

Cisco: 23K Solutions, 14K Contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


I'm going for a network engineer/security engineer position with a local company, and part of the job is creating secure architecture diagrams, which I don't have any experience with, and I need a lot of information regarding this topic.

I'd like to know what tools and utilities are available, both paid and non-paid. Also, where can I get a crash course on this subject and maybe some type of hands-on soonest? The meat of the position is identifying threats and mitigations, but I would like the position and, again, I'm weak on documentation skills.

IPSEC Tunnel Fails 2x2921

I tried putting a routing statement but no change.  NO PRIVATE INFO: I'll change the crypto key once I get this working.

ip route 192.168.175.0 255.255.255.0 192.168.176.1

ip route 192.168.176.0 255.255.255.0 192.168.175.1
Diagram: SITE 1
localrtr#sh run
hostname localrtr
boot-start-marker
boot-end-marker
enable secret 5 $1$A3Kg$TZeqZI6QF3r.S4nu80fZJ1
no aaa new-model
!
ip domain name mydomain.com
ip cef
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 05190900355E41060D
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.236
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.236
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description MGNT_10_10_10_15
 switchport access vlan 200
 no ip address
!
interface Vlan200
 ip address 10.10.10.15 255.255.255.224
!
ip access-list extended VPN_TRAFFIC
 …
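A consistency check for the crypto configuration posted above, added here as an example (it is not the poster's code and not a Cisco tool). It splits the IOS config into stanzas and reports dangling references between the ISAKMP key, the transform-set, the crypto map, its ACL and the interface it is bound to, and flags the 3DES/MD5/group 2 choices. The config string is abridged from the site 1 config in the post; the post elides the body of VPN_TRAFFIC, so the single permit line here is a constructed placeholder.

```python
import re
from collections import defaultdict

# Abridged from the site 1 config in the post. The VPN_TRAFFIC body is a
# constructed placeholder (the post cuts it off), not the poster's real ACL.
SITE1_CONFIG = """\
hostname localrtr
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.236
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.236
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
"""

WEAK_POLICY = {"encr des", "encr 3des", "hash md5", "group 1", "group 2", "group 5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_blocks(text):
    """Split an IOS config into (header, body_lines) stanzas using the
    one-space indentation IOS prints for sub-mode commands."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def lint_crypto(text):
    """Return a list of findings: dangling references between ISAKMP key,
    transform-set, crypto map, ACL and interface, plus weak algorithm choices."""
    keys, transform_sets, acls = set(), set(), set()
    maps = defaultdict(dict)      # map name -> seq -> {peer, transform, acl}
    applied = defaultdict(list)   # map name -> interfaces it is bound to
    findings = []

    for header, body in parse_blocks(text):
        if m := re.match(r"crypto isakmp policy (\d+)", header):
            for line in body:
                if line in WEAK_POLICY:
                    findings.append(f"weak isakmp policy {m.group(1)}: {line}")
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", header):
            keys.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", header):
            transform_sets.add(m.group(1))
            for alg in m.group(2).split():
                if alg in WEAK_TRANSFORMS:
                    findings.append(f"weak transform {alg} in transform-set {m.group(1)}")
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", header):
            entry = {}
            for line in body:
                if s := re.match(r"set peer (\S+)", line):
                    entry["peer"] = s.group(1)
                elif s := re.match(r"set transform-set (\S+)", line):
                    entry["transform"] = s.group(1)
                elif s := re.match(r"match address (\S+)", line):
                    entry["acl"] = s.group(1)
            maps[m.group(1)][m.group(2)] = entry
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)", header):
            acls.add(m.group(1))
        elif m := re.match(r"interface (\S+)", header):
            for line in body:
                if c := re.match(r"crypto map (\S+)", line):
                    applied[c.group(1)].append(m.group(1))

    for name, entries in maps.items():
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
        for seq, e in entries.items():
            tag = f"crypto map {name} {seq}"
            for field in ("peer", "transform", "acl"):
                if field not in e:
                    findings.append(f"{tag}: missing {field}")
            if e.get("peer") and e["peer"] not in keys:
                findings.append(f"{tag}: no isakmp key for peer {e['peer']}")
            if e.get("transform") and e["transform"] not in transform_sets:
                findings.append(f"{tag}: unknown transform-set {e['transform']}")
            if e.get("acl") and e["acl"] not in acls:
                findings.append(f"{tag}: unknown access-list {e['acl']}")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto(SITE1_CONFIG):
        print(finding)
```

Run it against `show run` output from both routers; a clean lint on each side still leaves the phase 1/phase 2 parameters to be compared across the two configs, which is where mismatched peers most often fail.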
Hi, I have 4 Cisco APs (AIR-AP1261N-A-K9)
currently connected to 100mb switch ports (configured as trunk).
I was hoping to get better performance by moving the APs to a gb port.

Two issues:

(1)      When I connect this AP to a 1gb switch port, I don't get a link light.

      I've tried replacing network cables and a new PoE adaptor. No luck. Connecting to any 100mb port, I see
      a link light, making me think it's a speed issue. The AP's single ethernet port is Gb:

      interface GigabitEthernet0
       no ip address
       no ip route-cache
       duplex auto
       speed auto
       no keepalive

(2)      The other issue is that the performance when accessing the network via these APs is terrible.
      When I carry out iperf3 end-to-end tests, I see bw figures like: 6.12, 4.21, 10.5, 7.77 Mbits/sec.

      For reference, when doing iperf3 tests direct wired to a 1gb port I see an average bw
      of 932 Mbits/sec, and on a 100mb switch port I see 93.8 Mbits/sec. All relatively normal.

are these APs even capable of better throughput?
Trying to get VRF forwarding on an interface in Cisco IOS 15.4.  We currently have a router with 15.2 and have no trouble with it:

interface FastEthernet0/0/3
 switchport access vlan 3
 ip vrf forwarding INTERNAL
 no ip address


But when I try to configure this on the 15.4 router, I get an error:

Test(config)#int f0/1/3
Test(config-if)#ip vrf forwarding INTERNAL
                   ^
% Invalid input detected at '^' marker.

Test(config-if)#


IP vrf isn't an option:
Test(config-if)#ip ?
Interface IP configuration subcommands:
  address     Set the IP address of an interface
  admission   Apply Network Admission Control
  auth-proxy  Apply authentication proxy
  ddns        Configure dynamic DNS
  device      IP device tracking
  dhcp        Configure DHCP parameters for this interface
  igmp        IGMP interface commands
  rsvp        RSVP Interface Commands

Test(config-if)#ip



I do have vrf configured in the global:

ip vrf INTERNAL
 description Trusted Network
 rd xxxxx:10
!
ip vrf INTERNET
 description Internet Traffic
 rd xxxxx:20
 inter-as-hybrid


Any ideas what I'm missing here?
I need to read through 1000's of config files and get a list of all VLANs, their description and their IP address and mask. The data looks like:

interface Vlan100
  description Just a vlan
  no shutdown
  no ip redirects
  ip address 1.1.1.1/26

interface Vlan200
  description Just aother vlan
  no shutdown
  no ip redirects
  ip address 2.2.2.2/26

And there lots of other configuration data in the config file that I don't care about. What I have right now is a python program that opens the config file, and reads through looking for 3 strings: "interface Vlan", "  description", and "ip address". The problem, if you know Cisco, is that 2 of those strings occur in places other than vlan definitions.

I am trying to work through the logic of:

Find the line that contains "interface Vlan"
Write that line
and read the lines looking for "description" and "ip address" UNTIL I find another line that says "interface Vlan"

Make sense? I can run the python script now and then delete all the lines up until the first VLAN line and then delete all the lines afterward. But that will be very time consuming for all the files I have to work with.

Thanks in advance for your help.

Steve
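The stanza logic described in the post (take the "interface Vlan" line, then only the indented lines that follow it, and stop at the next unindented line), implemented as an added example; this is not the poster's script. It also accepts the IOS-style "ip address A.B.C.D M.M.M.M" form as well as the "A.B.C.D/len" form in the post. The sample config is constructed: it contains the two SVIs from the post plus decoy stanzas whose "description" and "ip address" lines a plain string search would pick up.

```python
import csv
import io
import ipaddress

# Constructed sample: the two SVIs from the post, an IOS-style SVI with a
# dotted mask, a shut SVI with no address, and decoy stanzas (Loopback0,
# Gi1/1, router ospf) that also carry "description" / "ip address" lines.
SAMPLE_CONFIG = """\
hostname core1
!
interface Loopback0
  description router id, not a vlan
  ip address 10.0.0.1/32
!
interface Vlan100
  description Just a vlan
  no shutdown
  no ip redirects
  ip address 1.1.1.1/26
!
interface Vlan200
  description Just aother vlan
  no shutdown
  no ip redirects
  ip address 2.2.2.2/26
!
interface Vlan300
  description IOS style mask
  ip address 10.30.0.1 255.255.255.0
!
interface Vlan400
  description parked, no address yet
  shutdown
!
interface GigabitEthernet1/1
  description uplink
  ip address 172.16.0.1 255.255.255.252
!
router ospf 1
  router-id 10.0.0.1
"""


def parse_vlans(text):
    """Return one dict per SVI: {'vlan', 'description', 'ip', 'mask'}.

    A stanza starts at an unindented 'interface VlanN' line and ends at the
    next unindented line, whatever it is, so 'description' and 'ip address'
    lines under other interfaces or sections are never attributed to a VLAN."""
    vlans, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            parts = raw.split()
            if len(parts) == 2 and parts[0] == "interface" and parts[1].lower().startswith("vlan"):
                current = {"vlan": parts[1], "description": "", "ip": None, "mask": None}
                vlans.append(current)
            else:
                current = None
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("description "):
            current["description"] = line[len("description "):].strip()
        elif line.startswith("ip address ") and "dhcp" not in line and not line.endswith("secondary"):
            parts = line.split()
            # 'ip address A.B.C.D/len' and 'ip address A.B.C.D M.M.M.M' both
            # become an ip_interface, which normalises the mask for us.
            addr = parts[2] if len(parts) == 3 else f"{parts[2]}/{parts[3]}"
            iface = ipaddress.ip_interface(addr)
            current["ip"], current["mask"] = str(iface.ip), str(iface.netmask)
    return vlans


def to_csv(vlans):
    """CSV with one row per SVI; the csv module quotes descriptions that contain commas."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["vlan", "description", "ip", "mask"])
    for v in vlans:
        writer.writerow([v["vlan"], v["description"], v["ip"] or "", v["mask"] or ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_vlans(SAMPLE_CONFIG)), end="")
```

For the thousands of files, wrap `parse_vlans` in a loop over `glob.glob("configs/*.cfg")`, read each file and prepend the filename to each row; the stanza rule does not care which file or how many it sees.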
We use Cisco StealthWatch and are disturbed at some of the activity we're seeing.

What's the best technique to research large downloads/uploads from a particular IP address, such as:  168.62.9.111 transferring 3 gigs?

Per https://myip.ms/info/whois/168.62.9.111 , I see this is registered to Microsoft so I don't think it's malicious.

The only IPs I've been able to figure out so far are:
OneDrive: 13.107.136.9
Windows Update: 13.107.4.50

Is there a good site that knows what IPs Microsoft uses and for what purpose?

Thanks,
Mike
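An added example of the triage step itself, not from the poster or from Cisco: aggregate flow bytes per external peer, split into outbound and inbound, label the peer against a prefix list, and flag unlabelled peers that received a lot of data from inside. The flow records are constructed. The prefix labels are placeholders: the two /32s are the IPs named in the post, and the Azure /15 is an assumption to be checked against the vendor's published ranges before it goes into any allowlist.

```python
import ipaddress
from collections import defaultdict

# Placeholder labels. The /32s are the two addresses named in the post; the
# /15 is an assumption. Build the real list from the vendor's published
# endpoint data rather than from this table.
LABELLED_PREFIXES = [
    ("13.107.136.9/32", "OneDrive (per the post)"),
    ("13.107.4.50/32", "Windows Update (per the post)"),
    ("168.62.0.0/15", "Azure (assumed, verify against published ranges)"),
]

# RFC 1918 space is treated as "inside"; adjust to the site's real ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (source, destination, bytes).
SAMPLE_FLOWS = [
    ("10.1.1.20", "168.62.9.111", 3_000_000_000),   # 3 GB out to the Azure address
    ("168.62.9.111", "10.1.1.20", 40_000_000),
    ("10.1.1.20", "13.107.136.9", 120_000_000),
    ("13.107.136.9", "10.1.1.20", 900_000_000),
    ("10.1.1.50", "203.0.113.7", 2_500_000_000),    # 2.5 GB out to an unlabelled peer
    ("203.0.113.7", "10.1.1.50", 1_000_000),
    ("10.1.1.50", "10.1.1.51", 5_000_000_000),      # internal to internal, ignored
]

_NETS = [(ipaddress.ip_network(p), label) for p, label in LABELLED_PREFIXES]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(ip):
    """Longest-prefix match against the labelled list; None when unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, label in _NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def triage(flows, out_threshold):
    """Sum bytes per external peer by direction and flag unlabelled peers
    that received more than out_threshold bytes from inside hosts."""
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    for src, dst, nbytes in flows:
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int == dst_int:
            continue  # both inside or both outside: not a border crossing
        peer, direction = (dst, "out") if src_int else (src, "in")
        totals[peer][direction] += nbytes

    report = []
    for peer, t in totals.items():
        label = classify(peer)
        report.append({
            "peer": peer,
            "label": label,
            "bytes_out": t["out"],
            "bytes_in": t["in"],
            "flag": label is None and t["out"] > out_threshold,
        })
    report.sort(key=lambda r: r["bytes_out"] + r["bytes_in"], reverse=True)
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS, out_threshold=1_000_000_000):
        print(row)
```

The direction split is the point: a 3 GB download from a labelled vendor range and a 2.5 GB upload to an address nobody can name are different findings, and a label alone ("registered to Microsoft") says nothing about which of the two you are looking at.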
Hi All,


I am having an issue with my Azure subnets (10.210.0.0/16, 10.211.0.0/16) being able to access my on-prem subnets over a S2S VPN tunnel. Currently everything is working fine from my inside internal range (10.1.1.0/24). As an example, when I try to access say ports 88, 53, 389 etc. from the Azure controllers (10.211.20.10, 10.211.20.11) to the on-prem controller (10.1.1.159) it is fine, but when I try to access them from the same Azure controllers to say another local controller, 10.1.90.14, I get the following error in the log:


FILTER:srcIP=10.211.20.10;dstIP=10.1.90.14;

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to
NAT reverse path failure.


When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.


Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.211.20.10/57160 dst ED:10.1.90.14/53 denied due to NAT reverse path failure


Now this is the current NAT:


nat (inside,outside) source static OnPremisesNetworks OnPremisesNetworks destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup


The OnPremisesNetworks group object has the inside networks …
Hello experts,

I am at a site and they use a Cisco WLC 5500 wireless controller, and they have defined all the SSIDs. One of the SSIDs is the guest SSID; I am checking the interface defined for it, and it clearly shows it is on VLAN 50. The IP of the interface is given, plus the gateway, which is the same as the primary DHCP server, 10.20.10.1.

I checked the core switch and VLAN 50 exists, but just the VLAN is defined; there is no SVI for VLAN 50 and there are no DHCP services on the core. I checked the Microsoft servers and I do not see a scope for VLAN 50. I am wondering how the clients are getting a DHCP IP when they connect to the guest SSID. I cannot find this gateway or primary DHCP server, 10.20.10.1.

This client also uses Cisco ISE. I have access to the Cisco ISE, but it uses a different IP, and I am not getting clarity on this network. Any suggestions on how to find this DHCP server or service will be a great help.
hi guys

I was looking into cloud switching, such as the tools being offered by Cisco Meraki. They keep saying that you can have your switches in the cloud. But I'm trying to understand how that would work.

Would that mean that in my organisation, which consists of two stacks of 7 switches, totalling 14 switches, I would suddenly no longer need those if I implemented Merakis?

We have around 300 people in our office. All of those people have to be connected/patched to a port on the wall, and those need to be patched into a switch. I can't exactly get rid of those physical switches, can I? So I'm not really understanding the whole cloud switching situation with Merakis.

Or have I totally misunderstood the cloud switching scenario?

thanks for helping
Yash
Hi,
Can someone please help me understand how a certificate works on a firewall: the concept, and how the firewalls authenticate certs.
The scenario is a Fortigate 100D with a Cisco ASA (3rd party) certificate-based VPN.

We have set up a tunnel; however, I don't see many logs because the firewall is in a shared datacentre managed externally. They do not support certificate-based VPN tunnels.
We initially set it up with a pre-shared key and it was fine, so we know all the other settings are correct.

We have created a CSR on the Fortigate and completed this with a CA ("DigiCert"); we have loaded the cert into the firewall (Fortigate, using the web GUI). We have received the Certificate Authority certs (Go Daddy, from the external 3rd party) and installed these; they are now Remote_Cert1, 2, etc.
We have set up the VPN tunnel to use the peer certificate and pointed it to one of the Go Daddy remote certs. There is no option on a Fortigate to use 2 certs.

The info we are getting from the Cisco side debug is as follows

IPSEC An inbound LAN to LAN SA xxx between IP and IP (user==IP has been created
same and outbound LAN to LAN created
AAA retrieved default group policy IP for user =IP
local remote connection established. then it say an IPSEC inbound/outbound LAN to LAN has been deleted.

The Cisco (3rd party) side have no experience with Fortigate. They are seeing a message saying our certificate has been successfully validated, SN x, subject name CN = company, etc.

The tunnel won't come up on the Fortigate. So any info on …

Anyone have any experience with Cisco Cloud Email Security with the AMP add-on? We are currently using Office 365 for email and are looking for a more robust email security platform.

The Cisco solution is one we are looking into, does anyone else have any experience with any others or would be able to make any recommendations?

If you have used Cisco CES, how is it working out? Is there a big difference vs Office 365's built in security features?
Hi. Got a Cisco ASA 5505 that we need to set up a VPN on to another site (SITE2). The issue is that SITE2 already has a VPN to another site that has the same subnet as ours. We have been advised that SITE2 will allow our external IP address through the VPN tunnel instead of our local subnet. We need to NAT our local client PCs (172.16.1.x) to our external IP address.

What commands will we need to do this? Running v9.2

Thanks,
We are currently using a Meraki MX84 for VPN.  It connects to our Active Directory to authenticate users.
I am setting up a Duo Authentication Proxy to tie into my Meraki MX84 so I can have Multi-Factor Authentication on my VPN.  The Duo Auth Proxy is asking for a Radius Secret from the Meraki.  I am not sure where to setup the connection on the Meraki side.  Am I setting up sign in with my Radius Server under Access control?
I have a cisco 3750G POE 24 switch, and it's not booting.  I have uploaded a new IOS via TFTP, did a reload, and now I'm at the switch: prompt
I have included a picture, I have tried a few things, but nothing I'm trying worked.  Any suggestions how I can get the switch to boot correctly?

[attached image: ciscoboot]
I have a new Cisco ASA 5506x and am having difficulty setting up remote management.

SSH on the outside address will work, and is set to accept connection from only specific IPs.  However, I would like to be able to use ASDM from outside as well. (My IOS skills suck.) Using the same IPs as the ssh command does not work, and the client gets a "unable to launch device manager from ..."  

I have Anyconnect VPN working as well, and when connected, I can ping all addresses on the inside network, including the management IP. (same as gateway address) Device is configured to use inside address 10.0.12.0/24, and VPN pool is 10.0.13.0/24.  

I have ' management-access inside'  entered in the configuration, and yes when a PC is connected to the inside ports, the ASDM will come up and run as expected.

I think what is killing this is the default configuration now comes with all the ports on the device (less 'outside') are joined to a bridged network that is by default BVI1. All remaining interfaces are given the nameif of 'inside-1' thru 'inside-7'. To make http work on the inside ports requires adding lines 'http 10.0.12.0 255.255.255.0 inside-1' thru ...inside-7.  If I add 'http 10.0.12.0 255.255.255.0 inside' or http 10.0.13.0 255.255.255.0 inside' it barks at me that this is an 'ambiguous command'.  (same thing if trying to add BVI1) So clearly it wants to reference something that is a physical connection instead of a virtual object.  Problem is that the only other options …
Our company has installed a couple of Cisco 2960X switches stacked up with FlexStack Plus. Our security team is concerned about illegal administrative logons. We need to identify those failed logons, whether through the VTY console or an SSH session.

We have done some research and will try to use the following, "login on-failure log every 1" and "login on-success log every 1", to identify and monitor unsuccessful and successful logons for review.

In order to achieve this requirement, we would like to know whether it is mandatory to use "logging <ip address>" to export the logging output to a remote syslog server. We do not have a remote syslog server on our infrastructure at the moment. Is it technically possible to use the local buffered logging repository on the switch to store such login failure/success audit log records instead for the time being?

Thank you so much for your kind advice in advance.


Regards
Patrick
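An added example (not the poster's, not a Cisco tool) of reviewing the messages that "login on-failure log" and "login on-success log" produce once they have been collected, whether from the switch's buffered log or from a syslog server later. It parses the %SEC_LOGIN-4-LOGIN_FAILED / %SEC_LOGIN-5-LOGIN_SUCCESS lines, counts failures per source address, and flags a source that either exceeds a failure threshold or succeeds right after a run of failures. The log lines are constructed in the shape of those messages; the source addresses, usernames and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed lines modelled on the %SEC_LOGIN messages; not from a real switch.
SAMPLE_LOG = """\
*Mar  1 00:10:01.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 00:10:01 UTC Thu Mar 1 2018
*Mar  1 00:10:03.200: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 00:10:03 UTC Thu Mar 1 2018
*Mar  1 00:10:05.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 00:10:05 UTC Thu Mar 1 2018
*Mar  1 00:10:09.400: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.10] [localport: 22] at 00:10:09 UTC Thu Mar 1 2018
*Mar  1 00:30:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.10.5] [localport: 22] at 00:30:00 UTC Thu Mar 1 2018
*Mar  1 00:31:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.10.10.5] [localport: 22] [Reason: Login Authentication Failed] at 00:31:00 UTC Thu Mar 1 2018
*Mar  1 00:32:00.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.10.5)
"""

EVENT_RE = re.compile(
    r"%SEC_LOGIN-\d-(LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
    r"(?: \[Reason: (?P<reason>[^\]]*)\])?"
)


def parse_login_events(text):
    """One dict per SEC_LOGIN line; everything else in the buffer is skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        events.append({
            "outcome": "fail" if m.group(1) == "LOGIN_FAILED" else "success",
            "user": m.group("user"),
            "src": m.group("src"),
            "port": int(m.group("port")),
            "reason": m.group("reason"),   # None on success lines
        })
    return events


def audit(events, fail_threshold=3):
    """Per source address: failure count, usernames tried, and whether a
    success arrived after the failure count had already reached the threshold."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for e in events:
        s = state[e["src"]]
        if e["outcome"] == "fail":
            s["failures"] += 1
            s["users"].add(e["user"])
        elif s["failures"] >= fail_threshold:
            s["success_after_failures"] = True

    findings = []
    for src, s in state.items():
        if s["failures"] >= fail_threshold or s["success_after_failures"]:
            findings.append({
                "src": src,
                "failures": s["failures"],
                "users": sorted(s["users"]),
                "success_after_failures": s["success_after_failures"],
            })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_login_events(SAMPLE_LOG)):
        print(finding)
```

The buffered log is circular and is lost on reload, so the review window is only as long as the buffer size; the script is the same either way, which is why pulling the buffer into a file on a schedule is a reasonable stopgap until a syslog target exists.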
Hi,
I need your advice about this scenario. I have to configure Cisco ASA and Fortigate firewalls to bring high availability to my headquarters. Is it possible? How can I do it?

Thanks,

Best Regards,
Aristide Akaffou
I have a domain name that is used to connect Cisco AnyConnect clients to a Cisco ASA 5516. I just renewed my SSL cert and GoDaddy sent me 2 x .CRT files. When I called Cisco for help installing this SSL cert they said I need to have it in .PFX format. GoDaddy only gives out CRT files. How do I get the PFX format that Cisco is requesting? I don't recall having to do this last year.
Just found out that Cisco ASA does not make layer 2 tunnels :-(  Does anyone have any recommendations for what device(s) to use?
**** What license do I need to configuring Layer 2 Tunneling Protocol (L2TP) over IPSec on a 2921? **** FOUND IT: DATA = MPLS, BFD, RSVP, L2VPN, L2TPv3, IP-SLA
.
1) NAT overload the ISP IP for outgoing Internet traffic
2) Port map outside customers into the local network to access servers (https, scp)
3) make layer 2 tunnels out to remote sites (using static ISP IP addresses)

I'd prefer to use only 2921 routers but I can use a FW<->RTR combination....

I got the following error While trying to install Cisco AnyConnect Secure Mobility Client Version 4.7.00136 predeploy. "There is a problem with this Windows Installer package. A program run as a part of the setup did not finish as expected. contact your support personnel or package vendor".

I am trying to install this on Windows 10 Version 1803, OS build 17134.441.

Your help is greatly appreciated.
Dear Experts,

I am at a client location today and they have a local server that will be accessing different sites on various ports. The client has an ASA firewall and Cisco Firepower; my question is, do I add the access rules in Firepower or directly in the ASA?

I am always unsure, and the client has no preference.

Please let me know from your experience how to tackle this .

Thanks,
Inherited a Cisco ASA, and I have an IPSec tunnel configured and working great; however, I am trying to figure out which hosts are using this tunnel.

Since the tunnel is encrypted, I cannot seem to capture any packets.

I see the peer IP for the tunnel, and the destination being the outside public IP of the ASA; I need to know the host that is initiating this tunnel.

Appreciate any insights, thanks
Problem with MPLS VPNv4 setup. IGP is visible to Customers. BGP session seems to be up. What am I doing wrong? Cisco IOU setup using GNS3. IOS 15
PE1_startup-config.cfg
PE2_startup-config.cfg
P1_startup-config.cfg
If I have two SIP routes - model 2951 ISRs CUBE - and you want Call Manager to failover if one of them can't complete a call, what is required? We currently have a SIP trunk to one ISR (and the ISR has a TIP trunk to our call center). For redundancy we want to add a second ISR/SIP trunk. But the second should only be used in the event that the SIP peering on the primary goes down. Advice appreciated.
Hello gents,

I am at a customer site and they have a server in the internal zone, the network has Cisco ASA firewall.

They have a developer, and on the server he wants to open ports 7000-7200. Do I use the Cisco ASA to open these ports, or is this done on the server only?

I am not sure how to address this I need clarity on such type of requests from clients,

Thanks,
