Posted by LTLnetworker on September 16, 2022
Cisco ASDM is capable of managing a single ASA. But the same shortcut can be used to connect to multiple ASAs.
“When you run Cisco ASDM as a local application, it connects to your security appliance from your desktop using SSL. Running Cisco ASDM as an application has these advantages:
- You can invoke ASDM from a desktop shortcut. No browser is required.
- One desktop shortcut allows you to connect to multiple security appliances.” (These are independent sessions, policy sharing is not possible.)
Read the rest of this entry »
Posted in ASA, Cisco | Leave a Comment »
Posted by LTLnetworker on December 18, 2016
Elliptic Curve Cryptography (ECC) is a newer approach to public cryptography. EC algorithms were introduced in NSA Suite B. Cisco uses the broad term Next Generation Encryption (NGE) for Suite B. Why are elliptic curve keys and such certificates important? As the use of elliptic curve keys are more efficient than RSA keys, it is expected that elliptic keys will gain popularity. (However, there are some intentions of replacing Suite B with an even newer CNSA Suite which contains even stronger ECDH and ECDSA algorithms.) EC algorithms are capable of providing the same level of cryptographic strength using shorter key length than RSA keys.
Elliptic curve TLS ciphers and certificates are supported from
- ASA version 9.4(1)
- Windows 7
- Windows 2008 Server
Read the rest of this entry »
Posted in ASA, Cisco | Tagged: certificate, cipher, ECC, elliptic curve, PKI, tls | 3 Comments »
Posted by LTLnetworker on August 16, 2015
We all want a management network or at least a management VLAN. Regarding those who say they have none, actually they do have a VLAN for management, it is probably just shared with ordinary users (i. e. it is not dedicated). But most IT people prefer a dedicated VLAN that is not used for other kind of traffic and preferably not reachable for users.
In this article we use this definition:
a management VLAN or management network is a dedicated segment for network management traffic which can be used for:
- administering your network devices (aka device access: switches, routers, firewalls via telnet, ssh, https etc.)
- collecting monitoring information (syslog, SNMP etc.)
- hosting syslog, monitoring and management servers (Nagios, Tivoli, Cisco Prime etc.)
- AAA traffic (RADIUS or TACACS+ to Cisco ACS/ISE)
Read the rest of this entry »
Posted in ASA, Check Point, Cisco, F5, Fortinet, routing, switch | Tagged: asa, asymmetric routing, BIG-IP, F5, management, OOB | 3 Comments »
Posted by LTLnetworker on October 5, 2014
Switches usually forward unicast frames to the necessary direction only. Selecting the egress port depends on the MAC address table that is populated by MAC learning. The switch has a chance to learn an address and keep it in the table only if frames are sent from that address regularly. Cisco switches’ default aging time is 300 s, a MAC address is dropped from the table if no frames arrive for 5 minutes.
Unknown unicast flood occurs if traffic is sent to a MAC address which was
a) never learned
b) already aged out
from the MAC address table. In this case, the frame is flooded out on all ports belonging to the VLAN just like a broadcast.
Read the rest of this entry »
Posted in Cisco, switch | Tagged: arp, flood | Leave a Comment »
Posted by LTLnetworker on August 31, 2014
Cisco ISE is an identity-based policy server featuring a wide range of functions from RADIUS CLI authentication to workstation posturing. With just a base license it includes a full-featured RADIUS server and it is capable of performing trivial RADIUS tasks which would not require such a sophisticated product themselves. For the functions described in this article Cisco Secure ACS could have been commonly chosen some years earlier. ISE’s policy logic and web interface is quite different.
The following use cases are described:
Posted in AAA, ASA, Cisco, IPsec, ISE, remote access, router IOS, switch | Tagged: 802.1X, attribute, dot1x, ISE | 8 Comments »
Posted by LTLnetworker on April 12, 2014
Adding a load balancer to an existing network is easy. You just open the vendor’s quick start guide, connect some cables to the server segment, maybe some to the core network. Load balancer configuration includes assigning IP addresses, defining virtual servers and adding server pools. Practically you are done, all the rest you need to do is adding some static routes to some servers or tweaking some NAT setting on the load balancer.
Actually, I don’t say this is evil. Such setups can work for long times with moderate risks and operation principles may be well defined and documented. Even if it can cause problems for network redesign or firewall projects and I estimate slightly higher opex as the tricky load balancer topology most be considered at all changes, still, I can accept such a method in some cases.
However, I am a networker and I prefer creating a design that reflects general best practice of networking.
