Karsten Iwen

Member Since: Dec 21, 2006

User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP, 2017 Firewalling, VPN

Karsten Iwen commented on DNS issue open port 53 udp in Firewalling 3 days ago

Can you show the resulting config? And you activated your DNS-view on the dialer. Typically these...

Karsten Iwen commented on DNS issue open port 53 udp in Firewalling 4 days ago

(syntax corrected) Have you removed the ACL-lines that allowed the DNS-traffic in? That also needs...

Karsten Iwen commented on DNS issue open port 53 udp in Firewalling 4 days ago

ip inspect name xx tcp
The router will only inspect traffic that flows *through* the router, but...

Karsten Iwen commented on No IPv6 Commands Cisco 2821XM in IPv6 Integration and Transition 4 days ago

If I remember right, you need at least the "Advanced IP Services" Image for IPv6 on the ISR G1.

Karsten Iwen commented on Do I need to lockdown a router only used for VPN? in VPN 4 days ago

Locking it down with an ACL is the least complex and easiest way. I would always do that as a...

Karsten Iwen commented on How do I know whether IronPort is using SHA-1 or SHA-2 certificates? in Email Security 4 days ago

You can check a certificate with sslyze: https://github.com/nabla-c0d3/sslyze sslyze --regular --...

Karsten Iwen commented on DNS issue open port 53 udp in Firewalling 5 days ago

OK, here are some changes to the firewall-setup:
ip inspect name xx tcp router-traffic
ip inspect...

Karsten Iwen commented on active/standby asa with dual ISP connections in Firewalling 5 days ago

You are right with your assumptions. You don't need to have standby IPs, although the detection of...

Karsten Iwen commented on Cisco ASA: communication between VLAN's in LAN, Switching and Routing 5 days ago

The default VLAN seems to be a transfer network between the ASA and the L3-switch and you shouldn't...

Karsten Iwen commented on DNS issue open port 53 udp in Firewalling 5 days ago

Your mentioned ACL-line is for allowing return-traffic for queries that are initiated from inside. ...

Karsten Iwen commented on ISE - Firepower pxGrid licensing in AAA, Identity and NAC 5 days ago

You need the same amount of PLUS licenses as you have base licenses. This is from the ordering-...

Karsten Iwen commented on active/standby asa with dual ISP connections in Firewalling 5 days ago

The private addresses are only examples here. Typically you configure your two outside interfaces...

Karsten Iwen commented on 5505 to 5506-X Upgrade License Question in Firewalling 5 days ago

If you have AnyConnect 4 Licenses for your ASA 5505, then you can use these also with your next ASA...

Karsten Iwen commented on Do I need to lockdown a router only used for VPN? in VPN 5 days ago

As always, it depends ... When assuming that your crypto-ACL has a form of "permit ip BRANCH-NETWOK...

Karsten Iwen commented on DHCP Security/Risk Concerns in Other Security Subjects 6 days ago

If you keep up-to-date with vulnerabilities for your routers and switches and have a good device...

Karsten Iwen commented on DHCP Security/Risk Concerns in Other Security Subjects 6 days ago

Every running service is a security risk. But somewhere it has to run and in Branch-offices it is...

Karsten Iwen commented on SSL VPN Certificate on ASA 5550 firewall in VPN 6 days ago

Yes, it has to be a failure. That is how certificates work and the Pen-testers will be aware of...

Karsten Iwen commented on VPN License Issue in VPN 6 days ago

You don't need any additional licenses for Site-to-Site VPNs. That's included in the base feature...

Karsten Iwen commented on SSL VPN Certificate on ASA 5550 firewall in VPN 6 days ago

It works as designed. As you only have the FQDN in the certificate, that's all that is trusted by...

Karsten Iwen commented on ASA 5506 Basic - only 254 leases in Firewalling 1 week ago

That is a limitation of the ASA: The size of the address pool is limited to 256 addresses per pool...

Karsten Iwen commented on Reload Cisco Router in WAN, Routing and Switching 4 weeks ago

Have you tried updating the IOS? These are often software-problems.

Karsten Iwen commented on Clients can't reach a DHCP server behind ASA in Firewalling 4 weeks ago

Assuming the interface-names are what they are saying, you have to do it the other way round:...

Karsten Iwen commented on Clients can't reach a DHCP server behind ASA in Firewalling 4 weeks ago

You have to configure DHCP-relay on the firewall. For that you specify on which interface and IP...

Karsten Iwen commented on asa 5506 inside port configuration in Firewalling 4 weeks ago

It's very likely that this problem is just an ASDM-problem. Configure it from the CLI and it will...

Karsten Iwen commented on range command not working in Cisco ASA network object in Firewalling 1 month ago

ASA Version 8.3(1) was the worst that I ever used. I would first upgrade to a more recent version...

