Karsten Iwen

Member Since: Dec 21, 2006

Karsten Iwen commented on Create a firewall on a 2821 router in Firewalling 16 hours ago

Quoting is not that easy on the forum (at least I also haven't figured out an easy way). I normally...

Karsten Iwen commented on Create a firewall on a 2821 router in Firewalling 18 hours ago

You still have an ACL 103 on the inside interface which is not in your config. Remove that or...

Karsten Iwen commented on Which new cisco switches are the replacement for the old Cat-3650 in LAN, Switching and Routing 1 day ago

The Catalyst 3650 is still up to date: http://www.cisco.com/c/en/us/products/switches/catalyst-3650...

Karsten Iwen commented on Create a firewall on a 2821 router in Firewalling 1 day ago

Your ACL 103 controls what you are allowed to send out. This is only ICMP but no DNS, no web-...

Karsten Iwen commented on EIGRP named Unicast in LAN, Switching and Routing 4 days ago

You don't really say what you are referring to exactly. So just a guess: You see the keyword "...

Karsten Iwen commented on Port Forwarding based on FQDN - Cisco ASA 5512 in Firewalling 5 days ago

There are a couple of choices here: As already mentioned, give both of them a unique public IP...

Karsten Iwen commented on Create a firewall on a 2821 router in Firewalling 5 days ago

The easiest way to configure a firewall on your router is to use CBAC: ip inspect name FW tcp...

Karsten Iwen commented on ASA5505 Flash limitations and AnyConnect in VPN 1 week ago

Although not officially supported, I upgraded a couple of 5505s with old 512MB and 1GB CF cards....

Karsten Iwen commented on ASA 5506 dont have switch ports in Firewalling 1 week ago

Rule of Thumb: If the data-sheet does not mention that there are switchports, then the device has...

Karsten Iwen commented on Security-association lifetime in VPN 2 weeks ago

The first one changes the default for all your VPNs, the second only for the peer that is...

Karsten Iwen commented on ASA 5506-X in Firewalling 2 weeks ago

The easiest is with the following command from config-mode: asa (config)# configure factory-default

Karsten Iwen commented on I don't understand why this design ? in LAN, Switching and Routing 2 weeks ago

If the firewalls only have routed ports, there would be no way to establish an any-to-any...

Karsten Iwen commented on ASA 5505, possible to add an access point to 1 of the ports as a trunk? in Firewalling 2 weeks ago

That can be done. But your ASA needs to have the Security Plus License to build a trunk.

Karsten Iwen commented on IPSEC in Transport mode : What am I missing? in WAN, Routing and Switching 2 weeks ago

> We see two IP headers, we see outer IP header's IP payload is encrypted. What is the second...

Karsten Iwen commented on IPSEC in Transport mode : What am I missing? in WAN, Routing and Switching 2 weeks ago

Not always. When using VTIs (that are tunnel-interfaces with profiles), it also has to be tunnel-...

Karsten Iwen commented on ASA 5525x Portchannel 2 or 4 Ports in Firewalling 2 weeks ago

Yes, I'm talking about 5525 (or 5508/5516). It's a tradeoff between functionality and throughput....

Karsten Iwen commented on ASA 5525x Portchannel 2 or 4 Ports in Firewalling 2 weeks ago

I don't think that it's useful to bundle more than two ports in a single channel. This is what I...

Karsten Iwen commented on IPSEC in Transport mode : What am I missing? in WAN, Routing and Switching 2 weeks ago

You can't use transport mode in this situation. You need two IP-headers here: One for the end-tp-...

Karsten Iwen commented on *URGENT* SSH default port change, and access from WAN in WAN, Routing and Switching 2 weeks ago

You don't need UDP for that. Are you sure that there is no deny above these lines? For a test move...

Karsten Iwen commented on *URGENT* SSH default port change, and access from WAN in WAN, Routing and Switching 2 weeks ago

Have you allowed TCP/2222 on the outside ACL?

Karsten Iwen commented on NAT on ASA in WAN, Routing and Switching 2 weeks ago

For sure you can. This is a typical configuration where the Firewall is connected to the core-...

Karsten Iwen commented on Site to site VPN in VPN 2 weeks ago

What does packet-tracer tell you for that traffic?

Karsten Iwen commented on Site to site VPN in VPN 2 weeks ago

Yes, both ASAs need to know that this traffic should not be translated.

Karsten Iwen commented on Site to site VPN in VPN 2 weeks ago

Well, deactivate proxy-arp for that identity NAT. As the warning mentions, it's typically not...

Karsten Iwen commented on Is it possible to perform NAT on reserved IPs in WAN, Routing and Switching 3 weeks ago

Should be possible but never be done. By definition these APIPA-addresses are not for communication...

Karsten Iwen commented on Is it possible to perform NAT on reserved IPs in WAN, Routing and Switching 3 weeks ago

What do you mean with reserved addresses? In general, a NAT implementation should not care what...

Karsten Iwen commented on Can we use PBR in ASA version 8.2 in Firewalling 3 weeks ago

Your legacy ASA doesn't support PBR. You need an -X model for PBR-support.

