Cisco


Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.

WARNING:  If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!!


I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TAC.  The basic problem was that I couldn't get the routers to route traffic in this kind of environment:



I wasn't using the firewall feature; just routing.  (The firewalls in the diagram were ASAs).

Well, the Cisco engineer couldn't figure out what was wrong, so I pulled a couple of routers out of the network and set up a small lab so the engineer could remote in and play with it.  The lab environment looked like this:



The networks were all connected with a Cisco 2950 24-port switch using VLANs and a Cisco 2601 configured as a router-on-a-stick.


I know... really old hardware, but it was just lying around collecting dust and it could do what I needed, so why not?


When I attempted to blank out the config, I couldn't get rid of the VLANs... which reminded me how frustrating VTP can be.


For example, years ago, I borrowed one of these 2950's from the datacenter where I have a few cabinets.  Before I returned it, I wiped the config.  Six months later, I get a call from their head engineer informing me that I had taken down the entire datacenter.


VTP configuration information is stored in the VLAN database, which is NOT deleted when one clears the config.  A switch with the default (null) domain name adopts the domain of the first VTP advertisement it hears, and a VTP server or client accepts any VLAN database that carries a higher configuration revision number than its own.  I had actually used VTP in my network, but they didn't, and the VTP operating mode of all of their switches was still the default, "server".  So, when they put that switch back into production, my VTP config was pushed out across their network and every single VLAN database on every single switch was overwritten with my VLAN config.


The VLAN database is stored as a file in flash memory.  To see it, go into privileged mode and issue a directory listing for flash (dir flash:).  The VLAN database is the file "vlan.dat".


Since Cisco represents the state-of-the-art for networking equipment, one could assume the VTP configuration could be reset by issuing a command such as "clear config vtp".  Of course, one would assume incorrectly.


You actually have to delete the file (delete flash:vlan.dat).

Once you've done that, you should be good to go.  Reload the switch and you'll find the VTP (and VLAN) configuration has been removed.  Before a switch leaves your hands, confirm with show vtp status that the configuration revision is 0 (or put it in transparent mode with vtp mode transparent), so it cannot overwrite anyone else's VLAN database the way the one in the story above did.
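As an added example (not part of the original article), here is a small Python pre-deployment check that parses the output of show vtp status and refuses a switch that would propagate its VLAN database. The sample output below is constructed to look like a Catalyst 2950's; the revision number, domain name and digest in it are made up, and the remediation list is the article's delete-and-reload plus transparent mode.

```python
"""Pre-deployment VTP check (added example, not from the original article).

Parses `show vtp status` output and decides whether the switch can be plugged
into someone else's network without overwriting their VLAN database.
"""
from typing import Dict, List, Tuple

# Constructed sample output; revision, domain and digest values are invented.
SAMPLE_SHOW_VTP_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 27
Maximum VLANs supported locally : 250
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : mylab
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x5A 0xB2 0x1C 0x9E 0x44 0x70 0x03 0xD1
Configuration last modified by 10.0.0.5 at 3-1-93 00:01:23
"""


def parse_vtp_status(output: str) -> Dict[str, str]:
    """Turn the 'Key : Value' lines into a dict; lines without ' : ' are ignored."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def assess_vtp(output: str) -> Tuple[bool, List[str]]:
    """Return (safe_to_connect, reasons).

    A switch is dangerous when it is a VTP server or client (transparent mode
    neither originates nor accepts VTP updates) AND carries a non-zero
    configuration revision: switches in the same domain, and switches with the
    default null domain that adopt this one's domain, accept a higher-revision
    VLAN database without question.
    """
    fields = parse_vtp_status(output)
    mode = fields.get("VTP Operating Mode", "").lower()
    revision = int(fields.get("Configuration Revision", "0"))
    reasons: List[str] = []
    if mode in ("server", "client") and revision > 0:
        reasons.append(
            f"mode is {mode} with configuration revision {revision}: "
            "it will overwrite lower-revision VLAN databases"
        )
    return (not reasons), reasons


def remediation_commands() -> List[str]:
    """IOS commands from the article, plus transparent mode as belt and braces.

    Deleting vlan.dat and reloading wipes the VLAN database and VTP settings;
    transparent mode resets the revision to 0 and stops the switch from
    propagating anything even if VLANs are recreated on it later.
    """
    return [
        "delete flash:vlan.dat",
        "reload",
        "configure terminal",
        "vtp mode transparent",
        "end",
        "show vtp status",
    ]


if __name__ == "__main__":
    safe, why = assess_vtp(SAMPLE_SHOW_VTP_STATUS)
    print("safe to connect" if safe else "DO NOT CONNECT:")
    for reason in why:
        print("  -", reason)
    if not safe:
        print("remediation:", " / ".join(remediation_commands()))
```

Run it against the real output of show vtp status pasted into SAMPLE_SHOW_VTP_STATUS, or wire it to whatever you use to collect CLI output; the decision only needs the mode and revision lines.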


You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.

Powerful tools can do wonders, but only in the right hands. Nowhere is this more obvious than with the cloud.

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far greater than traditional on-prem options.


During and after that shift to cloud, though, one area that still poses a struggle for many organizations is what to do with their department file shares.  I’m sure you’re thinking “there are all kinds of solutions,” and most of them are far better than a traditional network share.  I’d agree with you; however, many organizations have a workforce that is accustomed to this old process.  While solutions like SharePoint, OneDrive for Business, and Dropbox are nice and have additional features, most organizations still prefer the Windows file share.


One solution that holds promise is Microsoft’s Azure File Services.  The offering was originally intended to enable companies to move applications that interacted with file shares to Azure, and it was only accessible from Virtual Machines within the same Azure data center when it was first released.  But last year Microsoft released an update that leverages SMB 3.0 and enables users to securely connect to the shares from any location.


There are some limitations if you’re looking to deploy Azure File Services within your organization.  The biggest that I found was that not all internet service providers (ISPs), Comcast and Charter Spectrum among them, allow access to TCP port 445 (the SMB port) across their networks.  (There is a list of known ISPs that do and don’t block this.)


The other major limitation at this time is that although you can assign Azure AD permissions to the share, when a user connects they have to authenticate with the storage account name and its access key.  This means that everyone is authenticating as the same account, and that key grants full access to the whole storage account, not just the share, so it has to be handled as a secret.  Microsoft is aware this is a shortcoming and is supposed to be addressing it in the future with an update to the service.


These two limitations aside, I see the service being useful for organizations that need to archive data and allow access only from a limited number of individuals or systems.  Azure storage is a low-cost retention option, and data at rest can be encrypted with Azure’s storage encryption.

If you’d like to try Azure File Services for yourself, follow these steps:

1) Go to the Azure management portal and log in with your account.

2) Create a new storage account.  Use only lower-case letters (and digits) when naming it; this is a Microsoft requirement for storage account names.  For Account Kind, make sure to select “General Purpose.”  For our demo we’ll be using Standard performance disks and Geo-redundant Storage.  We’ve also enabled Encryption to show you how easy this function is.

3) Once the storage account has been created, browse to it and under File Service click Files.  You see a sub screen and the Create File Share button: click it, give your file share a name, specify how large you’d like it to be, and click Create.

Congratulations – you’ve just created your first Azure File Share.  But wait! You’re asking, “How do I connect to this file share?”

4) Click on Connect and it will give you the command syntax to connect from either a Windows or a Linux machine.  Remember, your ISP may be blocking port 445.  The command it shows embeds the storage account key as the password, so don’t paste it into scripts or tickets you wouldn’t trust with the whole account.  Once you do connect you can upload files and interact with it like a normal file share.
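As an added example, not from the original article or from Microsoft, the Python below is a pre-flight check for the port 445 problem. It connects to the storage account's Azure Files endpoint on both 445 and 443 (the same account.file.core.windows.net host serves the Azure Files REST API over HTTPS), so a reachable 443 next to a 445 timeout points at port filtering on the path rather than at the account or share. The account name used is a placeholder, and the connector parameter exists only so the logic can be exercised without a network.

```python
"""Azure Files pre-flight: can this client reach TCP 445? (added example)

Not part of the original article. Compares SMB (445) with HTTPS (443) on the
storage account's Azure Files endpoint so a filtered 445 is told apart from a
mistyped account name or a client with no outbound connectivity at all.
"""
import socket
from typing import Callable, Tuple

Connector = Callable[..., object]


def files_endpoint(account: str) -> str:
    """Hostname of an Azure Files storage account in the public cloud."""
    return f"{account}.file.core.windows.net"


def tcp_reachable(host: str, port: int, timeout: float = 3.0,
                  connector: Connector = socket.create_connection) -> Tuple[bool, str]:
    """Attempt one TCP connect and classify the outcome.

    `connector` defaults to the real socket.create_connection; it is a
    parameter only so the classification can be tested offline.
    """
    try:
        sock = connector((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):  # silent drop: what a filtering ISP looks like
        return False, "timeout"
    except ConnectionRefusedError:  # something answered and said no
        return False, "refused"
    except OSError as exc:  # name resolution failure, no route, etc.
        return False, f"error: {exc}"
    sock.close()
    return True, "connected"


def diagnose_smb(account: str, timeout: float = 3.0,
                 connector: Connector = socket.create_connection) -> str:
    """Probe 445 and 443 on the Azure Files endpoint and say what the pair means."""
    host = files_endpoint(account)
    smb_ok, smb_why = tcp_reachable(host, 445, timeout, connector)
    https_ok, https_why = tcp_reachable(host, 443, timeout, connector)
    if smb_ok:
        return "ok: SMB port 445 is reachable"
    if https_ok and smb_why == "timeout":
        return ("blocked: 443 is reachable but 445 times out; port 445 is being "
                "filtered on the path (check your ISP)")
    if not https_ok:
        return (f"unreachable: neither 445 ({smb_why}) nor 443 ({https_why}) answered; "
                "check name resolution and outbound connectivity")
    return f"failed: 445 {smb_why}"


if __name__ == "__main__":
    import sys
    # "mystorageacct" is a placeholder; pass your own account name as argv[1].
    print(diagnose_smb(sys.argv[1] if len(sys.argv) > 1 else "mystorageacct"))
```

A refused 445 is unusual for this endpoint and usually means something between you and Azure is answering on the storage host's behalf; the script reports it separately so it is not mistaken for ISP filtering.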


Look for future updates from Microsoft on this feature to add additional security and the ability to assign individualized permissions based on Azure AD accounts.

Alternatively, if you are considering Azure for your organization but need additional expertise for deployment and management services, learn more about public cloud management services like those from Concerto Cloud. 

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.

Expert Comment by Mihai Corbuleac:
People should trust the cloud with their businesses, especially because it seems that the cloud is here to stay. Recently I read some interesting facts & figures, and this industry is growing faster than expected.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty.

Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs. That's one great method that's unavailable to firewall engineers.

So how does one find the remote IP address? The quick answer is a qualified, "You can't."

But there are some great ideas for sleuthing this out, and it mostly has to do with the subnet mask.

For example, on many WAN links, a subnet mask of /30 (255.255.255.252) is used. If we look at it closely, that means there are only two possible hosts using that mask.

For example, if I had a subnet of 192.168.0.0 using a mask of 255.255.255.252, .0 would be the network itself. It follows that .3 would represent the broadcast address. That would leave .1 and .2 as possible hosts on that subnet.

Two possibilities alone! And that's one of the big reasons why these subnets are commonly used on links -- they don't waste precious IP address space, right?

So if you do have a /30 on your link, you already know the IP address of the remote interface -- you know it has to be the only other host address on that subnet. So in our example above, if my ASA's interface had .1, then the other side of that link would have to have .2 in order to communicate.

But what if you don't have a /30? What if it's a /29 (255.255.255.248), which is somewhat …
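As an added example that is not part of the original article, the Python below does the arithmetic from the paragraphs above with the standard library's ipaddress module and goes one step further than the /30 case: it also handles /31 point-to-point links (RFC 3021, where both addresses are hosts) and returns the whole candidate list for wider masks such as the /29 the article goes on to discuss. Input can be given as CIDR or in the ASA's "address mask" form.

```python
"""Far-end address of a link from your own interface address (added example).

Not from the original article. Standard library only.
"""
import ipaddress
from typing import Dict, List, Optional


def _interface(local: str) -> ipaddress.IPv4Interface:
    """Accept '192.168.0.1/30' or ASA style '192.168.0.1 255.255.255.252'."""
    parts = local.split()
    text = "/".join(parts) if len(parts) == 2 else parts[0]
    return ipaddress.IPv4Interface(text)


def peer_candidates(local: str) -> List[str]:
    """All host addresses on the link's subnet other than our own.

    Network and broadcast addresses are excluded, except on a /31 (RFC 3021),
    where both addresses are hosts, and on a /32, which has no peer at all.
    """
    iface = _interface(local)
    net = iface.network
    if net.prefixlen < 16:
        raise ValueError(f"/{net.prefixlen} is not a link mask; far too many candidates")
    hosts = list(net) if net.prefixlen >= 31 else list(net)[1:-1]
    return [str(h) for h in hosts if h != iface.ip]


def remote_ip(local: str) -> Optional[str]:
    """The peer address when the mask leaves exactly one possibility, else None."""
    candidates = peer_candidates(local)
    return candidates[0] if len(candidates) == 1 else None


def link_summary(local: str) -> Dict[str, object]:
    """Network, broadcast and candidate peers, as in the article's worked example."""
    net = _interface(local).network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),  # not meaningful on /31 and /32
        "candidates": peer_candidates(local),
        "remote": remote_ip(local),
    }


if __name__ == "__main__":
    for example in ("192.168.0.1/30", "192.168.0.2 255.255.255.252", "10.0.0.0/31", "10.0.0.1/29"):
        print(example, "->", link_summary(example))
```

When the list has more than one entry, the usual next step is to look at the ASA's ARP table for that interface after the link has passed traffic; the candidate list tells you which entries are even worth considering.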

2016 – ONPAGE YEAR IN REVIEW
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud 100 by CRN®, a brand of The Channel Company. This annual lineup recognizes the most innovative cloud technology suppliers in each of the following five categories: infrastructure, platforms and development, security, storage and software.

To learn more, visit Concerto Cloud Services. You can also find additional resources on their dedicated Vendor Topic Page.

For cloud, the “train has left the station” and in the Microsoft ERP & CRM world, that means the next generation of enterprise software from Microsoft is here: Dynamics 365 is Microsoft’s new integrated business solution that unifies CRM and ERP functionality into a common data platform.

Use of TCL scripts on Cisco devices: create a file and merge it with the running configuration to apply configuration changes.

Steve Terp was featured in a video created by CRN about how "Channel Is Crucial To Market Disruption". Click on View source to see the video and article.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in hardware. And for organizations in the healthcare industry adhering to HIPAA and HITECH Standards, there are a few keys to safeguarding their sensitive data.

Microsoft supports running workloads with Electronic Protected Health Information (EPHI) in Azure, but as discussed in an earlier article, it is important to understand their stance on Business Associate Agreements (BAAs) and the  shared risk model. In this model, the customer bears the burden of configuring the environment, or ensuring their service providers adhere to HIPAA and HITECH Standards.

Therefore, in this article, we discuss four key safeguards an organization can take when deploying workloads into Azure. Note that the federal government doesn’t spell out in black and white what is required for HIPAA and HITECH, so much as require an organization to implement safeguards that are reasonable for its size.  The keys below are some of the safeguards a mid-market healthcare organization would be expected to implement to protect personal data.

Disable access from external networks or encrypt data in transit
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Shadow IT is coming out of the shadows as more businesses choose cloud-based applications. It is now a multi-cloud world for most organizations. At the same time, most businesses have yet to consolidate with one cloud provider or define an official cloud strategy. According to RightScale, private cloud adoption has gone from 64% to 77% while hybrid adoption has gone from 58% to 71%.  Security is no longer the top challenge for the cloud; finding and building cloud expertise is. Without standardized certifications, choosing the right cloud provider can feel like a frustrating game of Russian roulette.

With all this growth and shift, it's becoming increasingly important to read the fine print before selecting a cloud company as your trusted advisor.  (Additional details: http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2016-state-cloud-survey) What happens if your cloud vendor doesn't deliver as expected? What if there is a security breach? Who owns the risk? Consider any solid service-level agreement (SLA) not only as a warranty from the vendor, but also as a pre-nuptial agreement that both parties agree to.

After migrating several hundred customers to a new cloud platform, my personal experience is that there are two reasons organizations typically leave a cloud provider: a) missed expectations or b) lack of follow-through. In other words, either two well-meaning parties didn't properly set expectations of …
The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastrophic, cascading technical failure that apparently started with a “small fire” in Delta’s datacenter.
Multiple news outlets have relayed this story about the fire, so I can’t speak to how Delta has its IT network designed and deployed. But I can say three things for sure.
 
First, our hearts go out to Delta for having to go through the mother of all business disruptions. It’s a tribute to the organization’s leadership, tenacity and resourcefulness that just a few days later, they were back online and operating normally again.
 
Second, if what I’m reading is true, this entire mess may have been avoidable, or at least more easily contained.
Third, I was one of the Delta travellers last week who was inconvenienced by the outage.  It wasn’t fun.
Since our inception in 2011, we’ve been promoting cloud services as a means to decrease an organization’s risk. Much of the current cloud conversation is around cybersecurity and how, in our datacenters, we deploy state-of-the-art security measures by employing world-class security experts who have a command of best practices, the digital threat landscape and compliance …

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technologies that partners, customers and life-long learners not only get to see, but kick the tires, interact with the technology in labs, and ask questions one-on-one with Cisco’s greatest experts in the field.  I was humbled by how much of Cisco’s latest technology we leverage in our Concerto data centers, that many attendees’ only opportunity to see and use is at Cisco Live.  But why is the type of technology used so important?  Doesn’t every cloud provider use the same equipment?
 
1) Technology is a major differentiator because it can make or break the experience and level of service you receive from your cloud provider.  If the provider’s cloud is sitting on top of white-labelled, low-budget, low-reliability equipment, without massive scale, you’re likely to feel the impact in performance and uptime.  Concerto is a “Powered by Cisco” partner who brings tried and true reference architectures to the cloud.  Using this reference architecture, it doesn’t matter where a problem is, Cisco and our other partners work together to provide us the latest recommendations on how to cloud-enable workloads to perform most optimally.  Technology is the foundation which enables Concerto to offer the amazing 99.99% level of service
Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protecting Electronic Protected Health Information (EPHI).  Whether you view it as a positive or negative, the Federal Government has left the requirements of IT Security in HIPAA purposely vague.  The overarching guideline is to employ best practices based on the size of your organization.
 
For healthcare organizations looking to leverage Microsoft Azure for healthcare data in the cloud, Microsoft has published implementation guidance for adhering to HIPAA and HITECH on Azure (available here).  The guidance defines the items in scope as: cloud services (both web and worker roles), Virtual Machines, Storage, Virtual Networks, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Multi-Factor Authentication, Azure Active Directory, SQL Database and any other features identified on the Azure Trust Center.
 
However, there are some important things to know regarding Microsoft’s HIPAA guidelines for Azure:
 
The Business Associates Agreement: The guidelines include requirements for Microsoft to agree to sign a Business Associates Agreement …
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-and-spoke design using a 3-tier configuration.
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned, and it may be helpful to have the syntax for both at a glance.

You may also want to read the official Cisco ASA 8.3 migration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
Please refer to it for the full NAT migration explanation.

Cisco ASA firewalls support several types of address translation; the most common are the following:

Dynamic NAT translation: it is used for outbound communication only, and the most popular case is when you want your internal LAN to reach the Internet using a public IP address.

PRE_8.3
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 interface

As you can see, the "nat" and "global" keywords work together: the PIX/ASA uses its outside interface address to let clients reach the Internet, building a translation that hides their real IP addresses. Many inside hosts can share that one address because each connection stays unique through the TCP/UDP source port the firewall assigns to it (this is PAT, port address translation).

POST_8.3
ciscoasa(config)# object network internal_LAN
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

Here you see a big architectural difference: translations are now attached to objects. There is no nat/global pair any more; instead the addressing is referenced by a network object, and the NAT rule lives inside that object. The functional result is the same, but the design of NAT and the flexibility in changing the configuration are quite different.

Static NAT translation
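As an added example (not the page's own code and not Cisco's migration tool), the following Python turns pre-8.3 nat/global and static statements into 8.3+ object NAT. It covers the dynamic case shown above, dynamic NAT to a pool, and one-to-one static NAT, the case this section is cut off at; nat 0 exemption, policy NAT with access-lists, and a nat id with globals on several interfaces are refused with a ValueError so you consult the migration guide rather than trust a guess. Object names such as net-192.168.1.0_24 are this script's own convention. It does not touch access-lists; from 8.3 onward access-lists reference real (untranslated) addresses, so migrating those is a separate job.

```python
"""Pre-8.3 ASA NAT -> 8.3+ object NAT (added example, not Cisco's migration tool).

Supported: 'nat (if) N net mask' + 'global (if) N interface|pool|host',
and 'static (real,mapped) mapped real netmask mask'. Anything else raises.
"""
import re
from typing import Dict, List, Tuple

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask \S+)?$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")


def _obj_name(ip: str, mask: str) -> str:
    """Deterministic object name: host-192.168.1.10 or net-192.168.1.0_24."""
    if mask == "255.255.255.255":
        return f"host-{ip}"
    prefix = sum(bin(int(octet)).count("1") for octet in mask.split("."))
    return f"net-{ip}_{prefix}"


def _network_object(ip: str, mask: str) -> List[str]:
    """'object network' header plus its host/subnet line."""
    body = f" host {ip}" if mask == "255.255.255.255" else f" subnet {ip} {mask}"
    return [f"object network {_obj_name(ip, mask)}", body]


def _pool_object(pool: str) -> Tuple[str, List[str]]:
    """'a-b' becomes a range object, a single address a host object."""
    if "-" in pool:
        start, end = pool.split("-", 1)
        name = f"pool-{start}-{end}"
        return name, [f"object network {name}", f" range {start} {end}"]
    name = f"host-{pool}"
    return name, [f"object network {name}", f" host {pool}"]


def migrate(pre83: List[str]) -> List[str]:
    """Return 8.3-style configuration lines for the given pre-8.3 NAT lines."""
    nats: Dict[str, List[Tuple[str, str, str]]] = {}   # nat id -> [(iface, ip, mask)]
    globals_: Dict[str, Tuple[str, str]] = {}          # nat id -> (iface, pool)
    out: List[str] = []
    for raw in pre83:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := NAT_RE.match(line):
            iface, nat_id, ip, mask = m.groups()
            if nat_id == "0":
                raise ValueError(f"nat 0 (exemption/identity NAT) needs manual migration: {line}")
            nats.setdefault(nat_id, []).append((iface, ip, mask))
        elif m := GLOBAL_RE.match(line):
            iface, nat_id, pool = m.groups()
            if nat_id in globals_:
                raise ValueError(f"nat id {nat_id} has globals on more than one interface: {line}")
            globals_[nat_id] = (iface, pool)
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            if mask == "255.255.255.255":
                out += _network_object(real, mask) + [f" nat ({real_if},{mapped_if}) static {mapped}"]
            else:  # subnet-to-subnet static: the mapped side needs its own object
                out += _network_object(mapped, mask)
                out += _network_object(real, mask) + [
                    f" nat ({real_if},{mapped_if}) static {_obj_name(mapped, mask)}"]
        else:
            raise ValueError(f"unrecognised or unsupported statement: {line}")
    for nat_id, entries in nats.items():
        if nat_id not in globals_:
            raise ValueError(f"nat id {nat_id} has no matching global")
        out_if, pool = globals_[nat_id]
        if pool == "interface":
            mapped = "interface"
        else:
            mapped, pool_lines = _pool_object(pool)
            out += pool_lines
        for in_if, ip, mask in entries:
            out += _network_object(ip, mask) + [f" nat ({in_if},{out_if}) dynamic {mapped}"]
    return out


if __name__ == "__main__":
    # The article's own dynamic example plus a static line in pre-8.3 syntax.
    sample = [
        "nat (inside) 1 192.168.1.0 255.255.255.0",
        "global (outside) 1 interface",
        "static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255",
    ]
    print("\n".join(migrate(sample)))
```

Object NAT allows one nat statement per object, which is why a nat id with globals on several interfaces is refused; on 8.3 that case is written with nat (inside,any) or twice NAT, and the migration guide covers the choice.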
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built-in functionality to NAT multiple public IPs to a single internal IP; for that you’d need a router (how-to article soon!).  For an ASA to provide inbound redundancy to your servers you’d need to use two separate IPs for each server, one to be NAT’d to each public IP block.
The information you’ll need to complete this task:

Primary ISP Subnet / Gateway
Secondary ISP Subnet / Gateway
A Public host to ping (i.e. 4.2.2.1)

The Public host to ping is a device (read: cluster of devices) that we will use to check if our primary ISP is up or down.  For that reason, I advise against using an IP of a single server.  I usually go with one of the well-known public DNS servers – 4.2.2.1, 4.2.2.2, or 4.2.2.3.
For this article, we’ll use the following information:

ISP A
Subnet: 20.20.20.0/24
Gateway: 20.20.20.1
Firewall: 20.20.20.2
ISP B
Subnet: 30.30.30.0/24
Gateway: 30.30.30.1
Firewall: 30.30.30.2
Private LAN
Network: 10.10.10.0/24
Firewall: 10.10.10.1

I’ll assume that you’ve already been successful in getting your ASA up and running, and that your config looks something like this (NOTE: I’m using the 8.2 firmware):

 
Expert Comment by Pete Long:
Hi anoyes

Another thing to bear in mind is that the failover is great for outbound traffic, but a 'happy' side effect of doing this is that if the client has a web server/email server, BOTH interfaces can be used to access these internal resources ALL THE TIME (from the outside of those interfaces), regardless of which interface currently has the lowest routing metric :) providing the port forwarding/static NATs are correct.

Also, any site-to-site VPNs from remote sites need their VPN configs updating with the new IP to enable the VPNs to fail over.

Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs

Pete
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes.

"site-to-site" VPNs
The first are the "site-to-site" VPNs that come with all ASAs.  For the 5505, this is 10 for the base license and 25 for the Security Plus license.  5510s are 250, 5520s are 750, etc...  These licenses are not AnyConnect licenses.  They are restricted to IPsec only and, client-wise, are only compatible with the Cisco VPN Client.

This Cisco VPN Client is the old platform from the PIX/VPN Concentrator days, so it worked for my migration.  However, a Cisco SE informed me that the Cisco VPN Client platform is EOL'd, and when a hotfix/service pack is released that breaks the client, it will not be fixed.

AnyConnect Premium
At this point I started looking into the new AnyConnect platform for my user/client-based VPNs.  AnyConnect comes in two flavors.  One is AnyConnect Premium.  All ASAs come with 2 licenses of AnyConnect Premium.  These licenses are unrestricted and allow for client-based and clientless VPNs along with some advanced security features like endpoint assessments and remote host scans.  The AnyConnect Premium scheme is tiered, so the licensing starts at the 2 the ASA comes with; you can then upgrade to 10, 25, 50, 100, 250, etc... until you reach the box maximum.

AnyConnect Essentials
 
Expert Comment by amatson78:
@Tomago, awesome, thanks for the heads up. I did just that and have a 90-day trial license installed on the ASA, and I just successfully connected to my lab from my iPhone. Thx again, one of the best guides yet. :)

Expert Comment by Pete Long:
Nice article!
You didn't mention the changes to AnyConnect licensing for failover, though?
Cisco AnyConnect - Essentials / Premium Licences Explained

Pete
