Kenfoldsfive posted:My understanding of it is APs in normal mode will detect rogues with no access protection (wep/wpa/etc), connect to them, and then try to ping the WLC to determine if it's a wired rogue. An AP in rogue detector mode will turn its radios off and sniff ARP traffic on the LAN, which it correlates with detected AP MACs - if a MAC appears on both a rogue AP and in an ARP request, you've got a rogue on the LAN. The WLC can have switches added via snmp communities and search your infrastructure for the offending device. You won't need a device turned off in rogue detection to find a rogue on the wire when setup this way.
Jun 26, 2012 18:19

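The correlation Kenfoldsfive describes (rogue BSSIDs reported over the air, matched against MACs seen in ARP requests on the wire by a rogue-detector AP) can be shown as a small offline script. This is an added example, not code from the thread or from Cisco's WLC; the rogue list, the ARP log lines and their format are constructed for the example. It goes one step beyond the post by also flagging a wired MAC that differs from a BSSID only in the last octet as a "near" match, which is an assumption here, not something the post states:

```python
import re
from collections import defaultdict

# Constructed sample: open APs that client-serving APs reported as rogue, keyed by BSSID.
ROGUE_APS = {
    "00:11:22:33:44:55": {"ssid": "FreeWifi", "channel": 6},
    "66:77:88:99:AA:BB": {"ssid": "CoffeeNet", "channel": 11},
    "DE:AD:BE:EF:00:10": {"ssid": "HomeNet", "channel": 1},
}

# Constructed sample of ARP requests a rogue-detector AP (radios off, wired port only)
# might see. The line format is invented for this example.
ARP_LOG = """\
12:00:01 arp who-has 192.168.5.10 tell 192.168.5.1 sender-mac 00-11-22-33-44-55
12:00:02 arp who-has 192.168.5.20 tell 192.168.5.9 sender-mac aa:bb:cc:dd:ee:ff
12:00:03 arp who-has 192.168.5.30 tell 192.168.5.1 sender-mac de:ad:be:ef:00:12
12:00:04 arp who-has 192.168.5.11 tell 192.168.5.1 sender-mac 00:11:22:33:44:55
"""

MAC_RE = re.compile(r"sender-mac\s+([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})")


def normalize_mac(mac):
    """Canonical form so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    return mac.replace("-", ":").upper()


def parse_wired_macs(log):
    """Map every sender MAC seen in ARP requests to the log lines that carried it."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = MAC_RE.search(line)
        if m:
            seen[normalize_mac(m.group(1))].append(line)
    return seen


def last_octet_distance(mac_a, mac_b):
    """0 if identical, the last-octet difference if only that octet differs, else None."""
    a = normalize_mac(mac_a).split(":")
    b = normalize_mac(mac_b).split(":")
    if a[:5] != b[:5]:
        return None
    return abs(int(a[5], 16) - int(b[5], 16))


def correlate(rogue_aps, wired, near=4):
    """Return {bssid: {"match": "exact"|"near", "wired_mac": ..., "evidence": [...]}}.

    "exact" is the check the post describes; "near" (last octet within `near`) is an
    assumption added here, so treat it as a lead to verify rather than a confirmed rogue.
    """
    findings = {}
    for bssid in rogue_aps:
        for wmac, lines in wired.items():
            d = last_octet_distance(bssid, wmac)
            if d is None or d > near:
                continue
            kind = "exact" if d == 0 else "near"
            prev = findings.get(bssid)
            if prev is None or (prev["match"] == "near" and kind == "exact"):
                findings[bssid] = {"match": kind, "wired_mac": wmac, "evidence": lines}
    return findings


if __name__ == "__main__":
    wired = parse_wired_macs(ARP_LOG)
    for bssid, f in correlate(ROGUE_APS, wired).items():
        print(f"{bssid} ({ROGUE_APS[bssid]['ssid']}): {f['match']} match with "
              f"{f['wired_mac']}, {len(f['evidence'])} ARP line(s)")
```

With the constructed data, FreeWifi is an exact match seen twice on the wire, HomeNet is a near match (00:10 vs 00:12) worth a look, and CoffeeNet never appears in wired ARP, so it is an over-the-air rogue only.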
Strange question - are there any changes we should make to our Cisco ASA 5510 to make it more Mac OS X Lion friendly, or WiMax compatible? We have one remote user that suddenly lost VPN access after upgrading to Lion. They only have WiMax Internet at their house. We have other Lion users that connect without issue. I blame his ISP, but they say nothing changed on their end (things just happened to stop working when he upgraded). He connects, nothing works over the connection, then it drops. This is repeated every 20 seconds, for 1 minute (before it drops the connection), in his /var/log/system.log: code:
Again, I blame his ISP. He can use VPN just fine from a Hotel or on Guest WiFi. I spoke with his ISP's tech support over the phone, and they said it was absolutely not them, as other members connect via VPN just fine.
Jun 26, 2012 18:55

Speaking of devices running hot, I have three ASA 5505's on my desk, and I'm pretty sure you could use them as an impromptu cooking surface. I was pretty sure you could fry an egg on the back of a 1130 AP, but I'm positive you could fry an egg on an upside-down 5505.
Jun 26, 2012 19:15

Who turns an asa upside down?
Jun 26, 2012 19:17

Xenomorph posted:Again, I blame his ISP. He can use VPN just fine from a Hotel or on Guest WiFi. I spoke with his ISP's tech support over the phone, and they said it was absolutely not them, as other members connect via VPN just fine. Oh the unending joy of client VPN. I don't have any suggestions, but if you figure it out, please share- I'm very nearly about to be supporting a osx fleet doing client VPN to ASAs.
Jun 26, 2012 19:18

Nitr0 posted:Who turns an asa upside down? I will from now on, when frying eggs.
Jun 26, 2012 19:18

They have these cool things called frying pans now and you don't have to cook your food on your electronics. It's crazy I know but just trust me on this one.
Jun 26, 2012 19:48

Xenomorph posted:Strange question - is there some changes we should make to our Cisco ASA 5510 to make it more Mac OS X Lion friendly, or WiMax compatible? What version of code do you have on the ASA they connect to? And what version of the VPN client? I've noticed issues in different versions of Mac OS that cause random issues for clients like you have. Cisco has pushed some updates for some of those problems.
Jun 26, 2012 19:52

jwh posted:Oh the unending joy of client VPN. SSL VPN....have yet to have an issue. IPSEC on the other hand, we no longer support it. That was a fun battle. Luckily an exec had an issue and he helped us push the change through. To your earlier question about the security levels, in 8.3+ it depends on whether or not you're using global rules, etc. I'll probably use them out of habit for the next few years. I wish Cisco would just deprecate stuff the minute they have a better way of doing things vs. allowing some frankenweenie combination to run (looking at you NAT control).
Jun 26, 2012 20:34

jwh posted:Oh the unending joy of client VPN. Convert the ASA Remote tunnels into L2TP and then let them use the bu... oh wait, cisco ... there's always the SSL VPN... oh wait, osx. But serious answer for xenomorph: check the end user's NAT device to make sure that IPSEC/GRE passthrough is enabled. If the router itself has some kind of VPN function then it's probably not getting NAT'd properly. CrazyLittle fucked around with this message at 20:46 on Jun 26, 2012
Jun 26, 2012 20:42

There's an AnyConnect client for OSX that supports SSL. There was a problem when Lion 10.7 came out, but that's been corrected. They even support Linux.
Jun 26, 2012 20:46

jwh posted:Speaking of devices running hot, I have three ASA 5505's on my desk, and I'm pretty sure you could use them as an impromptu cooking surface. We had an MRV media converter that, when you plugged an SFP+ into it, heated it up to 97C...
Jun 26, 2012 20:57

That's the one thing I find very bizarre about the PIX/ASA Way of Doing Things(TM): interface level policy in combination with global policy. I don't see the advantage over consolidated policy in a firewall platform. On a router platform, sure, I think it can make sense, but when you're leveraging an appliance specifically or filter functionality, I just don't see what per-interface policy buys you. Worst case, do what everybody else does and allow for zone declaration, then leverage zones in your policy base. Optimally I want one access control policy and one NAT policy box-wide (excluding virtual systems or multiple contexts).
Jun 26, 2012 21:06

Langolas posted:What version of code do you have on the ASA they connect to? And what Version of the VPN client? I've noticed issues in different versions of Mac OS that cause random issues for clients like you have. Cisco has pushed some updates to some of those problems Cisco ASA 5510, 256MB RAM ASA Version: 8.2(3) ASDM Version: 6.3(3) I know the device supports AnyConnect, but we don't have a contract with Cisco (so no access to the software). Not to mention I have no idea how to set it up. I doubt anything is wrong with our current configuration. We have another VPN server: L2TP/IPSec that I set up as a backup, and this user has issues with that as well. He said he disconnected his router and went straight from Modem to Mac. Basically, everything points to ISP; which firmly states they've changed nothing on their end and that everyone else uses VPN just fine.
Jun 26, 2012 21:43

8.3 is beginning to fix some of that, but again, they're half assing it which is frustrating. Cisco does some pretty impressive stuff within the datacenter, but things like load balancing, WAN optimization, and end-user security stuff are so far behind it's laughable. For example, the Cisco WAAS devices are just now able to optimize signed SMB/SMBv2. That's been available on the Riverbed platform for years. Also, the reporting in each of their devices sucks. The setup I had for syslog'ing info out of our ASA's was so needlessly complex because of how crappily they handle everything. I just dump everything into Splunk now and search for what I need, but it is sad that is what I had to resort to with the price tag that comes with those things.
Jun 26, 2012 21:55

Xenomorph posted:Cisco ASA 5510, 256MB RAM If he's able to connect by going straight through his modem, it could be his router. Ask him what kind of router he uses at home for the hell of it, it may not be his ISP but rather a conflict from there Edit: And I have gone through what you are going through right now with some of my end users. Apple Routers that use a 10.0.0.0 ip subnet out of the box have caused my users to have all sorts of fun with VPN issues.
Jun 26, 2012 22:51

Simple question perhaps. I'm putting together a small set of cisco kit. I have ICND1 passed and want to go on to ICND2 and CCNP after that. I know there's simulators but working with the actual kit is way more fun. I currently have 2 x 2950 - 24 ports and I'm looking to get 2-3 routers to play about with these. I've been told that 2621XMs would be good to have for going on with the CCNP afterwards and that 2611XMs should do as well. What are 2610s/2620s like (non XM)? The 2621XM and 2611XM don't come around too often on ebay whereas there are always some 2610/2620s. Which routers should I be aiming for ideally? ToG fucked around with this message at 00:54 on Jun 28, 2012
Jun 28, 2012 00:10

jwh posted:Speaking of devices running hot, I have three ASA 5505's on my desk, and I'm pretty sure you could use them as an impromptu cooking surface. Really? I do too but it's not actually being used for anything and it's just slightly above ambient on all sides.
Jun 28, 2012 00:52

Langolas posted:Edit: And I have gone through what you are going through right now with some of my end users. Apple Routers that use a 10.0.0.0 ip subnet out of the box have caused my users to have all sorts of fun with VPN issues. 10.0/16 and 192.168.0/23 are in my blacklist of networks to never use. When setting up IPSEC tunnels on a SRX do you have to consume a tunnel interface to do it? I haven't set one up personally and I have a Juniper SE telling me that the SRX240 can only do 128 IPSEC tunnels because that's the limit on tunnel interfaces. If that's the case I don't see how they are claiming it can do 1,000 IPSEC tunnels in the datasheet.
Jun 28, 2012 05:35

FatCow posted:10.0/16 and 192.168.0/23 are in my blacklist of networks to never use. You can build separate st0 interfaces for each tunnel, or build one and make it a multipoint from my understanding. I only do IPSEC on the MX series, and we use just a single sp interface.
Jun 28, 2012 15:12

I wish Cisco would join the 21st century here and use logical tunnel interfaces to represent, you know, tunnels, on the ASA platform.
Jun 28, 2012 17:47

FatCow posted:10.0/16 and 192.168.0/23 are in my blacklist of networks to never use. Protip: Use 7.0.0.0/8 for your User Facing VPN tunnels. It is an address that is guaranteed not to be in use as it is a public address space that is reserved by the DoD for their own intranet. Also it is easy to remember.
Jun 28, 2012 19:16

Powercrazy posted:Protip: That's simultaneously the best and worst idea I've ever heard.
Jun 28, 2012 19:39

CrazyLittle posted:That's simultaneously the best and worst idea I've ever heard. Thanks It does work well though.
Jun 28, 2012 23:17

jwh posted:I wish Cisco would join the 21st century here and use logical tunnel interfaces to represent, you know, tunnels, on the ASA platform. But show crypto ipsec sa is so easy to read and also
Jun 29, 2012 01:24

abigserve posted:But show crypto ipsec sa is so easy to read and also I want to find a emote animation that's just stabbing itself repeatedly in the eye sockets.
Jun 29, 2012 01:58

Powercrazy posted:Protip:
Jun 29, 2012 12:27

adorai posted:don't do this if you are heavily regulated. We use some dod IP space on our network and every year they make a stupid comment about the FBI showing up because of it. You should have them explain why, then follow up with them over and over until you get some sort of amazing answer. I love that auditors (at least ours) only have been to auditing school that their company provides and don't have actual experience in the field. I love sitting for hours explaining why we have XYZ configuration in place.
Jun 29, 2012 13:36

CaptainGimpy posted:I love that auditors (at least ours) only have been to auditing school that their company provides and don't have actual experience in the field. I love sitting for hours explaining why we have XYZ configuration in place.
Jun 29, 2012 13:45

I am a noob setting up AnyConnect VPN. While talking with TAC last night, they say that my inside interface and my address pool should be separate. Currently my inside interface directly connects into a Checkpoint firewall interface, with that interface as 192.168.5.1/24. My inside is .9, pool is .10-250. They are saying make a new pool in 192.168.6.1/24, make the inside be the .1 and the checkpoint to have an additional IP of .2. Is this true? What's the best practice regarding the inside interface addressing? I am confused.
Jun 29, 2012 13:51

CaptainGimpy posted:You should have them explain why, then follow up with them over and over until you get some sort of amazing answer. Auditors are terrible people that are universally incompetent. Those who can't do, teach. Those who can't teach, manage. Those who can't even manage, audit.
Jun 30, 2012 01:08

Powercrazy posted:Those who can't do, teach. I am debating on printing this poster size for my office.
Jun 30, 2012 21:14

Powercrazy posted:Auditors are terrible people that are universally incompetent. Does that count for the whitehats that are in on assessments as well?
Jun 30, 2012 23:35

Failed CCNA by a hair. Some questions I wasn't 100% on if you guys wouldn't mind taking a stab at them: VTP frames - Unicast or Multicast? Three switches with one link between them. Switch 1 is Root. How do I find which three connections are Designated Ports? The two pointing to the root bridge are Root Ports, correct? IPv6 features - Unicast, Multicast, and Anycast, right? When you're debugging something, to view the output, is it show debug or terminal monitor? Zuhzuhzombie!! fucked around with this message at 21:31 on Jul 2, 2012
Jul 2, 2012 21:06

Zuhzuhzombie!! posted:Three switches with one link between them. Switch 1 is Root. How do I find which three connections are Designated Ports? The two pointing to the root bridge are Root Ports, correct? ... When you're debugging something, to view the output, is it show debug or terminal monitor?
sh span
term mon
Jul 2, 2012 23:41

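To see where the three designated ports in Zuhzuhzombie!!'s triangle come from before checking it against sh span, here is a simplified 802.1D election worked through in code. This is an added example, not from the thread or from any vendor's implementation; the bridge IDs, port names and the cost of 4 per link are constructed, and it ignores timers and the per-port BPDU exchange, computing only the final roles:

```python
import heapq
from collections import defaultdict

# Constructed topology: three switches in a triangle, one link per pair.
# Bridge ID = (priority, MAC); the lowest wins the root election.
BRIDGES = {
    "S1": (32768, "00:00:00:00:00:01"),
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (32768, "00:00:00:00:00:03"),
}

# (bridge, port, bridge, port, path cost). 4 is the 802.1D short-method cost of 1 Gbps.
LINKS = [
    ("S1", "Gi0/1", "S2", "Gi0/1", 4),
    ("S1", "Gi0/2", "S3", "Gi0/1", 4),
    ("S2", "Gi0/2", "S3", "Gi0/2", 4),
]


def elect_root(bridges):
    """Root bridge: lowest (priority, MAC)."""
    return min(bridges, key=lambda b: bridges[b])


def root_path_costs(bridges, links, root):
    """Cheapest cost from every bridge to the root (Dijkstra over link costs)."""
    adj = defaultdict(list)
    for a, _, b, _, c in links:
        adj[a].append((b, c))
        adj[b].append((a, c))
    cost = {b: float("inf") for b in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c in adj[u]:
            if d + c < cost[v]:
                cost[v] = d + c
                heapq.heappush(heap, (cost[v], v))
    return cost


def port_roles(bridges, links):
    """Return {(bridge, port): 'designated' | 'root' | 'blocked'}."""
    root = elect_root(bridges)
    cost = root_path_costs(bridges, links, root)
    roles = {}
    # Every port starts out blocked; the two elections below override.
    for a, pa, b, pb, _ in links:
        roles[(a, pa)] = roles[(b, pb)] = "blocked"
    # Designated port per segment: the end with the lowest (root path cost, bridge ID, port).
    # All of the root bridge's ports win this because its cost is 0.
    for a, pa, b, pb, _ in links:
        ends = [((cost[a], bridges[a], pa), (a, pa)),
                ((cost[b], bridges[b], pb), (b, pb))]
        roles[min(ends)[1]] = "designated"
    # Root port per non-root bridge: lowest (cost via neighbour, neighbour BID, neighbour port).
    best = {}
    for a, pa, b, pb, c in links:
        for me, my_port, nbr, nbr_port in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            key = (cost[nbr] + c, bridges[nbr], nbr_port)
            if me not in best or key < best[me][0]:
                best[me] = (key, my_port)
    for me, (_, port) in best.items():
        roles[(me, port)] = "root"
    return roles


if __name__ == "__main__":
    print("root bridge:", elect_root(BRIDGES))
    for (bridge, port), role in sorted(port_roles(BRIDGES, LINKS).items()):
        print(f"{bridge} {port}: {role}")
```

With equal costs, S1 owns both designated ports on its links, S2 and S3 each get a root port facing S1, and on the S2-S3 segment the tie on cost is broken by bridge ID, so S2's port is designated and S3's is the one blocked port: three designated ports in total, as the exam question expects. Lowering S3's priority would move the root and change every role, which is the kind of thing worth trying before the retake.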
Zuhzuhzombie!! posted:VTP frames - Unicast or Multicast? Zuhzuhzombie!! posted:IPv6 features - Unicast, Multicast, and Anycast, right? Zuhzuhzombie!! posted:When you're debugging something, to view the output, is it show debug or terminal monitor?
Jul 3, 2012 02:08

IPv6 features: EUI-64, SLAAC, squabbling, disagreement.
Jul 3, 2012 03:20

jwh posted:IPv6 features: EUI-64, SLAAC, squabbling, disagreement. Ridiculous header extension system. Edit: I guess it's great if you sell hardware, though.
Jul 3, 2012 03:25

"But, but, guys! If we give everything a /64 what about in the distant future when we've colonized the solar system and we don't have enough addresses for everyone's personal robot assistants!? What THEN?" - 50% of ip6 discussions on NANOG.
Jul 3, 2012 03:57

My only hope is that everyone responsible for IPv6 dies before the first /64 block is completely consumed.
Jul 3, 2012 04:27