Read the rest of this entry »
Posted in Cisco, load balancer | Tagged: ACE, BIG-IP, F5, load balancer | 2 Comments »
Posted by LTLnetworker on February 3, 2014
I wrote four years ago:
I am very happy with my HE IPv6 tunnel. Szívesen lennék natív IPv6 felhasználó is, de az UPC nem ad információt, hogy milyen IPv6 tervei vannak. )-:
UPC Hungary has shown no progress since then so I still have to use the Hurricane Electric tunnel. There are some changes though. Google, Youtube, Facebook, Cisco and other big portals have switched to IPv6/IPv4 dual stack (at least the public facing services) so the amount of my IPv6 traffic has increased. On the other hand, I am unable to watch some Youtube videos due to a Youtube bug. Read the rest of this entry »
Posted in IPv6 | Tagged: ipv6 | Leave a Comment »
Posted by LTLnetworker on January 17, 2014
Sometimes we have to provide secure remote access for users whose computers we don’t have any influence at all on. These computers don’t have AnyConnect or Cisco VPN client and the users may not have administrator rights so browser-based AnyConnect installation is not an option either. We can set up a WebVPN portal for such users on Cisco ASA with the clientless SSL VPN feature.
Clientless SSL VPN provides a web portal with various services such as intenal websites, CIFS links, Outlook Web Access etc. which are all accessed via the browser. The ASA software provides HTTPS service to the client and proxies the internal server’s material. The SSL core rewriter (or content rewriter) does application proxying therefore not all websites are guaranteed to work properly. For example, as of 9.1(3) the ASA software does not support Microsoft Sharepoint 2013 portal and some tricky content is not displayed. Read the rest of this entry »
Posted in ASA, Cisco, remote access | Tagged: asa, sslvpn | 2 Comments »
Posted by LTLnetworker on January 12, 2014
A distributed firewall system requires a means to keep the firewall rules and other security policies consistent across similar-role firewalls. Traffic may choose alternative paths if multiple telco lines or data centers are used. We have been testing some Juniper SRX’s in this scenario. The Juniper management software you need for such tasks is Security Director that is an add-on application to Junos Space Management Platform.
Read the rest of this entry »
Posted in Juniper, Junos, Junos Space, SRX | Tagged: juniper, junos, junos space, srx | Leave a Comment »
Posted by LTLnetworker on December 4, 2013
This article’s topic really fits in this blog’s genre. It focuses on a case of classic routing protocol behaviour inspection.
I was looking at the subnets in the routing tables when I noticed that a network I picked up was absent in one of the devices. It is a VLAN routed on a pair of core switches (SW1,SW2). The switches advertise the VLANs by EIGRP and all other routers learn it as external EIGRP routes (due to redistribute connected). However, there’s a router R2 connected to SW2 by a L3 link that doesn’t have the network in the routing table.
Let’s see R2’s EIGRP config :
Read the rest of this entry »
Posted in Cisco, router IOS, routing | Tagged: eigrp | Leave a Comment »
Posted by LTLnetworker on February 3, 2013
I was asked to troubleshoot Active Directory DC synchronization network issues. Two DC’s are behind TMG, the third is in an ASA DMZ so the path is :
DC0 — ASA — TMG — DC73
Subnets:
10.0.0.0/24 — ASA — 10.0.203.0/24 — TMG — 10.0.73.0/24
The TMG performs no NAT for these networks so it’s plain routing. TMG has a default gateway set to ASA and ASA has a static route pointing to TMG’s outside address 10.0.203.100 .
Connectivity was completely broken (no ping, AD sync fail). On the ASA we could see half-open TCP connections:
Read the rest of this entry »
Posted in ASA, Cisco | Tagged: arp, asa, routing | Leave a Comment »
Posted by LTLnetworker on January 25, 2011
I can hardly believe my own test results. I’m making performance tests with ASA 5550 (the one with a factory-installed 4GE module) and there is an interface pair where throughput is smaller than on other pairs.
Read the rest of this entry »
Posted in ASA, Cisco | Tagged: asa, iperf, throughput | 2 Comments »
Posted by LTLnetworker on January 23, 2011
I’ve experienced a strange problem on my desk with two switches. I disconnected the uplink to the company network then the two switches lost connectivity with each other. Even if it was December 31th I felt I must find out what was happening.
Read the rest of this entry »
Posted in Cisco, switch | Tagged: mst, pvst+, spanning tree | 1 Comment »
Posted by LTLnetworker on November 9, 2010
LDAP support for authentication and authorization was introduced in IOS 15.1(1)T. In this article we are testing Cisco VPN client connection authenticated against Novell NetWare eDirectory.
Structure of the LDAP directory:
Read the rest of this entry »
Posted in AAA, Cisco, IPsec, remote access, router IOS | Tagged: ezvpn, ldap | Leave a Comment »
Posted by LTLnetworker on May 14, 2010
An IPv6 host’s default router selection is affected both by manual static routes and received router advertisements.
I am very happy with my HE IPv6 tunnel. Szívesen lennék natív IPv6 felhasználó is, de az UPC nem ad információt, hogy milyen IPv6 tervei vannak. )-: I bookmarked Google’s IPv6 site but once it turned inaccessible. What could have happened?
Read the rest of this entry »
Posted in Cisco, IPv6, router IOS | Tagged: default router, host, ipv6, ra | 3 Comments »
LTLnetworker | IT hálózatok, biztonság, Cisco 