Richard Noggin
Jun 6, 2005
Redneck By Default

chestnut santabag posted:

My ASA is a little rusty but should not one of those netmasks be the actual netmask for the subnet?

Nope. He's trying to PAT a single host.


Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Thank you for the reply but ultimately this cannot be done. The static nat is also used to route interesting traffic over their IPSec tunnel to us, simply removing the existing nat will cut connectivity unless I remap all of the ports they need to use, and I'm not really up for that.

I told them to change the listening port in IIS to the one they want me to open :v:

Partycat
Oct 25, 2004

I'm curious, and I'm looking at a network design here that's being thought over for data center design. This is an internal data center; there is external traffic, but the functionality of it is not primarily geared towards web traffic.

What is the caveat of using ACLs on something like 6509's or Nex 5548's at a core where ingress traffic is present, versus paying for other large firewall devices for deployment and installation in front of those for what would ultimately amount to a set of off-box ACLs? Is there any commentary on the performance hit, or vulnerability for that function, that anyone would care to share?

jwh
Jun 12, 2002

Logging, ACL maintenance, inability to deep-inspect.

tortilla_chip
Jun 13, 2007

k-partite
Depending on ACL complexity, exhaustion of TCAM LOUs.

Bardlebee
Feb 24, 2009

Im Blind.
As far as security is concerned. What would be the best move to implement physical Cisco firewalls?

Right now I have two main sites with one or two servers each, along with 30 people per site. Then I have four other sites with maybe 3 users max.

Do I need a firewall per site? All traffic comes back to the servers at the main sites so can I just get by with two firewalls, one at each site? Or will it be an issue with my VPN's? My one thought is someone could get on the network at our small off sites and access our VPN connection to the main site, therefore bypassing our Firewalls. Is this possible?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Bardlebee posted:

As far as security is concerned. What would be the best move to implement physical Cisco firewalls?

Right now I have two main sites with one or two servers each, along with 30 people per site. Then I have four other sites with maybe 3 users max.

Do I need a firewall per site? All traffic comes back to the servers at the main sites so can I just get by with two firewalls, one at each site? Or will it be an issue with my VPN's? My one thought is someone could get on the network at our small off sites and access our VPN connection to the main site, therefore bypassing our Firewalls. Is this possible?

Yes, that's possible if I understand what you are saying.

thiscommercialsucks
Jun 13, 2009

by T. Mascis
You don't necessarily need a firewall per site. Just a network access policy at each remote site; user or machine based authentication. Can someone just walk into your remote offices, plug in a computer and go at it? If that's the case then that's the underlying problem. Do they need to authenticate at all in order to access the VPN? Are they on AD? 802.11x for wireless clients?

Bardlebee
Feb 24, 2009

Im Blind.

thiscommercialsucks posted:

You don't necessarily need a firewall per site. Just a network access policy at each remote site; user or machine based authentication. Can someone just walk into your remote offices, plug in a computer and go at it? If that's the case then that's the underlying problem. Do they need to authenticate at all in order to access the VPN? Are they on AD? 802.11x for wireless clients?

No AD yet, that JUST got approved along with setting up firewalls, encrypted email, and other security measures this clinic never thought were important.

I love my job. :)

EDIT: I don't have managed switches, how can I stop someone from just plugging in to our ports? I suppose the answer is I can't...

jwh
Jun 12, 2002

Don't get Cisco firewalls, get something better.

edit: (sorry Tremblay).

Bardlebee
Feb 24, 2009

Im Blind.
Haha, well I am getting it partially for experience purposes to be honest.

But I also wanted to ask about the product, we are planning on purchasing 5505's, do those support up to 5 Site-to-Site VPN's? The sales guy says they support only up to 2 SSL VPN's, but I am using IPSec so that shouldn't matter....right?...guys?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

Don't get Cisco firewalls, get something better.

edit: (sorry Tremblay).

I don't take offense. They've fallen waaaay behind the power curve on the ASA line. ASDM is still a bit of a cluster and the changes in 8.3+ make cli config almost unbearable. It's a bitch to troubleshoot. Not with Cisco anymore either, although I'd still say that if I was :).

Bardlebee posted:

Haha, well I am getting it partially for experience purposes to be honest.

But I also wanted to ask about the product, we are planning on purchasing 5505's, do those support up to 5 Site-to-Site VPN's? The sales guy says they support only up to 2 SSL VPN's, but I am using IPSec so that shouldn't matter....right?...guys?

Base license supports 10 L2L tunnels, Plus supports 25.

Bardlebee
Feb 24, 2009

Im Blind.
Ok, so I believe I have summed up a decent security plan, tell me what you think as I am a novice. Additionally I work in a clinic, which I am not sure if it matters.

The two main sites:
ASA Firewalls
Cisco Managed Switches
Cisco Router
Wireless is currently WPA-PSK2 right now.

The 4 off sites (Just desktops connected to two main sites Domain Controller):
Cisco 861 Routers
Cisco Managed Switches (Port security enabled for only their mac address)
Wireless is currently WPA-PSK2 right now.

Again maybe 75-100 users. Most in the two sites, maybe two or three in the off sites.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Bardlebee posted:

Ok, so I believe I have summed up a decent security plan, tell me what you think as I am a novice. Additionally I work in a clinic, which I am not sure if it matters.

The two main sites:
ASA Firewalls
Cisco Managed Switches
Cisco Router
Wireless is currently WPA-PSK2 right now.

The 4 off sites (Just desktops connected to two main sites Domain Controller):
Cisco 861 Routers
Cisco Managed Switches (Port security enabled for only their mac address)
Wireless is currently WPA-PSK2 right now.

Again maybe 75-100 users. Most in the two sites, maybe two or three in the off sites.

Sounds reasonable. Once you get AD up I'd look into rolling out 802.1x for the wireless clients.

Bardlebee
Feb 24, 2009

Im Blind.

Tremblay posted:

Sounds reasonable. Once you get AD up I'd look into rolling out 802.1x for the wireless clients.

Are you referring to authentication on to the wireless network? Like a username and password? Because we have a password already.

By the way, these are doctors and they will have none of this username and password crap on their computers, let alone their wireless devices.

Guess who isn't joining the domain. :eng99:

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Bardlebee posted:

Are you referring to authentication on to the wireless network? Like a username and password? Because we have a password already.

By the way, these are doctors and they will have none of this username and password crap on their computers, let alone their wireless devices.

Guess who isn't joining the domain. :eng99:

Explain the possible legal consequences of a spillage event. Few people like legal and the resulting fiscal issues.

I feel your pain, really do. My current employment is basically the inverse of yours. People are hyper sensitive about security, however the resulting management cluster gently caress leads to poo poo breaking and no real net benefit.

Tremblay fucked around with this message at 23:49 on Feb 4, 2011

Bardlebee
Feb 24, 2009

Im Blind.

Tremblay posted:

Explain the possible legal consequences of a spillage event. Few people like legal and the resulting fiscal issues.

This has been explained and warned to them. They are barely spitting out 8000 for the security changes I am making. Oh and by the way we have POP3 email and they are not budging on getting our own in house email to encrypt it or an external source to encrypt it.

Because our current provider is free. I guess I don't care if they have a spillage, I have told them the threats and have kept documentation on the emails I have sent about it, complete with diagrams.

I am leaving to be a network engineer in a month or so (wishful thinking), so if they still don't approve email encryption. Not my problem.

EDIT: To give you an idea from what I have come from, the most advanced piece of network equipment they had was a Netgear retail Wireless Access Point. Yeah... no servers, no authentication, no wireless passwords. Though I am proud that I have been here a year and I am doing all this crazy stuff from the ground up. :c00lbert:

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Bardlebee posted:

This has been explained and warned to them. They are barely spitting out 8000 for the security changes I am making. Oh and by the way we have POP3 email and they are not budging on getting our own in house email to encrypt it or an external source to encrypt it.

Because our current provider is free. I guess I don't care if they have a spillage, I have told them the threats and have kept documentation on the emails I have sent about it, complete with diagrams.

I am leaving to be a network engineer in a month or so (wishful thinking), so if they still don't approve email encryption. Not my problem.

EDIT: To give you an idea from what I have come from, the most advanced piece of network equipment they had was a Netgear retail Wireless Access Point. Yeah... no servers, no authentication, no wireless passwords. Though I am proud that I have been here a year and I am doing all this crazy stuff from the ground up. :c00lbert:

:) As you bounce from company to company you'll be amazed by what stays the same, and what doesn't.

Drumstick
Jun 20, 2006
Lord of cacti
Will cdp show me the HP switches that are connected to the cisco switch? I know that it supposedly does not, but in WCS the cisco WAPs are showing the HP switches they are connected to in cdp.

I'm assuming the answer to this is no, so here is a follow up question.

We are using cisco 4506s as our building backbones, and they have the fiber connections to other switches in the building. However none of these fiber connections are labeled and I need to know where they go. Any easy way to do this other than unplugging a line and waiting for phone calls?

It's nice to inherit a job where the previous occupant didn't do poo poo.

ior
Nov 21, 2003

What's a fuckass?

Drumstick posted:

Will cdp show me the HP switches that are connected to the cisco switch? I know that it supposedly does not, but in WCS the cisco WAPs are showing the HP switches they are connected to in cdp.

Older HP gear actually does run CDP.

Badgerpoo
Oct 12, 2010

ior posted:

Older HP gear actually does run CDP.

From a specific software version (I forget exactly which, but it was a few years ago) HP stopped transmitting CDP packets, but they will still receive them to allow show cdp neighbours to work on a HP switch connected to a Cisco device. HP now use LLDP, so if you enable lldp on the Cisco switches you will be able to use that both ways.

Drumstick posted:

We are using cisco 4506s as our building backbones, and they have the fiber connections to other switches in the building. However none of these fiber connections are labeled and I need to know where they go. Any easy way to do this other than unplugging a line and waiting for phone calls?

Are the cat4ks connected directly to some HPs? Here's the configuration guide on setting up lldp on the 4506 end: 4500 Configuration Guide

Badgerpoo fucked around with this message at 22:34 on Feb 7, 2011

Drumstick
Jun 20, 2006
Lord of cacti
Thanks for the replies! I took a look at a few of the HP 4000s we have and CDP is enabled. I wasn't even aware of LLDP, which will also come in handy with some of the new model HPs we have floating around. Thanks for the help, made the project much easier on me.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
Kind of an odd question, but does anyone know offhand about setting up network-to-host IPsec on an IOS router? I just read an appendix in the ROUTE quick reference about setting up site-to-site IPsec and it looks fairly straightforward, but the main ROUTE certification guide has less information than the quick reference and so I'm not sure how exactly I should alter the example configuration if I wanted to try this out on my home setup.

The quick reference guide goes through:
ISAKMP policy configuration
IPsec transform set configuration
Crypto ACL configuration
Crypto map configuration
Applying the crypto map to an interface
and interface ACLs (which is kind of elementary at this point).

It all looks good except that the crypto map configuration involves setting a peer address and I'm pretty sure that it doesn't work that way when I'm doing point-to-multipoint IPsec instead of tunneling over a point-to-point link. I searched around on Cisco's site but their basic configuration example there also involves a point-to-point tunnel, so I'm not really sure where to go except buying a VPN cert guide or something.

Also, are there any special concerns with doing this? I'm aware that my 1720 doesn't have a super-fast processor so I probably shouldn't try to max out my WAN link with a bunch of VPN tunnels, but I don't want to open up any huge security holes or anything like that.

Bardlebee
Feb 24, 2009

Im Blind.
I am not an expert with security, but IPSec is pretty secure in itself. Using it as an encrypted tunnel is pretty solid, it is what I use at my current job. Though I can't help you with point-to-access as I do the traditional Point-to-Point for my offices.

EDIT: While we're here. Does anyone know a good tutorial for a "Baby's first Cisco ASA Firewall"?

I would like to cover any holes there may be for entry into my network. I have been disappointed with the lack of information when it comes to tunnels in the Cisco tests so far. I hope CCNA: Security is better with it.

Bardlebee fucked around with this message at 17:31 on Feb 8, 2011

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Eletriarnation posted:

Kind of an odd question, but does anyone know offhand about setting up network-to-host IPsec on an IOS router? I just read an appendix in the ROUTE quick reference about setting up site-to-site IPsec and it looks fairly straightforward, but the main ROUTE certification guide has less information than the quick reference and so I'm not sure how exactly I should alter the example configuration if I wanted to try this out on my home setup.

The quick reference guide goes through:
ISAKMP policy configuration
IPsec transform set configuration
Crypto ACL configuration
Crypto map configuration
Applying the crypto map to an interface
and interface ACLs (which is kind of elementary at this point).

It all looks good except that the crypto map configuration involves setting a peer address and I'm pretty sure that it doesn't work that way when I'm doing point-to-multipoint IPsec instead of tunneling over a point-to-point link. I searched around on Cisco's site but their basic configuration example there also involves a point-to-point tunnel, so I'm not really sure where to go except buying a VPN cert guide or something.

Also, are there any special concerns with doing this? I'm aware that my 1720 doesn't have a super-fast processor so I probably shouldn't try to max out my WAN link with a bunch of VPN tunnels, but I don't want to open up any huge security holes or anything like that.

I don't understand what you are trying to do. Take a look at Remote Access (RA) VPNs. You are talking about L2L (LAN to LAN) here and I don't think that's what you need. You don't have to specify the ISAKMP peer by IP you can just 0.0.0.0 for any.

ate shit on live tv
Feb 15, 2004

by Azathoth
http://www.fredshack.com/docs/vpnios.html

This is a decent site showing how to configure client VPNs on a router. You should be able to do what you need with that.

somethingwicked
May 5, 2006

Hai!
I just started a new job where the company just opened a new store. They have a WRV210 router that was purchased so they could have a VPN connection back to corporate, as well as wifi for the customers. I'm guessing the previous guy purchased this router because it states that you can create VLANS to separate traffic, but when I make two VLANS and put the SSID for the customer wifi on a separate one they can still access everything on the network. Is there something I'm missing here? I'm not too familiar with this at all but I'm not seeing the point of a VLAN if it doesn't actually segregate the traffic. I've looked all throughout the router for additional options/settings but haven't found anything.

ate shit on live tv
Feb 15, 2004

by Azathoth
You need to use acls to keep the customer wifi separate from your corporate office traffic. Right now you just have a different vlan and then people are still able to route to the rest of the network.

Create a dhcp pool for the free wifi, give it a separate ip address space, maybe 192.168.2.0/24, then create an ACL that references that network and denies traffic from that network going to 10.0.0.0/8, assuming 10.0.0.0 is your corporate network.
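The guest-wifi isolation described above depends on the ACL being ordered correctly (first match wins, implicit deny at the end). The following is an added example, not the WRV210's or the thread's own configuration: a small first-match ACL evaluator in Python that models the proposed rule set and checks sample flows against it before the policy goes on a box. It assumes the guest pool 192.168.2.0/24 and corporate 10.0.0.0/8 from the post, and goes one step beyond it by also denying the store's own LAN (the 192.168.16.0/24 prefix is an assumption) so guests are kept off local hosts as well as the corporate side of the VPN. Every address below is constructed from documentation ranges.

```python
import ipaddress

# Constructed example values (not from the thread): guest pool from the post,
# corporate network from the post, store LAN prefix is an assumption.
GUEST_NET = "192.168.2.0/24"
CORP_NET = "10.0.0.0/8"
STORE_LAN = "192.168.16.0/24"   # assumption: the store's local subnet

# Each entry is (action, source, destination). Evaluated top-down, first match
# wins, and anything left over hits the implicit deny, as a Cisco ACL behaves.
GUEST_ACL = [
    ("deny",   GUEST_NET, CORP_NET),     # corporate network reached over the VPN
    ("deny",   GUEST_NET, STORE_LAN),    # the store's own LAN (assumed prefix)
    ("permit", GUEST_NET, "0.0.0.0/0"),  # everything else: plain internet access
]

# The same three lines with the permit placed first: the denies can never match.
BROKEN_ACL = [GUEST_ACL[2], GUEST_ACL[0], GUEST_ACL[1]]


def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a src->dst packet under first-match rules."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src_ip in ipaddress.ip_network(s_net) and dst_ip in ipaddress.ip_network(d_net):
            return action
    return "deny"  # implicit deny at the end of every ACL


# Constructed flows a guest client might generate (RFC 5737 ranges for the internet).
SAMPLE_FLOWS = [
    ("192.168.2.10", "10.1.5.20"),      # corporate file server: must be denied
    ("192.168.2.10", "192.168.16.5"),   # store host on the local LAN: must be denied
    ("192.168.2.10", "198.51.100.7"),   # public web server: permitted
    ("192.168.2.10", "203.0.113.53"),   # public resolver: permitted
]


def verify_isolation(acl=GUEST_ACL, flows=SAMPLE_FLOWS):
    """Map each sample flow to its verdict so a policy can be reviewed before deployment."""
    return {f"{s}->{d}": evaluate(acl, s, d) for s, d in flows}


if __name__ == "__main__":
    for flow, verdict in verify_isolation().items():
        print(f"{verdict:6} {flow}")
    # Ordering pitfall: with permit-any first, corporate traffic is let through.
    print("permit-first ACL, corporate verdict:", evaluate(BROKEN_ACL, "192.168.2.10", "10.1.5.20"))
```

The useful check is the BROKEN_ACL case: a rule set that "contains" the right deny can still leak if a broad permit sits above it, which is the mistake worth catching on paper rather than on the store's router.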

somethingwicked
May 5, 2006

Hai!

Powercrazy posted:

You need to use acls to keep the customer wifi separate from your corporate office traffic. Right now you just have a different vlan and then people are still able to route to the rest of the network.

Create a dhcp pool for the free wifi, give it a separate ip address space, maybe 192.168.2.0/24, then create an ACL that references that network and denies traffic from that network going to 10.0.0.0/8, assuming 10.0.0.0 is your corporate network.

Can this be done from any Cisco router? I'm not seeing any options when I log into the web based administration, like changing the wifi to a new subnet (that store's network is 192.168.16.1-25 - DHCP for the wifi starts after that). The only ACL options I've seen on the router are to restrict access based on MAC address.

ate shit on live tv
Feb 15, 2004

by Azathoth
It can but you will probably have to figure out the web interface, as I'm not sure the WRV210 will allow you to access the CLI.

Check for something like a "Guest Vlan" for wireless.

ate shit on live tv
Feb 15, 2004

by Azathoth
Anyone have any good websites that talk about troubleshooting multicast? Especially Cisco-centric commands, as well as how to parse what the output means. I know the basics of what the numbers mean, but how do they help me understand the environment?

And more importantly how do I prove that when a host isn't joining a particular multicast group, it isn't "the network." Is there a way to trace where multicast groups are available or figure out what hosts have subscribed at the switch level?

I'm just not super familiar with troubleshooting a multicast environment.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

Tremblay posted:

I don't understand what you are trying to do. Take a look at Remote Access (RA) VPNs. You are talking about L2L (LAN to LAN) here and I don't think that's what you need. You don't have to specify the ISAKMP peer by IP you can just 0.0.0.0 for any.

Oh! See, I didn't know that you can specify a range/subnet - the example only gives a single address. As you say, I am trying to set up a remote access VPN but all of the examples I've found are L2L so I was asking if that's an entirely different feature (that is, I can't do it on my little 1720) or if it's just a slightly different configuration.

inignot
Sep 1, 2003

WWBCD?
"show ip mroute" will give you the multicast group, unicast source, ingress and egress interfaces for all multicast flows traversing a router. "show ip igmp groups" will show you what groups hosts on attached interfaces have joined. You can also debug igmp to observe if hosts are definitely requesting to join a group.

I'm assuming you have pim and your rp sorted out.

jwh
Jun 12, 2002

You don't really troubleshoot multicast so much as you throw your hands up in the air in disgust and pretend that whatever it was that wasn't working was never meant to be in the first place.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
Look for (S,G) entries on the receiver facing router, check IGMP group membership tables, if that's all fine check RPF isn't failing (for the group).

Finally, if all of those are good, check the multicast TTL on the host, and after that, you'd have to continue on a case-to-case basis.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Eletriarnation posted:

Oh! See, I didn't know that you can specify a range/subnet - the example only gives a single address. As you say, I am trying to set up a remote access VPN but all of the examples I've found are L2L so I was asking if that's an entirely different feature (that is, I can't do it on my little 1720) or if it's just a slightly different configuration.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

Or RTFM for your version of IOS. But yes RA is not configured identically to L2L.

abigserve posted:

Look for (S,G) entries on the receiver facing router, check IGMP group membership tables, if that's all fine check RPF isn't failing (for the group).

Finally, if all of those are good, check the multicast TTL on the host, and after that, you'd have to continue on a case-to-case basis.

And if you are doing testing with say VLC as your source know that it defaults to TTL=1 and save yourself the humiliation and tears that it brought to me.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

Tremblay posted:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

Or RTFM for your version of IOS. But yes RA is not configured identically to L2L.

Awesome - yeah, that's exactly what I needed, I just didn't know the proper search terms. Thanks!

fordan
Mar 9, 2009

Clue: Zero

Powercrazy posted:

Anyone have any good websites that talk about troubleshooting multicast? Especially Cisco-centric commands, as well as how to parse what the output means. I know the basics of what the numbers mean, but how do they help me understand the environment?

And more importantly how do I prove that when a host isn't joining a particular multicast group, it isn't "the network." Is there a way to trace where multicast groups are available or figure out what hosts have subscribed at the switch level?

I'm just not super familiar with troubleshooting a multicast environment.

If you're convinced it's the host not joining, focus on the IGMP. Have them join the group, do a "show ip igmp groups" and "show ip igmp interface gi x/x" on the router. Also consider using wireshark either on the host or via a SPAN port to see if you're getting the IGMP joins.

Do you have IGMP snooping or CGMP on your switches?

From a switch level, you can search your CAM table for the 01-00-5E Ethernet address associated with that multicast IP address (steps to convert from IP to Ethernet are here). e: this will only really work if you are using IGMP snooping/CGMP to prevent the switch from treating multicasts like broadcasts.
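The CAM-table search above relies on the standard IPv4-multicast-to-Ethernet mapping (01-00-5E plus the low 23 bits of the group address). The following is an added example, not code from the thread: a Python helper that performs that mapping, lists the 32 groups that share one Ethernet address (the mapping discards five bits), and looks a group up in a constructed `show mac address-table`-style CAM snapshot. The CAM entries and port names are made up for the example.

```python
import ipaddress


def multicast_mac(group):
    """Map an IPv4 multicast group to its 01-00-5E Ethernet address.

    Only the low-order 23 bits of the group survive: 01:00:5e, then the
    second octet with its top bit cleared, then the third and fourth octets
    unchanged. (Added example of the standard mapping, not thread code.)
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address (224.0.0.0/4)")
    o = addr.packed  # four octets as ints
    return "01:00:5e:{:02x}:{:02x}:{:02x}".format(o[1] & 0x7F, o[2], o[3])


def colliding_groups(group):
    """Return all 32 multicast groups that map to this group's Ethernet address.

    A multicast address has 28 variable bits (after the fixed 1110 prefix) but
    the MAC keeps only 23, so the low 4 bits of the first octet and the top bit
    of the second octet are lost. Any of these 32 groups produce the same CAM
    entry, which is why a 01-00-5E hit can belong to a different group.
    """
    addr = int(ipaddress.IPv4Address(group))
    low23 = addr & 0x007FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


# Constructed CAM snapshot (vlan, mac, ports); not real switch output.
SAMPLE_CAM = [
    (10, "01:00:5e:01:01:01", ["Gi1/0/3", "Gi1/0/7"]),
    (10, "01:00:5e:7f:ff:fa", ["Gi1/0/12"]),
    (20, "01:00:5e:01:01:01", ["Gi1/0/21"]),
]


def ports_for_group(group, cam=SAMPLE_CAM, vlan=None):
    """Ports whose CAM entry matches the group's Ethernet address, optionally per VLAN."""
    mac = multicast_mac(group)
    return sorted({p for v, m, ports in cam if m == mac and (vlan is None or v == vlan) for p in ports})


if __name__ == "__main__":
    g = "239.129.1.1"
    print(g, "->", multicast_mac(g))
    print("shares its MAC with", len(colliding_groups(g)), "groups, e.g.", colliding_groups(g)[:3])
    print("CAM ports in VLAN 10:", ports_for_group(g, vlan=10))
```

The collision list is the caveat fordan's approach carries: a port that shows up under 01-00-5E-01-01-01 may have joined 224.1.1.1, 239.129.1.1 or any of the other thirty groups in that set, so confirm with `show ip igmp groups` before concluding a host has subscribed.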

nex
Jul 23, 2001

øæå¨æøåø
Grimey Drawer
If you just want to show that it's not the network, just do a static join from the nearest switch: "See? It's working" :smug:


Harry Totterbottom
Dec 19, 2008
Random question, I'm locking down the ASA for the DMZ -> Inside right now and am trying to figure out the best way to let the 2k8 servers in the DMZ authenticate w/ AD so that when the devs need to access the box they can just use their normal domain logins.

Is there a simple way to do this or am I going to need to configure something like AD FS, since ADAM isn't an option? Right now I've just got a massive port list on permit

code:
tcp/1024-65535, tcp/135, tcp/137, tcp/1512, tcp/3268, tcp/3269, tcp/42, tcp/445, tcp/88, tcp/domain, tcp/ldap, tcp/ldaps, 
tcp/netbios-ssn, udp/135, udp/1512, udp/445, udp/88, udp/domain, udp/nameserver, udp/netbios-dgm, udp/netbios-ns
Even though this is only pointing at the AD server, it seems excessive.

Found a shorter list of ports to allow (http://goo.gl/orhU6), still wondering if this is the best method though, or if I should create a secondary domain w/ a 1 way trust.

Harry Totterbottom fucked around with this message at 17:22 on Feb 14, 2011
