Karsten Iwen

Member Since: Dec 21, 2006

Karsten Iwen commented on IPSec/GRE and NAT(PAT) is it possible? in VPN 4 hours ago

Yes it is possible. Make sure that both VPN-endpoints have NAT-Traversal (NAT-T) enabled.

Karsten Iwen commented on Network Encryption in LAN, Switching and Routing 5 hours ago

If you want to achieve line-rate performance, it should be implemented in the switches. For the VPN...

Karsten Iwen commented on how do I set ssh access on a Cisco 350XG in LAN, Switching and Routing 8 hours ago

Here is some more info on activating SSH in IOS: Guide to better SSH-Security

Karsten Iwen commented on Full mesh VPN with ASA in Firewalling 1 day ago

Yes you can, but it's the wrong tool for this task. On the ASA, all VPNs have to be configured...

Karsten Iwen commented on v9.4 static policy-nat for VPN in Firewalling 1 day ago

An example could be that you want to exempt all traffic from NAT that uses private addresses. There...

Karsten Iwen commented on v9.4 static policy-nat for VPN in Firewalling 1 day ago

If each Local/Global pair has its own translation, then you need one NAT-entry for each element. ...

Karsten Iwen commented on Do Cisco ASA 5555-x supports GRE tunnel ? in VPN 1 day ago

As already mentioned, there is no GRE-tunnel. But the newest ASA software has IPsec-tunnel-...

Karsten Iwen commented on CLustering in ASA5508-x in Firewalling 1 day ago

It's documented in the config-guide. As you can see, there is failover (without any extra license...

Karsten Iwen commented on Cisco ASA 5510 IP redirect in Firewalling 3 days ago

Do you still have the inside global configured? global (inside) 1 interface

Karsten Iwen commented on Cisco ASA 5510 IP redirect in Firewalling 3 days ago

what is the result of packet tracer: packet-tracer input inside tcp IP-OF-AN-INTERNAL-PC 1234...

Karsten Iwen commented on Cisco ASA 5510 IP redirect in Firewalling 3 days ago

The error is there because the netmask doesn't match the PUBLICIP. It should work with static (...

Karsten Iwen commented on Cisco ASA 5510 IP redirect in Firewalling 3 days ago

> being an IP surely there would be no dns lookup? no, you now have to access the server by...

Karsten Iwen commented on asdm ASA 5505 in Firewalling 3 days ago

You can't just use "any" port. You have to use a port that is in the right VLAN and has IP-...

Karsten Iwen commented on Cisco ASA 5510 IP redirect in Firewalling 4 days ago

Does the server have its own public IP? Then you can use DNS-doctoring instead of using NAT: static (...

Karsten Iwen commented on Recommendation needed for more professional home network equipment in Getting Started with LANs 4 days ago

Have you looked at the Small-Business devices from Cisco? They are typically also a good choice...

Karsten Iwen commented on 2960x ssh denied in LAN, Switching and Routing 6 days ago

You don't need a domain name if you configure SSH correctly: https://supportforums.cisco.com/...

Karsten Iwen commented on Some qestion in details in WAN, Routing and Switching 1 week ago

I expect to  answers their own view And this is not how community forums actually work. But of...

Karsten Iwen commented on IPsec SA Freezing after a couple of weeks in VPN 1 week ago

I had a similar problem shortly (after running without any problem for a longer time). Upgrading to...

Karsten Iwen commented on Cannot Ping from inside to outside - Config Attached in Firewalling 1 week ago

Not related to your problem ... access-list 101 extended permit icmp any any source-quench Don't...

Karsten Iwen commented on Connecting Cisco ASA to 2 internet lines - best practice in Firewalling 1 week ago

You don't need the upstream tracking here. That is done automatically by the ISP-routers. The...

Karsten Iwen commented on ASA5515 9.4 port forward help in Firewalling 1 week ago

If you first add the new line and then remove the old one, no user should notice it. But...

Karsten Iwen commented on ASA5515 9.4 port forward help in Firewalling 1 week ago

this one is wrong: nat (any,outside) source dynamic NETWORK_OBJ_10.20.0.0_16 interface replace it...

Karsten Iwen commented on Preserving local database on ASA Firewall in AAA, Identity and NAC 1 week ago

It can't work as they are only shown as "*****" ...

Karsten Iwen commented on ASA certificate management in Firewalling 1 week ago

Just look if the trustpoint is applied somewhere in the config. It's likely that the trustpoint is...

Karsten Iwen commented on ASA5515 9.4 port forward help in Firewalling 1 week ago

Do you have a dynamic NAT statement in section 1? These statements should go to section 3. Can you...

Karsten Iwen commented on ASA5515 9.4 port forward help in Firewalling 1 week ago

And what is the (complete) result of the packet-tracer?

Karsten Iwen commented on ASA5515 9.4 port forward help in Firewalling 1 week ago

Your config looks good. But the packet-tracer-simulation is wrong. You have to use: packet-tracer...

Karsten Iwen commented on Network Encryption in LAN, Switching and Routing 1 week ago

Look for devices that support MACsec (802.1AE). This is a standard, but be aware that there are...