Karsten Iwen commented on NAT 9.4(1) in Firewalling 3 weeks ago

Unless you have configured something really strange, you need a matching ACL-line because you...

Karsten Iwen commented on NAT 9.4(1) in Firewalling 3 weeks ago

At least, it's far too complex. This is how it can work: object network SERVER host 192.168.3.10...

Karsten Iwen commented on Downgrade ASA 9.2(4) to ASA 8.4(7) in Firewalling 3 weeks ago

It depends on your config if it's that easy as the syntax changes for some commands from version to...

Karsten Iwen commented on ASA 5512X licensing in Firewalling 3 weeks ago

A 5512-X with Base license can't be part of a HA-system. SecurityPlus is needed on both to build HA...

Karsten Iwen commented on ASA in Firewalling 3 weeks ago

In addition to the already mentioned NAT-misconfiguration, it could also be a missing ICMP-...

Karsten Iwen commented on Anyconnect to Meraki MX in VPN 4 weeks ago

No, that doesn't work. You can use the native clients of different OS or third-party-clients that...

Karsten Iwen commented on catalyst switches SSH Weak MAC Algorithms in Other Security Subjects 4 weeks ago

You need IOS 15.5(2) for that. With the older releases it was not yet possible: https://...

Karsten Iwen commented on ASA in Firewalling 4 weeks ago

By default all new rules are appended to the end of the ACL. But you can provide a line-number if...

Karsten Iwen commented on Site-to-Site VPN without IPSEC on ASA? in VPN 1 month ago

Is it just about showing that one transmission is clear text and the other is encrypted? Then you...

Karsten Iwen commented on Question regarding ASA Upgrade Path 8.0(5) to 9.1.7(9) in Firewalling 1 month ago

The automatic migration is not producing optimal code when the NAT config is slightly more complex...

Karsten Iwen commented on Is it possible to use dual hub dual cloud DMVPN in Phase 1? in VPN 1 month ago

The Hubs don't need four interfaces in that case, One per ISP is enough. You end up with the...

Karsten Iwen commented on Is it possible to use dual hub dual cloud DMVPN in Phase 1? in VPN 1 month ago

Well, you could run it with four tunnels to have maximum redundancy. But that also adds much...

Karsten Iwen commented on Is it possible to use dual hub dual cloud DMVPN in Phase 1? in VPN 1 month ago

In this scenario you use two tunnel-interfaces on your spoke. Each tunnel is p2p and is pointing to...

Karsten Iwen commented on ACL with time-range not working in LAN, Switching and Routing 1 month ago

You specified the ports 80 and 443 as source-ports, but you have to specify them as destination...

Karsten Iwen commented on Issues with site-to-site VPN between ASA and Router in LAN, Switching and Routing 1 month ago

On the router you have ip in the crypto ACL while the ASA has tcp and ICMP. Both should use ip to...

Karsten Iwen commented on AnyConnect automatic logon in VPN 1 month ago

Not sure about Windows, but perhaps you could build a workflow with OpenConnect: http://www....

Karsten Iwen commented on 2811 IOS availability in LAN, Switching and Routing 1 month ago

For most of the Cisco devices you need a valid service contract to download software. And if you...

Karsten Iwen commented on CPT 6.1.1 ASA5505 NAT from a subnet different from the connected interface in WAN, Routing and Switching 1 month ago

For sure! If you can, then summarize all your internal networks to have less routes in your config.

Karsten Iwen commented on Tacacs on Alternate Port in WAN, Routing and Switching 1 month ago

You are using the legacy config. Try the new config-style: core1(config)#tacacs server ISE1core1(...

Karsten Iwen commented on Upgrade ASA5510 to latest available software in Firewalling 1 month ago

The information how to upgrade is always outlined in the release notes. You have to upgrade first...

Karsten Iwen commented on CPT 6.1.1 ASA5505 NAT from a subnet different from the connected interface in WAN, Routing and Switching 1 month ago

The NAT should work. If the outside laptop sees the internal IP I would think that it is related to...

Karsten Iwen commented on Question regarding ASA Upgrade Path 8.0(5) to 9.1.7(9) in Firewalling 1 month ago

The first statement is/was kind of true (although the example is mostly wrong) when you add a "...

Karsten Iwen commented on ISE 2.0 cisco press book in AAA, Identity and NAC 1 month ago

You got a chance to review the third book? No, and with ISE 2.1 available it's probably not...

Bio

I started my work in IT around 1995/1996 as a freelance trainer and consultant with a focus on networking, Novell NetWare and Microsoft BackOffice. In 2001 I started teaching Cisco classes at Global Knowledge in Germany. Since 2003 I have again been a freelancer with a strong focus on security technologies and infrastructure.
And yes, you can hire me for your security-projects and security-workshops. ;-)

  • Cisco Designated VIP: 2016 Firewalling, VPN
  • Cisco Designated VIP: 2015 Security
  • Cisco Designated VIP: 2014 Security
  • Cisco Designated VIP: 2013 Security
  • Community Spotlight Award: Mobile App Contributor August 2012

Karsten Iwen's Stats

Points 6726
Discussion started 18
Answers marked as Correct 892
Endorsed 33
Content Rated 96