Maneki Neko
Oct 27, 2000

Veth posted:

Our aging Barracuda web filter finally died. We were just going to replace it with a new one, but the company owner decided we needed to buy a Cisco product for reasons. So we bought an ASA-5506-X with FirePower. It was supposedly the lower-end "entry-level" product.

We don't have a dedicated IT staff (75-person company). I have enough experience with Cisco stuff to know I don't have the expertise to manage their stuff properly.

We were assured up and down that it was easy to manage, web interface yada yada. We can't get the thing working. The URL-based filtering doesn't work. We've opened numerous support requests with Cisco and none of the techs can actually get it working properly. There's a lot of "well it should be working lets upload the configuration so we can analyze it on our end" followed by lots of nothing.

My short questions are: Is this typical for this product? Does anyone have any insight into this product line? Did we clearly buy something way more than we needed and are trying to shoehorn it into some role it's not meant for?

Yeah, if you don't have a dedicated IT person you bought the wrong thing. Too late to maybe return and buy a Meraki?


Partycat
Oct 25, 2004

If TAC can't get it working tell them you want it escalated, severity 2, and make sure you have some time to work with them when they are available or they will disappear again.

The people answering tickets you open online initially are terrible. They will send you cut and paste crap, call you after hours, WebEx nothing, etc. If you get to an actual competent person they will take care of you.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I agree, after I open a case I always email my sales engineer who bumps my ticket priority for me. It is an easy way to get a better tech without feeling like a jerk.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
In my experience if you just say something like "hey, we're depending on this to replace our previous firewall and it's not really working right now, which is a significant impact to our operations - could you make this ticket severity 2?" then you should be fine. Policy is mostly that the customer defines the priority, so you shouldn't really get pushback as long as you have reasons that match the definitions of the different severity levels and are yourself responsive when you want a more urgent severity.

Pile Of Garbage
May 28, 2007



Veth posted:

Nope, although it's probably only 40 actual users at most. Undoubtedly, we're way off the "Best Practices" path, but day-to-day the three of us who share the IT burden manage OK. Cisco stuff is way over our heads, unfortunately.

It'd be a massively off-topic derail to enumerate the IT WTFs, to be honest. Let's just say that paranoia and "I know a guy who said we need..." heavily influence decision making here.

I hope you're getting two paychecks.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

cheese-cube posted:

I hope you're getting two paychecks.
Believe it or not, people wear multiple hats at smaller firms.

Sheep
Jul 24, 2003

adorai posted:

Believe it or not, people wear multiple hats at smaller firms.

Crosspost but so worth it:

Bob Morales in the ticket came in thread posted:


Sheep fucked around with this message at 14:21 on May 21, 2016

Thanks Ants
May 21, 2004

#essereFerrari


adorai posted:

Believe it or not, people wear multiple hats at smaller firms.

It depends on what the hats are. Like maybe the guy who does the infrastructure is expected to do desktop support. But if someone is employed as the office manager it's unlikely that they'd be tasked with plumbing.

This is before you even get to the damage to efficiency and quality of work by getting someone to do something they are not familiar with and not absorbed in day-to-day.

psydude
Apr 1, 2008

ElCondemn posted:

Hire a consultant to come in and configure it. My experience is that firepower itself is pretty lame, but people seem to like it. It wasn't too hard to configure with my 5515-x. It's probably better than the old IPS/IDS modules but it's not the perfect solution I was hoping for.

Good luck getting it working; if I were you I would've stuck with the Barracuda.

It's still probably the best IPS on the market. Their dedicated, non-ASA boxes have some of the highest throughput of any IPS you can buy.

With that being said, as others have mentioned, it's not something that's really designed for a small staff unless one person has prior security engineering experience.

Docjowles
Apr 9, 2009

Partycat posted:

If TAC can't get it working tell them you want it escalated, severity 2, and make sure you have some time to work with them when they are available or they will disappear again.

Also, have fun getting assigned a tech in some random-rear end place. We recently opened a TAC case for our ASA and got a tech in Hawaii or something. "Yes, I would be happy to help you with this. Please join my WebEx at 2AM EST and " :stonklol:

Got that reassigned to someone at least in the continental US, thankfully.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
TAC engineers always call me after five PM asking if it's a good time to talk or harassing me for case closure.

psydude
Apr 1, 2008

TAC is by far the worst support entity I've worked with. Best is definitely Niksun, which as of 2013 was like two guys in Boston who always answered the phone with "Yeah, whatdya want?" Then probably F5.

Veth
May 13, 2002
Homeless Pariah

Eletriarnation posted:

In my experience if you just say something like "hey, we're depending on this to replace our previous firewall and it's not really working right now, which is a significant impact to our operations - could you make this ticket severity 2?" then you should be fine. Policy is mostly that the customer defines the priority, so you shouldn't really get pushback as long as you have reasons that match the definitions of the different severity levels and are yourself responsive when you want a more urgent severity.

After reading all these replies, I think this is the route we're going to take. Severity 2 it is. Unfortunately, returning it for another product would require the owner to admit a mistake, so that's not going to happen anytime soon.

We wear a lot of hats here, but this hat is altogether too big for both of us.

I appreciate the responses, folks. It's been reassuring.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

Docjowles posted:

Also, have fun getting assigned a tech in some random-rear end place. We recently opened a TAC case for our ASA and got a tech in Hawaii or something. "Yes, I would be happy to help you with this. Please join my WebEx at 2AM EST and " :stonklol:

Got that reassigned to someone at least in the continental US, thankfully.

A lot of this depends on when you open the ticket and what the product is. Some products are handled by multiple teams and might have, for example, a bunch of people on different shifts in Bangalore or Costa Rica who handle most of the common issues and kick up uncommonly complex issues or those requiring troubleshooting with development to a smaller team elsewhere. Other products only have one support team on shift at any given time and that team takes all cases during this shift. So for example if you open a case at 10AM EST it might go to the RTP (NC) team, but then 6 hours later it might go to San Jose, then Sydney, then Brussels, then back to RTP.

I haven't worked with all of the support models so it's hard to speak in general, but it's probably good in general to open the case around the shift when you would want to work on it (so don't do it as the last thing before you leave on a long day), assuming that it's not an urgent open-it-ASAP sort of thing. It also couldn't hurt to mention your contact hours in your initial communication.

Partycat
Oct 25, 2004

They will flat out ignore it half the time for mundane cases. They call at 4:56PM then email with the cut and paste about how I'm sure you're very busy and don't mean to intrude but etc. Then I immediately email back and say email only, wherein they repeat this the next day.

Most of it is surely due to the number of cases they are trying to get through in a day, but it comes off as lovely service.

If you fill out the case closure survey and tell them you had an issue, if you do with TAC and not so much software or hardware that doesn't work, they will read it and get back to you. I wrecked on their Calabrio TAC mook for collecting my logs for two months and doing nothing, and got a reply and a prompt resolution.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
seriously, just call your sales engineer after you open a ticket. You'll be happy you did.

less than three
Aug 9, 2007



Fallen Rib

Veth posted:

Our aging Barracuda web filter finally died. We were just going to replace it with a new one, but the company owner decided we needed to buy a Cisco product for reasons. So we bought an ASA-5506-X with FirePower. It was supposedly the lower-end "entry-level" product.

We don't have a dedicated IT staff (75-person company). I have enough experience with Cisco stuff to know I don't have the expertise to manage their stuff properly.

We were assured up and down that it was easy to manage, web interface yada yada. We can't get the thing working. The URL-based filtering doesn't work. We've opened numerous support requests with Cisco and none of the techs can actually get it working properly. There's a lot of "well it should be working lets upload the configuration so we can analyze it on our end" followed by lots of nothing.

My short questions are: Is this typical for this product? Does anyone have any insight into this product line? Did we clearly buy something way more than we needed and are trying to shoehorn it into some role it's not meant for?

OpenDNS sounds like a far better fit for your situation, and it's easy as hell to configure.

Ahdinko
Oct 27, 2007

WHAT A LOVELY DAY

Veth posted:

Our aging Barracuda web filter finally died. We were just going to replace it with a new one, but the company owner decided we needed to buy a Cisco product for reasons. So we bought an ASA-5506-X with FirePower. It was supposedly the lower-end "entry-level" product.

We don't have a dedicated IT staff (75-person company). I have enough experience with Cisco stuff to know I don't have the expertise to manage their stuff properly.

We were assured up and down that it was easy to manage, web interface yada yada. We can't get the thing working. The URL-based filtering doesn't work. We've opened numerous support requests with Cisco and none of the techs can actually get it working properly. There's a lot of "well it should be working lets upload the configuration so we can analyze it on our end" followed by lots of nothing.

My short questions are: Is this typical for this product? Does anyone have any insight into this product line? Did we clearly buy something way more than we needed and are trying to shoehorn it into some role it's not meant for?

I had a 5506-X for some testing; URL filtering was fairly simple to set up. You have to cable those smaller ASAs in a specific way to make it work.
It's point 4 on this link: http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html#pgfId-139622

Then you define a service policy (in ASDM go to Configuration at the top, Firewall on the left, then Service Policy on the left) that passes matching traffic (you probably want source: your inside network, destination: any, protocol http/https) over to the FirePOWER inspection module. To pass the traffic over, it's one of the tick boxes on the right-hand side in the second or third tab across the top of the service policy editing screen.

Then in the firepower management bit, you define your URL filtering rules such as what sites you want to block or allow.

Make sure you've activated your control licence that came in a little cardboard sleeve in the box with the ASA. Also depending on what you want to do, you need the URL filtering licence if you haven't purchased that already, there's some blurb on it here:

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html

An important bit to note from that, which might be why it looks like it's set up right but isn't working:

quote:

Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block. This gives you granular, custom control over web traffic, but does not allow you to use URL category and reputation data to filter network traffic.

Although you can add category and reputation-based URL conditions to access control rules without a URL Filtering license, the ASA FirePOWER module will not contact the cloud for URL information. You cannot apply the access control policy until you first add a URL Filtering license to the ASA FirePOWER module.

Ahdinko fucked around with this message at 14:15 on May 27, 2016
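The ASDM steps in the post above, written out as the equivalent ASA CLI. This is an added example, not from the post or from Cisco's documentation; the inside subnet 192.168.1.0/24 and the names SFR_REDIRECT and SFR_CLASS are assumptions.

```cisco
! Added example: ASA CLI equivalent of the ASDM service-policy steps.
! Assumptions: inside subnet 192.168.1.0/24, names SFR_REDIRECT / SFR_CLASS.
!
! 1. Select the traffic to inspect: inside hosts to anywhere on HTTP/HTTPS.
access-list SFR_REDIRECT extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list SFR_REDIRECT extended permit tcp 192.168.1.0 255.255.255.0 any eq https
!
! 2. Wrap the ACL in a class-map.
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! 3. Attach the class to the default global policy and send matches to the
!    FirePOWER (sfr) module. This is the ASDM tick box mentioned in the post.
!    fail-open  = if the module is down or unresponsive, traffic passes uninspected
!    fail-close = if the module is down, matching traffic is dropped
!    Choose fail-close if the web filter is a control you must not silently lose.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
! 4. global_policy is already applied globally on a default ASA config;
!    the line below is only needed if it was removed.
service-policy global_policy global
!
! Verification (exec mode): the packet counters for SFR_CLASS should climb
! as inside hosts browse. If they stay at zero, traffic is not reaching the
! module and the URL rules in the FirePOWER policy never see it.
!   show service-policy sfr
!   show module sfr details
```

If the counters climb but nothing is blocked, the problem is on the FirePOWER side (policy not applied, or the licensing point quoted in the post) rather than in the ASA redirect.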

Charliegrs
Aug 10, 2009
I have a Cisco 2600 router with one FastEthernet port and a 2900 switch. Is it possible to hook up this router to my home router if it only has the one ethernet port? I want to connect through the Cisco router, have it NAT to my home router and out to the internet. Is there some way I can rig it up with the switch to get this to work?

Thanks Ants
May 21, 2004

#essereFerrari


You can do a router on a stick type configuration with virtual interfaces and VLANs.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Sure with vlan subinterfaces and trunking on your switch.

Sounds like your switch is an XL, which only supports VLANs through 1000.

Hopefully your 2600 is actual fast-e and not just Ethernet, or you'll be forcing duplex to make it work.

Charliegrs
Aug 10, 2009

Thanks Ants posted:

You can do a router on a stick type configuration with virtual interfaces and VLANs.

This is exactly what I was thinking, but I'm having a hard time figuring out where to put the trunk and access ports. So I assume the connection from the switch to the 2600 will have to be a trunk? Then the connection from the switch to the home router will have to be a trunk as well? And a connection from the switch to my PC will have to be an access port?

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
Yeah, you're going to trunk between the 2600 and the switch with two VLANs - one for inside NAT and one for outside NAT. From the switch to the home router and your PC would both be access ports on the inside VLAN, and the switch to your modem or whatever will be access on the outside VLAN.

You'll also probably want to move your home router's link to one of the LAN ports unless you want it to be doing NAT inside of the 2600's NAT.

Eletriarnation fucked around with this message at 23:15 on May 27, 2016
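The layout Eletriarnation describes, as an added configuration example (not from the thread or from either poster). VLAN numbers, addresses, port assignments and DHCP on the outside subinterface are assumptions; the switch side assumes a 2900XL-era IOS that creates VLANs in `vlan database` mode and supports 802.1Q trunking.

```cisco
! Added example of the router-on-a-stick layout described above.
! Assumptions: VLAN 10 = inside (192.168.10.0/24), VLAN 20 = outside,
! the modem hands the 2600 an address by DHCP, and the port numbers below.
!
! ---- 2600: one FastEthernet port, two 802.1Q subinterfaces ----
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description inside VLAN - PC and home router LAN port
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.20
 description outside VLAN - modem
 encapsulation dot1Q 20
 ip address dhcp
 ip nat outside
!
! Translate only the inside subnet; "overload" is PAT behind the one outside address.
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0.20 overload
!
! Hand out inside addresses (9.9.9.9 is an assumed public resolver; use the ISP's if preferred).
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp pool INSIDE
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 9.9.9.9
!
! ---- 2900XL switch: VLANs are created in vlan database mode on this platform ----
vlan database
 vlan 10 name INSIDE
 vlan 20 name OUTSIDE
 exit
!
interface FastEthernet0/1
 description trunk to 2600 Fa0/0 (carries VLANs 10 and 20)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 description modem - outside VLAN; nothing else belongs on this VLAN
 switchport access vlan 20
!
interface FastEthernet0/3
 description PC - inside VLAN
 switchport access vlan 10
!
interface FastEthernet0/4
 description home router, cabled from one of its LAN ports (not WAN) - inside VLAN
 switchport access vlan 10
!
! Checks on the 2600 once cabled:
!   show ip interface brief          (Fa0/0.20 should hold the modem-assigned address)
!   show ip nat translations         (entries appear as the PC browses)
!   show interfaces FastEthernet0/0  (watch for the duplex errors falz mentioned)
```

Keeping the modem alone on VLAN 20 matters: anything else patched into that VLAN sits outside the NAT boundary and is directly exposed.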

ate shit on live tv
Feb 15, 2004

by Azathoth
Also fair warning but the 2600 unless it's an XM model is going to be the bottleneck in your network.

CrazyLittle
Sep 11, 2001





Clapping Larry

Powercrazy posted:

Also fair warning but the 2600 unless it's an XM model is going to be the bottleneck in your network.

Even a 26**-XM is still going to be slow as dogshit

ate shit on live tv
Feb 15, 2004

by Azathoth

CrazyLittle posted:

Even a 26**-XM is still going to be slow as dogshit

That's true. Long gone are the days of 2Mbps down / 768kbps up residential internet. At least in most of the country.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
If you decide you want to get a Cisco router as a home gateway, a used 2821 isn't a terrible choice to avoid paying a lot or getting limited performance. Its stock fans are pretty loud for home use but they're standard 80mm case fans, so you can buy some quieter ones meant for PCs to keep it cool enough without being distracting. It's still pretty big but you can just stick it in an out of the way place or stack things on it.

I had no problems running a 12/2 DSL connection with a much slower 1710 + WIC-1ADSL combo a few years back, but based on the CPU utilization I don't think it could have handled NAT for more than 15-20Mbps. Not sure about the 2600s but they're probably comparably limited, while the 2821 in comparison has two gigabit ports and seemed like it wasn't trying very hard with the 60/6 connection I had at the time.

There are newer, smaller models with gigabit ports like 891FW or the 1900s but I don't think you could find them for as low prices as a 2800.

Eletriarnation fucked around with this message at 14:39 on Jun 1, 2016

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Just get a 3825; they're $50 with 1GB RAM and have two gig ports (but can't route at gig).

poo poo you can dump a full table in to it if you want.

Pile Of Garbage
May 28, 2007



Eletriarnation posted:

If you decide you want to get a Cisco router as a home gateway, a used 2821 isn't a terrible choice to avoid paying a lot or getting limited performance. Its stock fans are pretty loud for home use but they're standard 80mm case fans, so you can buy some quieter ones meant for PCs to keep it cool enough without being distracting. It's still pretty big but you can just stick it in an out of the way place or stack things on it.

I had no problems running a 12/2 DSL connection with a much slower 1710 + WIC-1ADSL combo a few years back, but based on the CPU utilization I don't think it could have handled NAT for more than 15-20Mbps. Not sure about the 2600s but they're probably comparably limited, while the 2821 in comparison has two gigabit ports and seemed like it wasn't trying very hard with the 60/6 connection I had at the time.

There are newer, smaller models with gigabit ports like 891FW or the 1900s but I don't think you could find them for as low prices as a 2800.

Just get an old 877. I've got one and it works perfectly on my 19/2 DSL connection. If you want gig on LAN then stick a better router behind it.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
Yeah, this was several years back and I'm not on DSL now anyway. I probably chose the 1710 because it was the cheapest option at the time, I remember the WIC costing a lot more than the router.

I hadn't seen this before looking just now, but apparently there's a chart with comparisons for various models. Since this is all with 64-byte packets real-world rates are going to be better, and I can see they're listing my old 1710 at 3.58Mbps when it was definitely able to handle downloading at 12 with around 60% load. In comparison the chart says 12.8Mbps for 870s, the 2821 has 87Mbps and the 3825 is up at 187Mbps. If we give them the same ratio for real-world performance that the 1710 had, you might not be able to get gigabit through the 3825 but it couldn't be too far off with large packets.

Of course, if you're really concerned about throughput there are much more practical options anyway but for me it was kind of a fun side project.

Eletriarnation fucked around with this message at 16:35 on Jun 1, 2016

Richard Noggin
Jun 6, 2005
Redneck By Default

Powercrazy posted:

That's true. Long gone are the days of 2Mbps down / 768kbps up residential internet. At least in most of the country.

gently caress. I am not most of the country. :yikes:

CrazyLittle
Sep 11, 2001





Clapping Larry
Hell, I'm already at the point where I actively discourage any use of a 28xx series router outside of academic studying. They're just not worth it for production use in any place that matters...

Unless you're stuck in one of those places where your only option is mlppp T1 bundles.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
we've got quite a few 2800 series ISRs in production, they work great. I think 10Mbps is the fastest link we have on one, but it's still good.

Thanks Ants
May 21, 2004

#essereFerrari


Where does a 1941 sit in the scale of worth-keeping to junk?

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
Well, whether it's worth keeping depends at least as much on whether you have a use in mind for it as on what it is.

The chart I just linked says it can do 153Mbps of 64-byte packets, so you'd probably get several hundred Mbps of throughput with real-world traffic. That makes it a perfectly good home or small office router. You might already have something that's easier to use or more powerful though - I mean, my 2821 would be fast enough to handle the connection at my current location but it's been replaced by a different system that I prefer for non-performance reasons, so it's gathering dust. The 1941 is definitely superior in that case; because they still go for a couple hundred bucks on eBay instead of being barely worth the shipping cost, you could always sell it if you don't need it.

It does look like the 1941s have hardware VPN which has to be added in as a separate module on the 2800s if I recall correctly, but it's again kind of a situation where you might not have any use for it.

Eletriarnation fucked around with this message at 02:35 on Jun 2, 2016

ate shit on live tv
Feb 15, 2004

by Azathoth

Thanks Ants posted:

Where does a 1941 sit in the scale of worth-keeping to junk?

1941 is solid for lots of environments, as well as home use.

chestnut santabag
Jul 3, 2006

I will always hate the 1941 for its annoying 2U yet not full width size.

ate shit on live tv
Feb 15, 2004

by Azathoth

chestnut santabag posted:

I will always hate the 1941 for its annoying 2U yet not full width size.

They come with rack extender things so if you need to rack mount it, it's not a problem at all.

Thanks Ants
May 21, 2004

#essereFerrari


I am more annoyed that the entire 800 range bar the 890 isn't rack mountable, and putting them on a rack shelf makes them slightly over 1U.


falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Yeah, that's so you don't buy them for that purpose I suppose.

The old timey curved AM radio look of the 1941 is hilarious.

It's better than the 1600 series though.