Karsten Iwen commented on multiple default route in ASA in Firewalling 1 week ago

I'm not sure what you really want to achieve, but it's very likely that PBR is the solution.

Karsten Iwen commented on Preserving local database on ASA Firewall in AAA, Identity and NAC 1 week ago

You only have to copy all the "username" commands to the new ASA. That's all.

Karsten Iwen commented on Connecting Cisco ASA to 2 internet lines - best practice in Firewalling 1 week ago

Mini-switch with stacking? Don't think so ... ;-)

Karsten Iwen commented on Connecting Cisco ASA to 2 internet lines - best practice in Firewalling 1 week ago

You can also configure it the following way: two mini-switches connected to each other Connect...

Karsten Iwen commented on ASA 5505 or 5506-x with Security Plus License? in Firewalling 1 week ago

OpenDNS knows much about malicious systems on the internet and when a user asks for something...

Karsten Iwen commented on Cisco ASA alternate Part query for HA in Firewalling 1 week ago

The question is: What exactly is faulty? The ASA or the IPS module? If it's the ASA, then the...

Karsten Iwen commented on Flexible Authentication Order, Priority Cisco ISE in AAA, Identity and NAC 1 week ago

Start with reading the following document. It will give you some good examples: Flexible...

Karsten Iwen commented on SSH ( secure shelling ) in LAN, Switching and Routing 1 week ago

Here is a guide for configuring SSH: Guide to better SSH-Security

Karsten Iwen commented on ASA 5505 or 5506-x with Security Plus License? in Firewalling 2 weeks ago

Well, Cisco has no free offering for home-use ... (*) With the free software, these typically don't...

Karsten Iwen commented on ASA 5505 or 5506-x with Security Plus License? in Firewalling 2 weeks ago

I think it's not only Cisco. For up-to-date protection, you need permanent feedback from the vendor...

Karsten Iwen commented on algorithm-type scrypt? in LAN, Switching and Routing 2 weeks ago

By default, passwords are hashed with MD5 which is not very resistant against brute force attacks...

Karsten Iwen commented on ASA 5505 or 5506-x with Security Plus License? in Firewalling 2 weeks ago

The switchport limitations were removed with the newest release, but if you want to use your...

Karsten Iwen commented on SSH Connectivity to 809 in LAN, Switching and Routing 2 weeks ago

ok, but that's not NAT. That's pure IP routing ... ;-)

Karsten Iwen commented on SSH Connectivity to 809 in LAN, Switching and Routing 2 weeks ago

Ok, then it's obviously not a wrong NAT-config on the 809. Try the following: (I assume that the...

Karsten Iwen commented on Recommendation needed for more professional home network equipment in Getting Started with LANs 2 weeks ago

For this situation, I would prefer the Meraki MR33 over the 1830 because of the ease of use. And...

Karsten Iwen commented on SSH Connectivity to 809 in LAN, Switching and Routing 2 weeks ago

Here is some info on the general SSH-setup: Guide to better SSH-Security Your problem could be...

Karsten Iwen commented on Cisco Router Throuput in WAN, Routing and Switching 2 weeks ago

As suggested by Joseph, the ISR 4k would also be my choice. But perhaps you will also need the HSEC...

Karsten Iwen commented on Show hit count for each line in an Object-Group? in WAN, Routing and Switching 2 weeks ago

You are talking about ACLs on an IOS router? I'm not aware of any command that shows these...

Karsten Iwen commented on Anyconnect plus subscripción or perpetual in VPN 2 weeks ago

I don't know how many users I have that can connect, local users + ad users... That's a problem...

Karsten Iwen commented on Anyconnect plus subscripción or perpetual in VPN 2 weeks ago

You count the users, not the system. The licensing is (at least at the moment) based on a trust-...

Karsten Iwen commented on Anyconnect plus subscripción or perpetual in VPN 2 weeks ago

Licensing is independent of the way users are authenticated. It doesn't matter if you use RADIUS,...

Karsten Iwen commented on Question about the crypto pki command in LAN, Switching and Routing 2 weeks ago

As far as I remember, that's a behavior of older (very old?) IOS versions. But if it's a new device...

Bio

I started working in IT around 1995/1996 as a freelance trainer and consultant with a focus on networking, Novell NetWare and Microsoft Backoffice. In 2001 I started teaching Cisco classes at Global Knowledge in Germany. Since 2003 I have again been a freelancer with a strong focus on security technologies and infrastructure.
And yes, you can hire me for your security-projects and security-workshops. ;-)








  • Cisco Designated VIP: 2017 Firewalling, VPN
  • Cisco Designated VIP: 2016 Firewalling, VPN
  • Cisco Designated VIP: 2015 Security
  • Cisco Designated VIP: 2014 Security
  • Cisco Designated VIP: 2013 Security
  • Community Spotlight Award: Mobile App Contributor August 2012









Karsten Iwen's Stats

Points 7358
Discussion started 18
Answers marked as Correct 970
Endorsed 37
Content Rated 97