Karsten Iwen commented on Time-based user access in AAA, Identity and NAC 1 month ago

I would:
  • Implement this restriction on the AAA-server
  • Rethink my security-strategy if that is really...

Karsten Iwen commented on Restoring running-config from a Cisco ASA 5510 to a Cisco ASA 5512 in Firewalling 1 month ago

Although the NAT-config is migrated automatically, I always configure it completely new from...

Karsten Iwen commented on Hairpinning in Firewalling 1 month ago

Hairpinning is when traffic enters the ASA on a given interface and also has to leave the ASA on...

Karsten Iwen commented on Cisco SNS 3415 System Status LED is Amber and blinking in AAA, Identity and NAC 1 month ago

Based on the documentation it's a critical state: http://www.cisco.com/c/en/us/td/docs/security/ise...

Karsten Iwen commented on Cisco ASA 5550 | Multiple External IP's | DMZ Setup in Firewalling 1 month ago

And as the next step talk to your boss to replace the 5550 against a shiny new 5555-X with...

Karsten Iwen commented on Cisco ASA 5550 | Multiple External IP's | DMZ Setup in Firewalling 1 month ago

Yes, you configure an access-list where you allow the needed traffic and apply this ACL to the...

Karsten Iwen commented on Cisco ASA 5550 | Multiple External IP's | DMZ Setup in Firewalling 1 month ago

You have to configure your NAT inside of an object:
object network blackboard
 host 192.168.210.15
 ...

Karsten Iwen commented on Monitoring ASA from Zabbix behind the site-to-site in VPN 1 month ago

Try "debug snmp", perhaps something meaningful shows up ...

Karsten Iwen commented on Anyconnect License in HA Pair confusion in Firewalling 1 month ago

Hi Marvin, I've never tried it myself, but I've heard that there can't be multiple VPN-Only...

Karsten Iwen commented on Monitoring ASA from Zabbix behind the site-to-site in VPN 1 month ago

I just see that you have configured your "snmp-server" with the "trap" keyword. That means that...

Karsten Iwen commented on Monitoring ASA from Zabbix behind the site-to-site in VPN 1 month ago

You need to configure the following command on the ASA: management-access inside

Karsten Iwen commented on ssh config in ASA in Firewalling 1 month ago

Here for the general SSH-config: Guide to better SSH-Security And then you allow only access from...

Karsten Iwen commented on IKEv1 IPsecOverNatT in VPN 1 month ago

Meraki MX doesn't support IPsec over TCP and NAT-T is very likely already enabled. I don't think...

Karsten Iwen commented on DHCP Server on ASA in Firewalling 1 month ago

How are your WLAN interfaces and your pools configured?

Karsten Iwen commented on Managing SSH Public keys on IOS devices in AAA, Identity and NAC 1 month ago

I'm not aware of an "elegant" way to scale that. A customer handles it in a way that all keys are...

Karsten Iwen commented on Upgrade the Firepower module in Firewalling 1 month ago

I would completely reinstall the module with the desired new version. After that you can reapply...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 month ago

You configure a VLAN and assign that VLAN to one of the switchports. With that you have an...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 month ago

There is no general config for that. It depends on many factors of your environment like routing,...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 month ago

Yes, that will work. You can also use one of the LAN-ports of a 881 as an additional WAN-port if...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 month ago

891/881 will work, I assume that the RV also can do that, but I'm not sure for that device.

Karsten Iwen commented on ASA 5505 two internet gateways in Firewalling 1 month ago

You configure the primary IP block on your interface. For the second block you need to configure...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 month ago

Ideally one that has a minimum of three Ethernet-ports and is fast enough for your needs. Without...

Karsten Iwen commented on Cisco ASA Create ACL for DNS in Firewalling 1 month ago

object-group network DNS-SERVER
 host 208.67.222.222
 host 208.67.220.220
!
object-group service DNS-...

Karsten Iwen commented on ASA dymaic crypto role intiator / responder problem in VPN 1 month ago

Yes, the ASA is only the responder if configured with a dynamic crypto map.

Karsten Iwen commented on ASA dymaic crypto role intiator / responder problem in VPN 1 month ago

Do you have a static IP on the Branch/Meraki side? Then you can configure it as a static crypto map...

Bio

I started my work in IT around 1995/1996 as a freelance trainer and consultant with a focus on networking, Novell NetWare and Microsoft BackOffice. In 2001 I started teaching Cisco classes at Global Knowledge in Germany. Since 2003 I have again been a freelancer with a strong focus on security technologies and infrastructure.
And yes, you can hire me for your security-projects and security-workshops. ;-)

User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Mobile App Contributor August 2012
  • Cisco Designated VIP, 2017 Firewalling, VPN
  • Cisco Designated VIP, 2016 Firewalling, VPN
  • Cisco Designated VIP, 2015 Security
  • Cisco Designated VIP, 2014 Security
  • Cisco Designated VIP, 2013 Security
