from there isn't as friendly. I've also heard that Fortigate firewalls are nice but I don't have any experience with them; they were created by the creator of Netscreen.

One last thing to look at that's quite a bit different is Mikrotik, something like a RouterBoard 1100, which is cheap as hell and quite incredible when you compare price/performance/features. For $400 you get 13 gig-e interfaces and it can do all sorts of firewall and routing stuff: IPsec VPN, OpenVPN, MPLS, OSPF, BGP, blah blah, the list goes on.

Bardlebee
Feb 24, 2009

Im Blind.
I am looking at the Cisco ASA 5505... if I have my main site, connecting to my other five sites through a VPN IPSec connection, would I need to buy a security license?

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html

Or is this just referring to actual user-to-site licenses? I am confused here.

jwh
Jun 12, 2002

Bardlebee posted:

Why so angry? Is sonicwall a bad product?

Palo-Alto 500, eh? Is it CLI or GUI? I assume CLI.

Both, but the majority of the administration is done via a web-based GUI. Even if you're a CLI guy (as I am), it's very workable. Working firewall/IPS/DLP policies textually can be difficult.

Unfortunately, and I don't know what your budget is, a PA-500 is 10x the cost of an ASA5505. But, it'll do all your firewall, site-to-site, client remote access, IDS/IPS, DLP, URL filtering in one platform. And that's pretty neat.

wolrah
May 8, 2006
what?
Is Cisco's SSL VPN using a standard VPN protocol of any sort? I ask because I have an IP phone which supports connecting to a SSL VPN and I'd like to screw around with that feature, but I don't believe any of my Cisco hardware is capable of running it. (plus I think I recall it being a licensed feature, and no way I'm paying just to mess around with something)

I'm hoping there's a Linux or FreeBSD implementation and I just don't have the right terms to search with.

Bardlebee
Feb 24, 2009

Im Blind.

wolrah posted:

Is Cisco's SSL VPN using a standard VPN protocol of any sort? I ask because I have an IP phone which supports connecting to a SSL VPN and I'd like to screw around with that feature, but I don't believe any of my Cisco hardware is capable of running it. (plus I think I recall it being a licensed feature, and no way I'm paying just to mess around with something)

I'm hoping there's a Linux or FreeBSD implementation and I just don't have the right terms to search with.

What do you mean by 'standard' SSL VPN? I was under the impression SSL was the standard?

abigserve
Sep 13, 2009

this is a better avatar than what I had before

CrazyLittle posted:

The ASA line is the successor to the PIX line of firewall/security boxes. They all have CLI.

There are two things that you have to remember:
1) They don't run IOS, no matter how similar it looks.
2) PIX/ASA is not a router. They don't "route" traffic.

A PIX can route traffic - we route several DMZs off our PIX using OSPF.

wolrah
May 8, 2006
what?

Bardlebee posted:

What do you mean by 'standard' SSL VPN? I was under the impression SSL was the standard?

SSL provides a standard method for encryption and authentication, but it's nowhere near all you'd need for a normal VPN tunnel. The completely clientless feature of Cisco SSL VPN seems to be a web interface to a variety of services, that does run on standard HTTPS, but what the Java port forwarding thing and the full AnyConnect tunnel client use is what I'm interested in.

CrazyLittle
Sep 11, 2001

Clapping Larry

abigserve posted:

A PIX can route traffic - we route several DMZs off our PIX using OSPF.

Try implementing PBR

jwh
Jun 12, 2002

I still think it's hilariously stupid that you can't terminate client VPN when the ASA is in multiple context mode. Did they ever fix that?

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

I still think it's hilariously stupid that you can't terminate client VPN when the ASA is in multiple context mode. Did they ever fix that?

Nope. It can't do site-to-site either.

jwh
Jun 12, 2002

ragzilla posted:

Nope. It can't do site-to-site either.

That's really disappointing.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

That's really disappointing.

Yeah I really don't understand why they haven't done this.

jwh
Jun 12, 2002

Our DC systems folks are attempting to move to UCS-based chassis and blades within the next six to ten months, in an attempt to consolidate our VM environment.

To that end, they're proposing FEXs (Nexus 2ks) in the blades, connected to a HA pair of 6140 unified-fabric boxes. They're also proposing a Nexus 5000, to connect the 6140s to.

Thing is, I don't see what the point of the 5000 is, since all the M71KR-E converged network adapters terminate in the 6140s, and the only thing the 5000 would do is sit in between the 6140s and the 6500 L3 cores.

I can understand the 5000s provide cheaper 10gig density, but I don't see why that's important here if all the CNAs sit on the 6140s.

Am I missing something?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

Our DC systems folks are attempting to move to UCS-based chassis and blades within the next six to ten months, in an attempt to consolidate our VM environment.

To that end, they're proposing FEXs (Nexus 2ks) in the blades, connected to a HA pair of 6140 unified-fabric boxes. They're also proposing a Nexus 5000, to connect the 6140s to.

Thing is, I don't see what the point of the 5000 is, since all the M71KR-E converged network adapters terminate in the 6140s, and the only thing the 5000 would do is sit in between the 6140s and the 6500 L3 cores.

I can understand the 5000s provide cheaper 10gig density, but I don't see why that's important here if all the CNAs sit on the 6140s.

Am I missing something?

Well, if they are planning on using 2100 series switches for top of rack, then it makes sense. If it's only to support the UCS chassis they are looking to install, then I'm with you. I don't see the point.
