Harry Totterbottom posted:
> Set up site-to-site ipsec tunnels between each office using the wizard in the ASDM. Make sure you match your crypto-map and have a trusted cert if you don't use a passphrase.

Yeah; just making sure - an ASA 5505 can handle multiple site-to-site links on one device, right? It's not two-way only, right? Beyond that, I've set up remote access on a couple of ASAs so I'm not terribly worried about the configuration process as long as it's similar. Just making sure we're hitting the hardware requirements.

# Dec 6, 2011 21:09

Walked posted:
> Yeah; just making sure - an ASA 5505 can handle multiple site-to-site links on one device, right? It's not two-way only, right?

The device itself is capable, but there may be licensing restrictions.

# Dec 6, 2011 22:08

That's all I needed to know. Thanks. Just trying to do some prep-reading. Seems actually pretty painless for what they need/want.

# Dec 6, 2011 22:47

I have some Cisco 800s that I can't get any Netflow data from. How can I check to see if Netflow is enabled on the routers?

# Dec 6, 2011 23:18

Swink posted:
> I have some cisco 800's that I cant get any Netflow data from. How can I check to see if Netflow is enabled on the routers?

Do you even bother to google search before asking stupid questions? http://www.google.ca/#sclient=psy-ab&hl=en&source=hp&q=cisco+800+netflow&pbx=1&oq=cisco+800+netflow&

# Dec 6, 2011 23:35

Swink posted:
> I have some cisco 800's that I cant get any Netflow data from. How can I check to see if Netflow is enabled on the routers?

first, you take your potato

Q. time... has anyone had any problems (or could explain) why a lot (over 1gbps) of input traffic on a SPAN destination port causes high CPU on a 7600 chassis? It's like all the traffic is getting punted to the CPU before it gets dropped, but I can't see any reason why it would.

# Dec 7, 2011 02:33

Walked posted:
> Yeah; just making sure - an ASA 5505 can handle multiple site-to-site links on one device, right? It's not two-way only, right?

Hope each site uses discrete/unique subnets!

abigserve posted:
> first, you take your potato

So it goes away when you disable SPAN or the traffic backs off? What Sup? What linecard for SPAN output? What is the SPAN source? What features are you using? What switching mode?

Show cef somethingoranotheraboutnoncefswitchedtraffic
show ip cef switching stat

You can SPAN the connection between SP and RP. Once you look at that traffic you'll have more to go on.

# Dec 7, 2011 04:14

Tremblay posted:
> You can SPAN the connection between SP and RP. Once you look at that traffic you'll have more to go on.

(Save you the time looking for this) http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml#span_inband

# Dec 7, 2011 04:34

Tremblay posted:
> Hope each site uses discrete/unique subnets!

Thank gently caress for this. Basically 2 of the three sites haven't been configured in any meaningful way yet. So I should have flexibility on it. Also I just got some of their technical documentation (hooray already having a clearance and all my information assurance training done) as well as their projected timelines. I'm good to go. I'm looking at a 1-2 year window to get VPN configured and a domain stood up.

# Dec 7, 2011 14:22

Walked posted:
> Thank gently caress for this. Basically 2 of the three sites havent been configured in any meaningful way yet. So I should have flexibility on it.

2 years for an AD domain and two site-to-site VPNs is considered the performance metric? Wow.

# Dec 7, 2011 19:18

jbusbysack posted:
> 2 years for an AD domain and two site to site VPNs is considered the performance metric? Wow.

I'm really, really hoping someone is giving me wrong information. Granted, the task-list is much longer and has many other tasks as well. So we'll see. Money's too good regardless.

# Dec 7, 2011 19:24

I think I'd rather find a carrier to do a private MPLS WAN for the multiple sites rather than deal with IPSec VPNs like that.

# Dec 7, 2011 20:06

MPLS WAN is expensive though compared to commodity broadband.

# Dec 7, 2011 21:22

I'm hoping someone can help me out. This is probably a really basic thing to correct, but I'm a relative newbie and am stumped. I am trying to set up a guest wireless network that should have Internet access but otherwise be blocked from everything else. I have set up a new VLAN (Vlan160), assigned the guest network to it in the AP, and have DHCP handing out addresses on 192.168.160.0 to clients that connect to it. So far so good. I'm struggling with the access list that I need to create to segment this VLAN off from everything else while allowing DNS, DHCP, and Internet access. We have 5 other subnets (192.168.140, 141, 142, 143, 200.0) that should be invisible to this network. This is what I've managed to cobble together thanks to Google:

code:

The result is that this actually works -- kinda. Clients on the guest wireless can't access the file server or Exchange, etc., and can use the Internet, BUT they are also able to access any other internal servers on port 80 if they offer that service (like all our switches, SAN, other web-based management consoles). I realize the problem is with the line to allow any www/443 traffic to any destination, but I don't know how to tell it "just let 80/443 go out to the internet and nowhere else internally". Our default route for internet traffic is set properly on the switches to 192.168.140.2. If I make a rule permitting port 80 traffic only to that host, web browsing fails to work. Only with any/any does the Internet work, but of course it has that unwanted side-effect. Any suggestions?

# Dec 7, 2011 23:07

geera posted:
> I realize the problem is with the line to allow any www/443 traffic to any destination, but I don't know how to tell it "just let 80/443 go out to the internet and nowhere else internally". Our default route for internet traffic is set properly on the switches to 192.168.140.2. If I make a rule permitting port 80 traffic only to that host, web browsing fails to work. Only with any/any does the Internet work, but of course has that unwanted side-effect.

i.e.:

code:

edit edit: You also shouldn't need to explicitly deny ip any any on the end of your ACL either. Deny ip any any is implicit - although if you want to log denied external access attempts for whatever reason you can add "log" onto the end of deny ip any any to see the details of blocked packets in your device log.

ruro fucked around with this message at 23:43 on Dec 7, 2011

# Dec 7, 2011 23:36

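A worked version of the ordering being discussed above, written here as an added example and not the ACL geera or ruro posted: the denies toward the internal subnets sit above the general web permit, so 80/443 bound for the Internet passes while the same ports toward switches, the SAN and management consoles are dropped before the permit is ever reached. The internal subnets and the 192.168.140.2 gateway come from the thread; the DNS server 192.168.140.10, the SVI address and the ACL name are assumed placeholders.

```cisco
! Constructed example for the guest VLAN 160 ACL, applied inbound on the SVI.
! Assumed placeholders: DNS/DHCP server 192.168.140.10, SVI address 192.168.160.1.
ip access-list extended GUEST-WIFI-IN
 remark -- DHCP: clients broadcast from 0.0.0.0, so source must be "any"
 permit udp any eq bootpc any eq bootps
 remark -- DNS only to the internal resolver (assumed address), nothing else internal
 permit udp 192.168.160.0 0.0.0.255 host 192.168.140.10 eq domain
 remark -- drop everything else aimed at the internal subnets BEFORE the web permit
 remark -- 192.168.140.0 0.0.3.255 covers 140.0 through 143.0 in one line
 deny   ip 192.168.160.0 0.0.0.255 192.168.140.0 0.0.3.255
 deny   ip 192.168.160.0 0.0.0.255 192.168.200.0 0.0.0.255
 remark -- whatever remains has a non-internal destination: allow web only
 remark -- note: matching "host 192.168.140.2" here would never work, the next hop
 remark -- is not the destination IP of Internet traffic, only its gateway
 permit tcp 192.168.160.0 0.0.0.255 any eq www
 permit tcp 192.168.160.0 0.0.0.255 any eq 443
 remark -- implicit deny ip any any follows; ruro's logging variant, if wanted:
 deny   ip any any log
!
interface Vlan160
 description Guest wireless
 ip address 192.168.160.1 255.255.255.0
 ip helper-address 192.168.140.10
 ip access-group GUEST-WIFI-IN in
```

If more internal ranges appear later, a single `deny ip 192.168.160.0 0.0.0.255 192.168.0.0 0.0.255.255` placed after the DNS permit covers the whole 192.168.0.0/16 space rather than listing each subnet.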
jwh posted:
> mpls wan is expensive though compared to commodity broadband.

But on the up side the MPLS WAN usually comes with an SLA (with penalties) worth a drat.

# Dec 7, 2011 23:55

ragzilla posted:
> But on the up side the MPLS WAN usually comes with an SLA (with penalties) worth a drat.

Also true.

# Dec 8, 2011 17:19

ruro posted:
> helpful words

# Dec 8, 2011 21:44

I'm having an issue with ASA version 8.4(2). I'm not sure if it's an issue with how I configured it or some change since the previous versions. I currently have 7 other firewalls running in the same fashion but with 8.0(4). I have a switch connecting my ASA to a NetScaler. The ASA has one interface for the egress network and one that goes to the NetScaler network. For some reason I'm unable to reach any IP on the NetScaler unless I initiate the connection from the NetScaler. So basically it doesn't seem like it's able to connect to directly connected networks without statically assigning the ARP entries. Has anyone seen anything like this before, or can anyone give me some idea of why it might be happening? The latest versions of ASA changed quite a bit so I'm wondering if that might be the reason, since everything about the environment is basically the same.

# Dec 13, 2011 00:21

I have a Juniper-related networking question, but it might fall under the category of general network config anyway. I currently have an SSG320M HA cluster protecting our datacenter network in Las Vegas. We are doing a network redesign and we're looking for the best way to bake in switch resiliency as well as firewall resiliency in the case of an outage. Our firewalls are currently in an HA pair that can fail over based on hardware failure or an internet outage, but can't fail over if an internal switch fails. We only have 2 internal switches, with all of our hosts dual-homed into both switches. I have been looking into ScreenOS technologies to help us accomplish this, but I haven't found any that seem to work for what we want to accomplish. Our current plan has us using a bgroup on both firewalls, and simply leaving one of the cables disconnected to avoid making a loop. Obviously this doesn't create full redundancy, and since this datacenter is 6 hours away, the solution doesn't really work. After reading the ScreenOS High Availability guide, it looks like bgroups are a supported way to get redundancy for one firewall, but not for two. We also don't want a switch failure to also require a firewall failover, if we can prevent it, which is why we want both firewalls plugged into both switches. Is there an option or configuration that we're missing? Rough diagram of what I'm talking about attached.

# Dec 13, 2011 00:33

ElCondemn posted:
> I'm having an issue with ASA version 8.4(2), I'm not sure if it's an issue with how I configured it or some change since the previous versions. I currently have 7 other firewalls running in the same fashion but with 8.0(4).

Is there NAT in play or differing security levels? NAT was the major change between those two code trains. Also try running it through packet-tracer and check the output difference between the two.

# Dec 13, 2011 00:33

jbusbysack posted:
> Is there NAT in play or differing security levels? NAT was the major change between those two code trains. Also try running it through packet-tracer and check the output difference between the two.

Sounds like a NAT issue I had on the FWSM. Check your xlate table, then clear it (not during production hours). The issue I had was that the translate was happening on the wrong interfaces... it ended up being a bug in the software.

# Dec 13, 2011 01:06

jbusbysack posted:
> Is there NAT in play or differing security levels? NAT was the major change between those two code trains. Also try running it through packet-tracer and check the output difference between the two.

I did configure the NAT between the two interfaces. After reading some release notes I tried it with proxy-arp disabled as well as with route lookup enabled, which is apparently what the previous versions defaulted to, but I had no luck getting that working. The first thing I did was check my log and run the packet tracer; everything seemed to be working fine but the traffic never seemed to reach the NetScaler. It's possible that the issue is with the NetScaler so I opened up a case with them, but it's running the same configuration I've run several times before with no issue. So I'm leaning towards the ASA being the issue, since it's the only difference in this environment. For now adding static ARP entries is working but it's odd that I have to do this.

edit: The xlate table seems fine to me, I'm not seeing anything that could be translating to the wrong interface:

code:

ElCondemn fucked around with this message at 01:18 on Dec 13, 2011

# Dec 13, 2011 01:12

Open a TAC case as well. You may have hit a bug of some sort. Also, we haven't moved to 8.4 because of the NAT changes. Would definitely be interested in hearing any stories on it. We tried once and failed miserably and had to roll back. We're planning to go at it again in January.

# Dec 13, 2011 01:25

CaptainGimpy posted:
> Open a TAC case as well. You may have hit a bug of some sort.

Yeah, I'm thinking it's a bug as well; going to open a case with TAC as soon as I get the support contract straightened out. Luckily I have a workaround for now. So far I am liking the NAT changes, but it is different enough that I'm not sure if I'm doing something wrong or if I'm running into bugs.

# Dec 13, 2011 01:50

madsushi posted:
> I have a Juniper-related networking question, but it might fall under the category of general network config anyway.

If a switch fails, wouldn't that be a link failure? I know in an ASA you can monitor specific interfaces and fail over if the link fails. I assume you can do the same on a Juniper.

# Dec 13, 2011 04:13

Powercrazy posted:
> If a switch fails, wouldn't that be a link failure? I know in an ASA you can monitor specific interfaces and failover if the link fails. I assume you can do the same on a juniper.

Primary/backup interfaces could work, but only if the switch fails in a link-down state. If it's a misconfiguration or some sort of outage that doesn't cause link-down, then the Juniper doesn't know to switch over to the other link. My bgroup (bridge-group) design gets around this because both interfaces are active, but I can't figure out how to get both firewalls into a bgroup config without creating a loop. We had an issue with a NAP tech misconfiguring a switch and don't want to have a repeat of that outage.

# Dec 13, 2011 04:39

CaptainGimpy posted:
> Open a TAC case as well. You may have hit a bug of some sort.

I think the 8.3+ real IP NAT makes more sense once you get used to it, but be prepared to do a lot of troubleshooting and a lot of slamming your head against the wall. Also remember the RAM requirements are different between 8.2 and 8.3+ (512MB vs 2GB, I think).

# Dec 13, 2011 08:59

madsushi posted:
> Primary/backup interfaces could work, but only if the switch fails in a link-down state. If it's a misconfiguration or some sort out of outage that doesn't cause link-down, then the Juniper doesn't know to switch over to the other link. My bgroup (bridge-group) design gets around this because both interfaces are active, but I can't figure out how to get both firewalls into a bgroup config without creating a loop. We had an issue with a NAP tech misconfiguring a switch and don't want to have a repeat of that outage.

The other option you have is to change to routed interfaces and run some kind of routing protocol. But that would require a pretty drastic redesign.

# Dec 13, 2011 16:02

ElCondemn posted:
> Yea I'm thinking it's a bug as well, going to open a case with TAC as soon as I get the support contract straightened out. Luckily I have a work around for now.

Can you post debug arp output? Probably a capture on the netscaler and "other" interface as well.

# Dec 13, 2011 20:42

My friend's workplace is trying to put a VPN in place, so that a few users can connect to a fileshare from home. They have a UC-540, but I don't really know much about Cisco to give him an answer to this. The office has a DSL connection which has a static IP. They had a contractor in there who initially set up the router, but he said that VPN (and port forwarding for some reason...) won't work on the UC-540 unless you also tell the router what the IP address and the gateway are (keep in mind that they are PPPoE, and it's auto-assigned and never changes). Basically, the contractor is saying that, on top of the PPPoE login, you also have to enter the IP/gateway info into the router or else VPN and port forwarding will not work. (Note that they want to use the Cisco VPN client.) He said the contractor mumbled something about self-signed certificates and such, and while I can sort of understand why this might impede VPN functionality, I can't see where this would matter for port forwarding? My question is, is this contractor an idiot/BS'ing him/actually telling the truth?

DBMaster fucked around with this message at 21:38 on Dec 13, 2011

# Dec 13, 2011 21:31

Has anyone gotten nmap to work in Windows 7? I don't have my *bsd or *nix VM right now and I'd really like to do some scanning. Alternatively, is there an equivalent tool?

# Dec 13, 2011 21:38

In Cisco Call Manager 8.5 (not Express), is there any way possible to have an intercom line auto-answer to the speakerphone without being muted? I know the functionality exists in Express, but I can't find the option anywhere in Call Manager.

# Dec 13, 2011 21:39

Tremblay posted:
> Can you post debug arp output?

The ARP request seems to be going to the correct interface; if that's right it might not be a problem with the ASA. I'm going to see if I can SPAN from the switch and capture from the NetScaler later today. I found someone with a similar problem. https://supportforums.cisco.com/thread/2114123

# Dec 13, 2011 22:16

ElCondemn posted:
> The arp request seems to be going to the correct interface, if that's right it might not be a problem with the ASA.

Yeah, want to make sure that ASA is actually ARPing for the next hop correctly. If it can't resolve the next hop for some reason then the traffic gets black-holed. Might want to double check your route table and make sure that matches up as well.

# Dec 13, 2011 23:09

Tremblay posted:
> Yeah want to make sure that ASA is actually ARPing for the next hop correctly. If it can't resolve the next hop for some reason then the traffic gets black holed. Might want to double check your route table and make sure that matches up as well.

Do I need a next hop for a directly connected network? My tcpdump on the NetScaler isn't showing the ARP; I'm going to have to go down to our datacenter to do a SPAN on the switch.

# Dec 13, 2011 23:20

ElCondemn posted:
> Do I need a next hop for a directly connected network? My tcpdump on the netscaler isn't showing the ARP, I'm going to have to go down to our datacenter to do a SPAN on the switch.

If it's a directly connected network, no.

# Dec 14, 2011 00:12

Tremblay posted:
> If it's a directly connected network, no.

Yeah, that's the issue I'm having. I shouldn't be having issues with sending ARP on the firewall for a directly connected network.

# Dec 14, 2011 03:31

Powercrazy posted:
> Has anyone gotten nmap to work in Windows 7? I don't have my *bsd or *nix VM right now and I'd really like to do some scanning.

# Dec 14, 2011 04:21

Dang. It is fubar'd on my laptop right now. Keeps complaining about not having a route to the network, even though I know it does. When I did a Google search for the problem, it seems that it is a known issue with *bsd implementations, which I assume has been ported over to Windows. Oh well, guess I'll wait until I can get my VM spun up.

# Dec 14, 2011 16:31