gooby pls posted:In UCS training at Cisco this week. Our teacher has SEVEN CCIEs. Just...how. What's their name? I may know their daughter.
# ? Feb 5, 2016 01:07 |
|
psydude posted:What's their name? I may know their daughter. Mike C. out of Maryland. Teaches for firefly.
|
# ? Feb 5, 2016 01:12 |
|
falz posted:Counterpoint: RANCID diffs are extremely chatty and filled with revision changes of botnet and av database updates. It seems that whatever command spits out your config always includes that versioning too. Lame. You can edit your RANCID modules to filter out a lot of the chatty poo poo, I end up with slightly custom modules for most devices.
|
# ? Feb 5, 2016 01:21 |
|
madsushi posted:You can edit your RANCID modules to filter out a lot of the chatty poo poo, I end up with slightly custom modules for most devices. Yeah, but retaining special patches to reapply after updating packages sucks. But usually necessary. RANCID 3 did do a nice job of letting one specify modules which helps in many cases, just not this one.
|
# ? Feb 5, 2016 01:27 |
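The RANCID discussion above is about stripping version-churn lines (AV and botnet database revisions) out of a pulled config so the diff only shows operator changes. The following is an added example, not RANCID's own filter code; it does the same thing stand-alone in Python on two constructed configs, and the noise patterns and sample lines are assumptions rather than any real device's output:

```python
"""Filter version-churn lines out of device configs before diffing them.

Added example (not RANCID's own code). RANCID's real filters live in its
per-vendor modules; this stand-alone version shows the same idea: drop
lines that change on every poll (signature/AV database revisions) so the
diff only shows real configuration changes.
"""
import difflib
import re

# Patterns for lines that churn without any operator change. These are
# constructed for the example; a real device's noisy lines will differ.
NOISE_PATTERNS = [
    re.compile(r"^\s*(av|antivirus)[- ]?(db|database)\s+(version|revision)\b", re.I),
    re.compile(r"^\s*botnet[- ]?(db|database)\s+(version|revision)\b", re.I),
    re.compile(r"^\s*!?\s*(Last configuration change|NVRAM config last updated)", re.I),
]


def filter_noise(config_text):
    """Return the config lines with churn lines removed."""
    return [line for line in config_text.splitlines()
            if not any(p.search(line) for p in NOISE_PATTERNS)]


def config_diff(old, new):
    """Unified diff of two configs after noise filtering (empty if identical)."""
    return list(difflib.unified_diff(filter_noise(old), filter_noise(new),
                                     fromfile="old", tofile="new",
                                     lineterm="", n=0))


# Constructed sample configs: only the added access-list line is a real change.
OLD = """\
hostname edge-fw
av-database version 2016.02.04.1
botnet-database revision 44112
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
"""
NEW = """\
hostname edge-fw
av-database version 2016.02.05.3
botnet-database revision 44190
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 22
"""

if __name__ == "__main__":
    # Only the new "eq 22" rule shows up; the two version bumps are filtered out.
    print("\n".join(config_diff(OLD, NEW)))
```

Keeping the patterns in one list (rather than patching the collector) is the point: the filter survives a package upgrade untouched, which is the maintenance pain the thread complains about.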
|
gooby pls posted:Mike C. out of Maryland. Teaches for firefly. Yep. His daughter is but a mere single CCIE holder.
|
# ? Feb 5, 2016 02:20 |
|
falz posted:Counterpoint: RANCID diffs are extremely chatty and filled with revision changes of botnet and av database updates. It seems that whatever command spits out your config always includes that versioning too. Lame. I didn't even use RANCID for this, I just made sure I downloaded a copy of the config from the UI before I made any changes. Low tech but saved my rear end at least twice.
|
# ? Feb 5, 2016 04:13 |
|
gooby pls posted:In UCS training at Cisco this week. Our teacher has SEVEN CCIEs. Just...how. It becomes a bit of a game at that point since as soon as a new path is released a few people rush to be the first x time ccie. I work with a few multiple ccies and while they definitely know their stuff and are supremely intelligent, they likely won't use all of their certs in work, at least for what we do. Not in any way dissing the accomplishments.
|
# ? Feb 6, 2016 14:57 |
|
You would have to spend a great amount of your time recertifying for all of those, I would imagine that would be a part of each day, forever. I don't see the benefit for the person outside of getting a higher paycheck because their org can say they have X ccie certs on staff.
|
# ? Feb 6, 2016 18:24 |
|
falz posted:You would have to spend a great amount of your time recertifying for all of those, I would imagine that would be a part of each day, forever. If you're the kind of person that pursues every CCIE it's likely you really enjoy labbing and studying for them.
|
# ? Feb 6, 2016 18:26 |
|
Right, but is there time to actually do anything but study? I do realize that some people enjoy studying, and if they get paid to study, then that's a win for them I guess.
|
# ? Feb 6, 2016 19:38 |
|
That Ferrari isn't going to buy itself, you know.
|
# ? Feb 6, 2016 19:44 |
|
falz posted:You would have to spend a great amount of your time recertifying for all of those, I would imagine that would be a part of each day, forever. If you re-certify for one it'll go ahead and re-up them all. The recertification process is basically "go pass any CCIE written exam" so as long as you stay current on at least 1 technology you can maintain all of them. The only time you have to re-take a lab is when you let one expire.
|
# ? Feb 6, 2016 20:37 |
|
DoD deployments: 10% engineering, 90% managing red-tape.
|
# ? Feb 10, 2016 15:38 |
|
1000101 posted:If you re-certify for one it'll go ahead and re-up them all. The recertification process is basically "go pass any CCIE written exam" so as long as you stay current on at least 1 technology you can maintain all of them. The only time you have to re-take a lab is when you let one expire. Yeah, there are a lot of people inside of Cisco at least who have more than one and are trying for a new one every few years. As long as you can pass the written for the one you're trying for, it recerts you for everything you already have and you don't have to worry about it. This also applies to lower certs like CCNA and CCNP - you can refresh them by passing the CCIE written, not that anyone cares too much about those earlier certs once you manage to pass the lab as well. Eletriarnation fucked around with this message at 16:55 on Feb 10, 2016 |
# ? Feb 10, 2016 16:52 |
|
On a Cisco ASA, is there a way to set up the AnyConnect VPN profile to let users toggle "split tunnel" on and off themselves? I'm more familiar with OpenVPN, where this is possible on the client side, but I cannot find anything similar for ASA/AnyConnect. The best I can come up with is creating two profiles, one with it on and one with it off, and having users pick at login. Which works, but will generate a bunch of tickets about "HALP A NEW CHOICE APPEARED WAT DO?" Split tunnel is what I want for the vast bulk of our users. I don't want them streaming Spotify or whatever through the VPN. There's just a few special snowflakes that need full tunneling enabled from time to time who I need to accommodate as painlessly as possible.
|
# ? Feb 10, 2016 19:46 |
|
Docjowles posted:On a Cisco ASA, is there a way to set up the AnyConnect VPN profile to let users toggle "split tunnel" on and off themselves? I'm more familiar with OpenVPN, where this is possible on the client side, but I cannot find anything similar for ASA/AnyConnect. The best I can come up with is creating two profiles, one with it on and one with it off, and having users pick at login. Which works, but will generate a bunch of tickets about "HALP A NEW CHOICE APPEARED WAT DO?" The best way to do this is to create two group policies, one with split tunnel and one without, create a full-tunneling security group in active directory and then query that attribute when they log in to determine which group policy to apply. You can also use this to provide different address pools and other things to further differentiate between user groups. Here's some reading on it: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html e: I see that you want it as a "sometimes" thing. I don't know if there's a way to do that. Your best option is probably to configure two different profiles, name one "USE THIS, ASSHOLES" or something idiot-proof, and tell those people who need the full tunneling to select the second option when they need it. psydude fucked around with this message at 20:04 on Feb 10, 2016 |
# ? Feb 10, 2016 19:54 |
|
e; better answer^
|
# ? Feb 10, 2016 19:57 |
|
Also, happy Wednesday! Now everyone get ready to patch your ASAs.
|
# ? Feb 10, 2016 20:16 |
|
psydude posted:The best way to do this is to create two group policies, one with split tunnel and one without, create a full-tunneling security group in active directory and then query that attribute when they log in to determine which group policy to apply. You can also use this to provide different address pools and other things to further differentiate between user groups. Thanks, the group policy thing is probably what I will end up doing. Exactly because no matter how clearly I label the different profiles, someone will still get confused. Is this document up to date? Seems to indicate that group membership doesn't work well, because a user is going to belong to multiple groups and that confuses the ASA. But I can stick it in some other field we don't currently use, which is fine. psydude posted:Also, happy Wednesday! Now everyone get ready to patch your ASAs. are-you-loving-kidding.jpg
|
# ? Feb 10, 2016 20:21 |
|
More details: https://blog.exodusintel.com/2016/01/26/firewall-hacking/ Literally just decomm'd my last 5585-X last week.
|
# ? Feb 10, 2016 20:48 |
|
psydude posted:Also, happy Wednesday! Now everyone get ready to patch your ASAs. gently caress yeah, I can plan a bunch of stuff for the total outage this will require.
|
# ? Feb 10, 2016 21:30 |
|
psydude posted:Also, happy Wednesday! Now everyone get ready to patch your ASAs. Does this mean anyone on the Internet can send these UDP packets to the firewall or do the packets need to come from already-established site-to-site VPN sessions?
|
# ? Feb 10, 2016 22:52 |
|
Bluecobra posted:
Not sure, but even so it wouldn't be hard to do some reconnaissance on what the potential peers may be and then spoof the address of the packets.
|
# ? Feb 11, 2016 01:12 |
|
If you use radius you can easily make a web portal with a big ol' toggle to manage group memberships at least. You could probably also use dns or hostnames to manage where people hit a concentrator or something, we used to do that but it was multiple appliances on the end of that arrangement.
|
# ? Feb 11, 2016 02:20 |
|
Slickdrac posted:gently caress yeah, I can plan a bunch of stuff for the total outage this will require. I dunno how long it takes your ASA to reload, but mine come back up in a matter of minutes.
|
# ? Feb 11, 2016 17:55 |
|
Richard Noggin posted:I dunno how long it takes your ASA to reload, but mine come back up in a matter of minutes. Ours are so out of date, they have to do the two step update. So I'm claiming 5 minutes per reboot, plus 10 minutes to upload 2nd IOS between them for the outage notification. I can do a lot in a 20 minute window.
|
# ? Feb 11, 2016 18:20 |
|
Hi I'm back with today's edition of "lol wtf is this giant ASA config I've inherited doing?" I found that from a remote location, I could not ping anything behind the ASA. I could SSH/RDP/etc to everything, and even ping the inside interface, but explicitly NOT ping the servers attached to it. There's a global "permit icmp any any" rule and nothing more specific that would override it. ICMP inspection was enabled in the default inspection policy. Finally, after trying everything else I could think of, I turned OFF ICMP inspection. Pings immediately began to work. This is like 100% contrary to everything I've ever read about enabling pings to pass the ASA. Why did this happen? There is a second service policy besides the default, which turns on tcp-state-bypass. Is this setting conflicting with the inspect icmp setting? If I leave inspect icmp off, is that going to cause problems elsewhere? Here are the relevant config sections, before I disabled inspect icmp: code:
|
# ? Feb 11, 2016 20:49 |
|
Docjowles posted:Hi I'm back with today's edition of "lol wtf is this giant ASA config I've inherited doing?" If you have tcp-state-bypass enabled, some traffic is likely routing asymmetrically (so it travels out through the firewall, but the return traffic is direct behind the firewall, or in this case likely vice versa). If ICMP inspect was blocking pings in a situation like this I'd go capture the outside interface to ensure the pings are returning to verify the return pings are being blocked by inspection.
|
# ? Feb 11, 2016 21:23 |
|
If you re-enable ICMP inspection and do a packet trace, where is it dropped? If you then remove the icmp ACL (leaving inspection on), what happens?
|
# ? Feb 11, 2016 21:26 |
|
I opened a case with TAC on CVE-2016-1287 and they claim that only existing VPN peers can send the malicious traffic. Take that with a grain of salt as I don't think they understand my question. Someone came up with a control plane ACL to whitelist VPN peers that can help you buy some time before you upgrade your ASA: http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation
|
# ? Feb 12, 2016 16:14 |
|
Bluecobra posted:I opened a case with TAC on CVE-2016-1287 and they claim that only existing VPN peers can send the malicious traffic. I wouldn't trust this, just upgrade your god drat ASAs.
|
# ? Feb 12, 2016 16:21 |
|
DeNofa posted:I wouldn't trust this, just upgrade your god drat ASAs. People I work with don't believe in updates/patches. I am sure there are other people out there just like this.
|
# ? Feb 12, 2016 17:06 |
|
Moey posted:People I work with don't believe in updates/patches. I am sure there are other people out there just like this. Anyone who doesn't believe updates or patches when they involve a RCE (Remote Code Exploit) should be removed from their place of work. I can get behind not upgrading because of some odd vulnerability in a protocol you don't use.
|
# ? Feb 12, 2016 17:53 |
|
I just finished upgrading every drat ASA in our environment. Ran into one significant issue: if you're using identity NATs you need to disable proxy-arp. It can/does cause your firewall to seemingly lose all its ARP entries. This should only be an issue for people upgrading from below 8.4 but I had several that were on 8.4(2) that didn't have a problem before the upgrade to 9.1(7). Specifically in our environment we have a DMZ network with our load balancers in them. My load balancers and firewalls could ping each other, but none of the virtual servers were reachable until I disabled proxy-arp. This did not affect normal translations.
|
# ? Feb 12, 2016 18:49 |
|
I've got three ASAs to update on Tuesday, and I'll be doing all our other firewalls that don't run IKE later in the same week. poo poo sucks, of course it happens before my project to re-do our ipsec topology removes the need for them.
|
# ? Feb 13, 2016 02:13 |
|
abigserve posted:I've got three ASAs to update on Tuesday, and I'll be doing all our other firewalls that don't run IKE later in the same week. poo poo sucks, of course it happens before my project to re-do our ipsec topology removes the need for them. As I've posted before, I work for a company that hosts, let's say, a 'fuckton' of ASAs. Many of them are pre-8.3 code. All of them need to be updated. The first batch update is tonight. My night off. I feel like I just became the lead character in the Cisco version of Final Destination. Like the updates are going to find me.
|
# ? Feb 13, 2016 02:47 |
|
Thanks all for the ASA troubleshooting suggestions. I'll dig into it next week as time allows and post if I find anything useful. The immediate problem is resolved so at this point it's more for my own education. I'm a Linux admin who understands networking well enough conceptually, but not the specific nuances of ASAs, so I appreciate the pointers. We do have asymmetric routing in/out of this facility. Doing a traceroute out, the first couple hops are not the same as the last couple hops coming in from the other end. So I assume that's why the tcp-state-bypass line exists. The upstream devices are controlled by our parent company and I have no visibility into their config, which made troubleshooting this even more horrible. They verified nothing on their end is stopping ICMP from passing but that's it. edit: I don't have the exact log line handy, but what led me to disable ICMP inspection was lines something like "Denied ICMP type=11, from laddr <remote host> on interface <outside> to <internal host>: no matching session" Docjowles fucked around with this message at 03:15 on Feb 13, 2016 |
# ? Feb 13, 2016 03:11 |
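The "no matching session" ICMP denials quoted above are what ICMP inspection logs when it sees an ICMP reply or error for which it never saw the outbound request, which is exactly what an asymmetric path looks like from the ASA's point of view. The following is an added example, not from the thread or from Cisco: a small parser over constructed log lines in the quoted format that decodes the ICMP type and counts, per interface, how many of the drops were reply-only types (echo-reply, destination-unreachable, time-exceeded). The field names and the sample lines are assumptions.

```python
"""Summarise ASA 'Denied ICMP ... no matching session' syslog lines.

Added example, not from the thread. It reads the message format the poster
quoted, decodes the ICMP type, and groups drops per interface so you can see
whether inspection is discarding *reply* traffic it never saw a request for,
which is the signature of an asymmetric path.
"""
import re
from collections import Counter

# Matches the format quoted in the thread; the named groups are assumptions.
DENIED_RE = re.compile(
    r"Denied ICMP type=(?P<type>\d+), from laddr (?P<src>\S+) on interface "
    r"(?P<iface>\S+) to (?P<dst>\S+): no matching session"
)

# ICMP types that only ever arrive as answers to something already sent.
REPLY_TYPES = {0: "echo-reply", 3: "dest-unreachable", 11: "time-exceeded"}


def parse_denials(log_text):
    """Yield one dict per 'no matching session' ICMP denial in the text."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield {"type": int(m["type"]), "src": m["src"],
                   "iface": m["iface"], "dst": m["dst"]}


def summarise(log_text):
    """Count denials per (interface, ICMP type name); total the reply-only drops."""
    counts = Counter()
    for d in parse_denials(log_text):
        name = REPLY_TYPES.get(d["type"], f"type-{d['type']}")
        counts[(d["iface"], name)] += 1
    reply_drops = sum(n for (_, name), n in counts.items()
                      if name in REPLY_TYPES.values())
    return {"per_interface_type": dict(counts), "reply_drops": reply_drops}


# Constructed sample log lines in the thread's quoted format (RFC 5737 addresses).
SAMPLE_LOG = """\
Feb 11 2016 20:30:01 edge-fw: Denied ICMP type=0, from laddr 203.0.113.7 on interface outside to 10.20.0.15: no matching session
Feb 11 2016 20:30:02 edge-fw: Denied ICMP type=11, from laddr 198.51.100.1 on interface outside to 10.20.0.15: no matching session
Feb 11 2016 20:30:02 edge-fw: Denied ICMP type=0, from laddr 203.0.113.7 on interface outside to 10.20.0.15: no matching session
Feb 11 2016 20:30:05 edge-fw: Denied ICMP type=8, from laddr 203.0.113.9 on interface dmz to 10.20.0.40: no matching session
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for (iface, name), n in sorted(s["per_interface_type"].items()):
        print(f"{iface:8} {name:18} {n}")
    print("reply-only drops (asymmetric-path suspects):", s["reply_drops"])
```

A high count of echo-reply and time-exceeded drops on the outside interface, with no matching echo-request denials, points at return traffic taking a path inspection never saw, which is the capture the earlier reply suggests taking before turning inspection off for good.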
|
I am fairly certain that the issue applies even if you don't have any sort of IPSec VPN configured on the ASA as the advisory on Cisco's website does not list any workarounds (like disabling ISAKMP): https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike I upgraded three ASAs from pre-8.3 to 9.1(7) on the fly today for different clients. The first wave of mass upgrades starts tonight. Much like Jedi425, we have a "fuckton" of these things deployed, with a pretty diverse spread of code versions. Fun times. Antillie fucked around with this message at 05:58 on Feb 13, 2016 |
# ? Feb 13, 2016 05:48 |
|
Antillie posted:I am fairly certain that the issue applies even you don't have any sort of IPSec VPN configured on the ASA as the advisory on Cisco's website does not list any workarounds (like disabling ISAKMP): https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike Yeah the way it was told to me was: "Do a 'sh run | i crypto-map', did you get output? If so, you're hosed."
|
# ? Feb 13, 2016 06:12 |
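Two things in this thread lend themselves to a script: the "is a crypto map bound to an interface?" exposure check just quoted, and the stop-gap from the earlier post of a control-plane ACL that only lets known VPN peers reach IKE while the upgrade is scheduled. The following is an added example, not from the thread, Cisco, or the linked blog; it runs over a constructed running-config excerpt. The ASA ACL and access-group syntax it emits is written from memory and should be treated as an assumption to check against the ASA command reference before anything is pasted into a device.

```python
"""Check an ASA running-config for IKE exposure and draft a peer allowlist.

Added example, not from the thread or from Cisco. It automates two checks:
  1. is a crypto map bound to an interface, or IKE enabled on one?
  2. which peers are configured, so only they need to reach UDP/500 and 4500?
It then drafts a control-plane ACL. The ACL syntax is an assumption to verify.
"""
import ipaddress
import re

CRYPTO_MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)
SET_PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (.+)$", re.M)
IKE_ENABLE_RE = re.compile(r"^crypto ikev[12] enable (\S+)", re.M)


def ike_exposed_interfaces(running_config):
    """Interfaces with a crypto map bound or IKE enabled (empty => not exposed)."""
    ifaces = {m.group(2) for m in CRYPTO_MAP_IF_RE.finditer(running_config)}
    ifaces |= {m.group(1) for m in IKE_ENABLE_RE.finditer(running_config)}
    return sorted(ifaces)


def configured_peers(running_config):
    """Peer addresses from 'set peer' lines, validated as IP literals."""
    peers = set()
    for m in SET_PEER_RE.finditer(running_config):
        for token in m.group(2).split():
            try:
                peers.add(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # FQDN peers must be resolved out of band and added by hand
    return sorted(peers, key=ipaddress.ip_address)


def control_plane_acl(running_config, acl_name="CP-IKE-ALLOW"):
    """Draft ACL: permit IKE/NAT-T only from known peers, keep other to-the-box traffic."""
    ifaces = ike_exposed_interfaces(running_config)
    if not ifaces:
        return []
    lines = []
    for peer in configured_peers(running_config):
        for port in (500, 4500):
            lines.append(f"access-list {acl_name} extended permit udp host {peer} any eq {port}")
    for port in (500, 4500):
        lines.append(f"access-list {acl_name} extended deny udp any any eq {port}")
    # A control-plane ACL ends in an implicit deny; without this line SSH,
    # AnyConnect and everything else aimed at the box would be dropped too.
    lines.append(f"access-list {acl_name} extended permit ip any any")
    for iface in ifaces:
        lines.append(f"access-group {acl_name} in interface {iface} control-plane")
    return lines


# Constructed running-config excerpt (RFC 5737 addresses, hypothetical names).
SAMPLE_CONFIG = """\
hostname edge-fw
crypto ikev1 enable outside
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20 hq-backup.example.net
crypto map OUTSIDE_MAP interface outside
"""

if __name__ == "__main__":
    print("IKE exposed on:", ike_exposed_interfaces(SAMPLE_CONFIG) or "nothing")
    print("\n".join(control_plane_acl(SAMPLE_CONFIG)))
```

The draft is deliberately a stop-gap: it narrows who can reach IKE to the peers already in the config, which is the same assumption TAC made, and it does nothing for a peer address that is spoofed or for an FQDN peer the script skips. The upgrade is still the fix.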
|
|
Enjoy upgrading ram and flash on most of those so you can upgrade.
|
# ? Feb 13, 2016 15:44 |