falz posted: I must be backwards since NAT seems so strange on ASA and more logical on IOS.

I share this opinion. Making complicated NATs is a pain in the rear end on ASAs.
# Sep 9, 2011 16:55
# Apr 25, 2024 01:59
Eletriarnation posted: In IOS, that would be

TACACS+ accounting is your friend! Though yes, XR does it far far better.
# Sep 9, 2011 18:38
I have a rather weird situation that I'm trying to work through. On one side, I have my ASAs trunked to my internet side switches which then patch into an ISP router. We have two different IP blocks from this ISP, and the ASAs have an interface in each block on their respective subinterface, as shown below. code:

1) I have no more physical ports free on my ASAs
2) ASAs don't do secondary IPs
3) I have to use VLANs because the ASA will not let you do nameifs on subinterfaces unless they also have a VLAN assigned

So I have my two VLANs delivered successfully to my switch, and though I know that I could just bridge the two VLANs together with a patch cable going between access ports on the two different VLANs, such a solution is not elegant and will trigger my inner . I know you can use bridge groups and BVIs to do various bridging magic with interfaces, however I want to bridge two VLANs together on the switch itself. Is this possible? I posed this question to a few Cisco TAC guys and got in response.

Nuclearmonkee fucked around with this message at 21:41 on Oct 18, 2011
# Oct 18, 2011 21:38
Powercrazy posted: Why do you have two separate public networks from presumably two providers, but on only a single physical interface?

Two networks, same provider. They ran out of IPs and bought a second block.

EDIT: And by "ran out" I mean the guy at this location doesn't know wtf he is doing. I am basically trying to get this working quickly for a specific purpose, not fix their entire (poorly configured) network.

Nuclearmonkee fucked around with this message at 22:03 on Oct 18, 2011
# Oct 18, 2011 21:59
jwh posted: I think the physical cable is your best bet. Disable spanning-tree or else you'll see bpdu mismatch errors (I think).

Yeah, I bpdufiltered the port to prevent any angry errors from popping up and told the customer they need to pay for the network to be redone (at least the internet side mess) and not to bitch if there are problems because of the bandaids we slapped on. You don't get 99.999 when your topology looks like it was designed by a drunken chimpanzee.

Nuclearmonkee fucked around with this message at 21:00 on Oct 19, 2011
# Oct 19, 2011 20:56
Zuhzuhzombie!! posted: Can the ISP simply route you the other block of IPs, let you advertise/allocate it as you want, and then just forward everything out of your network like normal?

It is a complicated combination of people unwilling to purchase hardware that they should be using, along with the annoying limitations involving complex site to site VPN topologies using ASAs. I suppose I could write it all out tomorrow if you want the long version.
# Oct 19, 2011 22:56
GOOCHY posted: This is the question I'd ask too. Why don't they just route the 2nd additional public subnet down to your ASA device instead of, presumably, having it as a secondary "connected" network on the interface on the ISP end. That's how I'm envisioning they're doing it, anyway.

At another remote office, there is an ASA with two uplinks. On the other side, there is this messy ASA with the two blocks on one ISP. They want to have two active site to site tunnels going over each of these remote site uplinks over to their home ASA, with specific VPN traffic designated for each uplink. The ASA doesn't support single site to site VPNs with an active/active configuration like this (or at least not that I'm aware of, nor were the TAC guys aware), so the easiest way was to just add a secondary interface on the far ASA to function as an endpoint for this second VPN connection so that I could build rules to send appropriate traffic over each tunnel. The customer refused to buy hardware which does this kind of thing easily, and I was simply told to "make it work with what they have right now", which is exactly what they got.
# Oct 20, 2011 17:27
Zuhzuhzombie!! posted: In other news.

That is everywhere. You are networking, so if "the internet is slow" then it's obviously your fault. You are personally responsible for every fiber line severed by a tractor, weather which knocks out cable service, and even the rogue squirrel who decides to snack on some of your dark fiber.

Nuclearmonkee fucked around with this message at 17:32 on Oct 20, 2011
# Oct 20, 2011 17:29
Just had to share this little screenshot. No, the password recovery mechanism was not disabled. Seen all kinds of eBay switches with configs still intact, but this is my first government one. Always remember to delete your configs before you eBay your old stuff!

When I worked in government, albeit local government, I remember extremely strong prohibitions against letting a network device that could have potentially sensitive data in it ever creep out of the organization. Password recovery was also disabled on everything (and verified as such via Solarwinds). I can only assume the Department of Defense is supposed to be more stringent.
# Feb 27, 2013 23:03
CrazyLittle posted: Even better if they used Cisco 7 passwords (reversible).

They did. Domain name from the config: ip domain-name soccent.centcom.smil.mil

Special Operations Central Command.
# Feb 28, 2013 00:15
psydude posted: AFAIK, devices carrying classified or sensitive but unclassified information are supposed to be destroyed rather than sold as surplus. To give you an idea of how anal they are about technology - you can't even take a CD that's been in a classified computer and stick it in a machine of a lower classification or an unclassified network.

Unless they faked the config, it appears to come from Special Operations Central Command and is configured with IPs in the 22.0.0.0/8 and 11.0.0.0/8 ranges. Pretty sure those guys are supposed to be super anal. Now it gets to have a rather boring existence serving truck engineers.
# Feb 28, 2013 00:24
psydude posted: You'd be surprised at the kind of people who find their way into working on classified networks.

Well, I know idiots exist everywhere, particularly in large organizations. I'm just amazed that they would allow such a horrible config oversight and not have some kind of compliance system in place to make sure it never ever happens. It's not like budget would be a concern for these guys and I would expect the senior engineers to be at least semi-competent. Even in my experience with derpy local pd/sheriff departments we had to follow the lowest FIPS 140-2 standard.
# Feb 28, 2013 00:30
Bob Morales posted: HP switch question here: there appear to be two software versions, 15 and 16, for the same switches? Is one a more 'reliable' one and one has more 'features' or something like that? I seem to remember Adtran having something weird like that with AOS releases.

16 is the new release train which has more stuff and is the one they are actively maintaining. I have a few HP 5412 zl switches out there and they are still happily running 15.10.0018m and will probably continue to do so until they are replaced or a reason to change them to 16 arises. So I guess it's kind of up to you, but I'm just sticking with the old boring 15 stuff since I don't need any 16 features and despise buggy switch firmware.
# Sep 22, 2016 18:11
adorai posted: I know no one pays list. Generally, I expect 50% from Cisco. I'm not new to UCS, we use their C series and have for a few generations. We just aren't at the scale where the centralized management of their blade system is going to be a selling point. I am looking at blades to minimize rack utilization right now, as I am considering a move from our own datacenters to leased racks. If I tie that in with a refresh I would do otherwise, it probably makes sense to go with blades, but maybe not UCS.

I love it even if it's just a UCS mini sitting out somewhere. If you have a comprehensive and sane network architecture/plan after you put these guys in, you generally don't have to touch them very much beyond doing the occasional software update or part replacement when some doodad or another goes bad, which in my experience thus far with 14 chassis happens very rarely. They go in easy, don't take much space and are extremely easy to manage once you are used to them. I suppose you can do an HP blade server or w/e instead if you prefer them though.

We pay around 25k for a starter mini with the 6324s and 2 server blades w/ 256gb memory. If you wanted to go a bit lower budget you can stick a pair of 10gig 3850s or 4500x's on top of them as your core with enough ports to connect storage, copper switches etc along with the UCSes. I stamp these out for manufacturing facilities and they come in at about 80k for the core switches, UCS chassis and storage.

Nuclearmonkee fucked around with this message at 19:28 on Jan 16, 2017
# Jan 16, 2017 19:21
psydude posted: Happy Thursday! Your Cisco equipment may die after 18 months in production:

Ughhh, this is literally every ASA I have. Also I just pulled a pair out of the box from CDW and put them in and... code:
# Feb 7, 2017 00:02
n0tqu1tesane posted: Toss your serial numbers in the order spreadsheet, your particular hardware may not have the faulty part, even if the VID matches.

It is. I RMA'd it and sent in my spreadsheet with 52 entries.
# Feb 7, 2017 02:41
Ahdinko posted: How are you guys getting the correct PIDs for your ASA's for this spreadsheet? I know for a fact at least one of them was ordered as an ASA5516-FPWR-BUN, but when I do a "show inventory" it just says the PID is "ASA5516". Same with all my other ones, they all just say "ASA5508" but they must be at least ASA5508-K9 because they all do AES.

I just matched the hardware and the serial in show inventory, cried a little at the size of the list, and hit submit. Aren't all of the different PIDs just mostly license bundles with the base hardware being the same? Unless you are dealing with like the babby ones which can have wireless or whatever inside. Depending on how you are doing licensing it may be a goddamn nightmare for you to migrate them individually from all of the appliances with Cisco though. Worst part for me will be getting firepower back in order afterwards. It takes fuckin forever to go from the 5.4 whatever base they come with to 6.2 and I will need to do it 52 times.
# Feb 8, 2017 18:13
Ahdinko posted: Yeah I think they pretty much are just different licensing bundles. Just figuring out the easiest way to find out what each one has rather than going into every single one and doing a sh act and then logging into each firepower and checking the licence out there. All those firepower licences, sec plus licences, additional anyconnect licences... ughhhhh.

Yeah, it takes about an hour just to get the drat thing ready to begin and then I have to put them all back in the management center and put them in their groups and associate the correct policies and
# Feb 8, 2017 20:56
I would like to run the unified image but they still don't have freaking anyconnect support on there yet. Supposedly coming SOON.
# Feb 9, 2017 18:51
Colonial Air Force posted: Hi, total Cisco newb. What is this? Why won't it just configure easily so I can move on?

It's punishing you for using the ASDM. If you are a total newb, use the thing to generate the commands and then connect to it via ssh/console and put them in so you can see what it is actually doing. ASDM is kind of poo poo for a lot of things. I do use it for live logging and manipulating access lists, but for most things besides that it likes to do bullshit like what you are seeing and break your stuff.

Nuclearmonkee fucked around with this message at 18:51 on Feb 23, 2017
# Feb 23, 2017 18:46
Colonial Air Force posted: Ok.

If you are not doing out of band management w/ the management int you can just use the normal LAN interface for management traffic. If you are using the firepower module it will use the management interface and can be on the same subnet, but you have to actually configure that from within the sfr module. Just put in: code:
# Feb 23, 2017 19:10
GreenNight posted: I'm still waiting on my stack of routers from Cisco that has that bad timing part.

I haven't gotten anything but an automated response as of yet for our pile, though we did have one fail in the manner described and got it RMA'd the normal way. I'll laugh if they are half replaced by the time they actually send me poo poo.
# Mar 31, 2017 16:13
code:
# Apr 11, 2017 22:29
GreenNight posted: So uh, what's the hottest a Cisco switch can be before failure? Getting some alerts from Solarwinds that a switch hit 120F in one of our manufacturing facilities.

A mere 120F? That baby'll be fine. This stupid loving thing sits inside an unventilated metal box in direct sun near a substation out at a plant and has operated like this for several years. Peaks around 160F-ish in August usually. Most access switches will survive way beyond their recommended env ranges and if it's an industrial facility they should have a spare on site anyways. I try to get the plants to install IDFs that are slightly less hostile than this or spring for an IE, but really they'll be fine even if they don't most of the time. I don't even have it alert me at all for temp anymore because what's the point.

Had a 3650 that somebody stuck inside a wall behind some insulation a couple years back because the guys redoing the room didn't care or know what that thing stuck to the old wall was. It sat in the 140s pretty much always. Plant never bothered to relocate it until someone needed to add some drops in the area.
# Jul 11, 2019 23:53
Kazinsal posted: A coworker of mine has a password so long it breaks the TACACS+ process on IOS-XE 16.6.1. Instead of sending "authentication continue" with his password, it sends another "authentication start". Only the one switch in our environment still on 16.6 hits this.

lmao, out of curiosity, how many characters does it take to break it?
# Aug 2, 2019 23:23
Thanks Ants posted: Lots of vendors will throw up warnings about incompatible transceivers.

I just buy ones from FS.com flashed with a legit part number so the switch doesn't complain and so it doesn't show up in tech support diagnostic data giving people an easy way out of your ticket, and then keep a couple of legit ones on hand for troubleshooting if required. Also "service unsupported-transceiver" and "no errdisable detect cause gbic-invalid" are your friends. I've never actually needed to use my Cisco optics, but we also have one of each set just in case TAC tries to wriggle out of providing support.

Nuclearmonkee fucked around with this message at 17:45 on Aug 12, 2019
# Aug 12, 2019 17:43
MF_James posted: Can a cisco device syslog to the same IP twice but on different ports?

code:
# Aug 13, 2019 19:30
howdoesishotweb posted: Not sure if this is the place for this question, since I’m dealing with Cisco software.

It's likely doing split tunneling, so your speed test is just testing your local uplink at home, while the problem is with a lovely connection somewhere between you and the remote machine you are connecting to via VPN, or they are applying some kind of QoS to prevent VPN users from eating too much bandwidth. Your IT guy is giving you the lazy answer to make you go away, doesn't know how it works, or doesn't want to bother the guy who actually knows how it works.

Nuclearmonkee fucked around with this message at 20:45 on Sep 2, 2019
# Sep 2, 2019 20:43
MF_James posted: explicitly marking the port made no change.

lmao, was about to recommend "reboot or rip it all out and put it back to restart the process". ASAs are creaky old bullshit and that works more often than it should. I have to do this with my SNMPv3 configs from time to time when they just stop working and the monitoring server stops being able to poll them. It's a regular enough task that it's now a script.
# Sep 17, 2019 16:44
MF_James posted: I feel dumb for not trying that before but really wtf come on.

To be fair, it could also have been a firmware bug that's hopefully resolved in an update. That would be next on my list if you are 100% confident the config is correct.

On other ASA related awesomeness, I see that the default 5506x configuration still doesn't do management properly over VPN because lmao https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307/?reffering_site=dumpcr

This has been outstanding for literal years. Had to throw one of these out for a one-off remote instrumentation site but forgot about that one until the local guy actually installed it and none of the management would work over the L2L tunnel. Have to delete the BVI and use individual interfaces because "management-access interface " cannot bind to a BVI, which is how they come out of the box. Add the fiasco that is getting firepower to work properly and stay working on top of that and I really am quite annoyed that I have to deal with this crap when there are other NGFWs for comparable cost that are much less of a nightmare to manage.

Nuclearmonkee fucked around with this message at 20:36 on Sep 17, 2019
# Sep 17, 2019 20:28
Thanks Ants posted: Are the Firepower 1000-series poo poo as well, or is it too early to tell?

I have one they gave me to mess with. It's still Firepower but at least there's no ASA in there. You can accomplish almost the same thing with an ASA running the FTD image, though you can't run anything after 6.2 on 5506-x and 08-x, which is still the recommended version anyways so lol. New coat of paint on the turd basically. If you have the budget to buy this, buy something better instead imo. If you are trapped in Cisco land and have a need for a lot of small 5506-x ish sized appliances they are at least better than what came before.

Nuclearmonkee fucked around with this message at 20:57 on Sep 17, 2019
# Sep 17, 2019 20:55
ragzilla posted: Is this some new code that's not FTD? Because FTD is Firepower as hypervisor and an ASA dataplane, so the ASA piece is still in there but all hidden behind the veneer of FMC/FDM.

No, it's still FTD. You just don't have to touch the ASA bits directly.
# Sep 17, 2019 21:54
Tetramin posted: I am losing management access to ASAs all across my network, getting connection refused and pcaps show the ASA resetting the connection. Running iOS 9.6.3.1. I have a case with TAC since the ASA at my office is currently affected and I can serial into this one, but we aren’t getting anywhere. He told me removing the SSH config and re-adding would fix but it didn’t. Rebooting the device resolves until it happens again.

Did you try loving with firmware? I’m on 9.8 train but since it’s ASA I’d try 9.6.4 or something on your local one just to see if it makes a difference.
# Sep 18, 2019 15:26
Tetramin posted: This might not be the correct thread, but we were getting some Orion alerts for high interface usage on one of our ASAs this morning. According to Netflow this is all HOPOPT traffic, which I've been doing a bit of reading on and it seems like it's possible this could be some kind of attack? Or could this be some sort of error with the Netflow gathering?

That's an IP null attack which will show as HOPOPT. https://www.corero.com/resources/glossary.html#IP%20NULL
# Oct 1, 2019 23:47
falz posted: Doesn't it show the protocols and ports?

IP null attack is a flood with null for the protocol in the IP header, which is what HOPOPT legitimately uses.
# Oct 2, 2019 00:28
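The two posts above explain why a NetFlow collector labels a null-protocol flood as "HOPOPT": IANA protocol number 0 is HOPOPT, and a decoder simply prints that name for any flow whose IP protocol field is 0. The following is an added example, not code from the thread, that shows how a defender could confirm the diagnosis from exported flow records instead of guessing. The flow records are constructed (RFC 5737 documentation addresses), and the `share_threshold` and `min_packets` knobs are assumptions to tune against your own baseline.

```python
"""Flag a flood of IP protocol 0 ("HOPOPT" in flow decoders) in flow records.

Added example; not from the forum thread. The records below are constructed,
not a real NetFlow export.
"""
from collections import Counter

# IANA protocol number 0 is HOPOPT (the IPv6 hop-by-hop options header).
# On an IPv4 interface a protocol value of 0 carries no legitimate payload,
# so a burst of such flows almost always means a "null protocol" flood.
HOPOPT = 0

# Constructed NetFlow-style records: (src, dst, protocol, packets, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.5", "198.51.100.10", 6, 120, 96000),     # ordinary TCP
    ("203.0.113.7", "198.51.100.10", 17, 40, 8000),      # ordinary UDP
    ("192.0.2.1", "198.51.100.10", 0, 50000, 2000000),   # protocol 0 flood
    ("192.0.2.2", "198.51.100.10", 0, 48000, 1920000),
    ("192.0.2.3", "198.51.100.10", 0, 47000, 1880000),
    ("203.0.113.9", "198.51.100.10", 1, 10, 600),        # ordinary ICMP
]


def summarize(flows):
    """Return (packets per protocol, packets per source for protocol 0)."""
    by_proto = Counter()
    null_sources = Counter()
    for src, _dst, proto, pkts, _bytes in flows:
        by_proto[proto] += pkts
        if proto == HOPOPT:
            null_sources[src] += pkts
    return by_proto, null_sources


def null_protocol_alert(flows, share_threshold=0.5, min_packets=1000):
    """Alert when protocol 0 carries more than share_threshold of all packets
    in the window and at least min_packets in absolute terms (assumed knobs).

    Returns (alert, share_of_packets, top_three_sources).
    """
    by_proto, null_sources = summarize(flows)
    total = sum(by_proto.values())
    null_pkts = by_proto.get(HOPOPT, 0)
    share = null_pkts / total if total else 0.0
    alert = null_pkts >= min_packets and share > share_threshold
    return alert, share, null_sources.most_common(3)


if __name__ == "__main__":
    alert, share, top = null_protocol_alert(SAMPLE_FLOWS)
    print(f"alert={alert} protocol-0 share={share:.3%} top sources={top}")
```

If the alert fires, the protocol breakdown answers the "could it be a Netflow error" question directly: a collector bug would not concentrate 99% of packets on one protocol number from a handful of sources. The usual mitigation is to drop protocol 0 at the upstream edge (or ask the provider to), since nothing legitimate on an IPv4 interface needs it.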
BaseballPCHiker posted: Here's hopefully a quick question.

code:
# Oct 8, 2019 18:33
I've had sfr fail-open let things through when the module was completely broken and non-functional. I thought that was the whole point of the command. Does it just behave strangely if you have it in fail-open with the module installed but still awaiting setup? Never tried that honestly but it seems silly for it to work that way.
# Oct 18, 2019 19:29
falz posted: I guess I could add a hundred lines to the config to ignore things. Seems weird to me that there's not just a flag like 'log IPS stuff' to turn off, and it's on by default.

This is the answer.

quote: Anyway, ASAs are lame.

Yep
# Dec 2, 2019 14:52
falz posted: I ended up doing this, which got 99% of the cruft, but leaves important stuff like commands that users type. Annoyingly though it shows the command class (enable_15) instead of the username. Oh well.

It does that whenever you use enable. Set priv level 15 for admin users and auto enable on login so they don’t need to enable (which switches executed commands from their user to being run as “enable_15”). If priv level is already set then running “login” instead of enable will let you elevate to 15. Setting ASA to work right with full AAA/logging and fail back to local is a giant pain in the rear end.
# Dec 2, 2019 15:22
Bob Morales posted: We have a Fortinet, but I guess this is a generic networking/failover question:

SD-WAN!

Thanks Ants posted: You should be able to set this up as an SD-WAN target using an HTTP probe to the domain of the cloud application. Just have it check every minute or so, only look for packet loss, set the failure requirement high enough so you aren't flapping the selected path constantly - I assume five minutes of this app being down before the other link is used is a totally acceptable scenario to be in.

Yeah, you build policies for different applications along with policies for the links themselves. If the SD-WAN detects your HTTP probe fails on circuit A, it can just send that traffic over to circuit B. It's path selection on a per application basis, so if application B still worked fine over the crippled link it could keep going that way. The interruption due to things flipping around would only affect the impacted application(s). SD-WAN is real good and if you have any critical poo poo in the or some big horrible WAN with tons of sites you really want it. It makes the functionality you used to get with monstrous weighted track objects linked to IPSLA and PBR something that is manageable by normal humans.
# Aug 26, 2020 23:28
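The last two posts describe the mechanics of SD-WAN path selection: a per-application probe runs every minute, only packet loss counts, and the failure requirement is set high enough (five consecutive minutes in the example) that one bad probe does not flip the path. The simulation below is an added example and is not code from the thread, from Fortinet, or from any SD-WAN product; the probe results, the 20% loss cut-off and the five-probe thresholds are constructed values chosen to show the difference between a damped selector and one that flaps on every failed probe.

```python
"""Simulate per-application SD-WAN path selection with damped HTTP probes.

Added example; not from the forum thread or any vendor. Probe results and
thresholds are constructed to illustrate hysteresis versus flapping.
"""
from dataclasses import dataclass


@dataclass
class PathHealth:
    """Tracks consecutive probe failures and recoveries for one circuit."""
    name: str
    fail_threshold: int      # consecutive failed probes before marked down
    recover_threshold: int   # consecutive good probes before marked up again
    failures: int = 0
    successes: int = 0
    up: bool = True

    def observe(self, loss_pct: float, max_loss: float = 20.0) -> bool:
        """Feed one probe result (packet loss in percent, the only metric the
        post says to look at). Returns True if the up/down state changed."""
        if loss_pct > max_loss:
            self.failures += 1
            self.successes = 0
        else:
            self.successes += 1
            self.failures = 0
        before = self.up
        if self.up and self.failures >= self.fail_threshold:
            self.up = False
        elif not self.up and self.successes >= self.recover_threshold:
            self.up = True
        return before != self.up


def select_path(preferred: PathHealth, backup: PathHealth) -> str:
    """Per-application rule: stay on the preferred circuit while its probe is
    healthy, otherwise move this application's traffic to the backup circuit.
    Other applications keep their own selection, so only this one moves."""
    return preferred.name if preferred.up else backup.name


def run_probes(loss_a, loss_b, fail_threshold=5, recover_threshold=5):
    """Replay one probe result per minute for both circuits and return the
    circuit chosen for the application at each minute."""
    a = PathHealth("circuit-A", fail_threshold, recover_threshold)
    b = PathHealth("circuit-B", fail_threshold, recover_threshold)
    chosen = []
    for la, lb in zip(loss_a, loss_b):
        a.observe(la)
        b.observe(lb)
        chosen.append(select_path(a, b))
    return chosen


# Constructed probe history (percent packet loss per minute). Circuit A has
# a few isolated bad probes, then five straight failures, then recovers.
LOSS_A = [0, 0, 100, 0, 100, 0, 100, 100, 100, 100, 100, 0, 0, 0, 0, 0, 0, 0]
LOSS_B = [0] * len(LOSS_A)

if __name__ == "__main__":
    damped = run_probes(LOSS_A, LOSS_B)            # five-minute requirement
    flappy = run_probes(LOSS_A, LOSS_B, 1, 1)      # react to every probe
    print("damped :", " ".join(p[-1] for p in damped))
    print("flappy :", " ".join(p[-1] for p in flappy))
```

With the five-probe requirement the application moves to circuit B once, at minute 10, and returns at minute 15; with a threshold of one it bounces between circuits seven times over the same history, which is the flapping the post warns about. The separate recovery threshold matters too: without it a single good probe would pull traffic back onto a circuit that is still degraded.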