Karsten Iwen

Member Since: Dec 21, 2006

User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, VPN

Karsten Iwen commented on Hairpinning in Firewalling 14 hours ago

Hairpinning is when traffic enters the ASA on a given interface and also has to leave the ASA on...

Karsten Iwen commented on Cisco SNS 3415 System Status LED is Amber and blinking in AAA, Identity and NAC 18 hours ago

Based on the documentation it's a critical state: http://www.cisco.com/c/en/us/td/docs/security/ise...

Karsten Iwen commented on Cisco ASA 5550 | Multiple External IP's | DMZ Setup in Firewalling 18 hours ago

And as the next step talk to your boss to replace the 5550 against a shiny new 5555-X with...

Karsten Iwen commented on Cisco ASA 5550 | Multiple External IP's | DMZ Setup in Firewalling 18 hours ago

Yes, you configure an access-list where you allow the needed traffic and apply this ACL to the...

Karsten Iwen commented on Cisco ASA 5550 | Multiple External IP's | DMZ Setup in Firewalling 19 hours ago

You have to configure your NAT inside of an object:
  object network blackboard
   host 192.168.210.15
  ...

Karsten Iwen commented on Monitoring ASA from Zabbix behind the site-to-site in VPN 21 hours ago

Try "debug snmp", perhaps something meaningful shows up ...

Karsten Iwen commented on Anyconnect License in HA Pair confusion in Firewalling 1 day ago

Hi Marvin, I've never tried it myself, but I've heard that there can't be multiple VPN-Only...

Karsten Iwen commented on Monitoring ASA from Zabbix behind the site-to-site in VPN 1 day ago

I just see that you have configured your "snmp-server" with the "trap" keyword. That means that...

Karsten Iwen commented on Monitoring ASA from Zabbix behind the site-to-site in VPN 1 day ago

you need to configure the following command on the ASA: management-access inside

Karsten Iwen commented on ssh config in ASA in Firewalling 1 day ago

Here for the general SSH-config: Guide to better SSH-Security And then you allow only access from...

Karsten Iwen commented on IKEv1 IPsecOverNatT in VPN 3 days ago

Meraki MX doesn't support IPsec over TCP and NAT-T is very likely already enabled. I don't think...

Karsten Iwen commented on DHCP Server on ASA in Firewalling 3 days ago

How are your WLAN interfaces and your pools configured?

Karsten Iwen commented on Managing SSH Public keys on IOS devices in AAA, Identity and NAC 3 days ago

I'm not aware of an "elegant" way to scale that. A customer handles it in a way that all keys are...

Karsten Iwen commented on Upgrade the Firepower module in Firewalling 1 week ago

I would completely reinstall the module with the desired new version. After that you can reapply...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 week ago

You configure a VLAN and assign that VLAN to one of the switchports. With that you have an...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 week ago

There is no general config for that. It depends on many factors of your environment like routing,...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 week ago

Yes, that will work. You can also use one of the LAN-ports of a 881 as an additional WAN-port if...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 week ago

891/881 will work, I assume that the RV also can do that, but I'm not sure for that device.

Karsten Iwen commented on ASA 5505 two internet gateways in Firewalling 1 week ago

You configure the primary IP block on your interface. For the second block you need to configure...

Karsten Iwen commented on Two WAN Connectivity use in one router (Urgent) in WAN, Routing and Switching 1 week ago

Ideally one that has a minimum of three Ethernet-ports and is fast enough for your needs. Without...

Karsten Iwen commented on Cisco ASA Create ACL for DNS in Firewalling 1 week ago

  object-group network DNS-SERVER
   host 208.67.222.222
   host 208.67.220.220
  !
  object-group service DNS-...

Karsten Iwen commented on ASA dynamic crypto role initiator / responder problem in VPN 1 week ago

Yes, the ASA is only the responder if configured with a dynamic crypto map.

Karsten Iwen commented on ASA dynamic crypto role initiator / responder problem in VPN 1 week ago

Do you have a static IP on the Branch/Meraki side? Then you can configure it as a static crypto map...

Karsten Iwen commented on NAT policy to L2L tunnel in VPN 1 week ago

Your NAT-rule doesn't match the traffic from the internal device:
  object network PC
   host 192.168.1.1...

Karsten Iwen commented on Cisco ASA 5516-X Licenses in VPN 1 week ago

6.2.1? Great news!!! That was the last showstopper for some of my deployments ... (And thanks for...

Karsten Iwen commented on ASA anyconnect issue with public pool in VPN 1 week ago

Well, I have no idea why a network is built in a way like this ... But to make it work, the ISP (or...

Karsten Iwen commented on Distribute Traffic among the dual WAN Connections in Firewalling 1 week ago

You can use PBR (Policy-Based Routing) to achieve that: http://www.cisco.com/c/en/us/td/docs/...

Karsten Iwen commented on Cisco ASA logs view in Other Security Subjects 1 week ago

The ASDM is not the right tool for long-time analysis of events. You have to setup a syslog server...

Karsten Iwen commented on Cisco ASA 5516-X Licenses in VPN 1 week ago

You don't need any extra license. But you can't do any remote-access VPNs with your box as that is...

Karsten Iwen commented on ASA anyconnect issue with public pool in VPN 1 week ago

Things are easier when the ASA has the public IP on its outside interface. But it still should...

Karsten Iwen commented on PIX vs ASA in Firewalling 1 week ago

PIX 6.3 and an ASA are very different systems. You should do a clean installation of the ASA. But...

Karsten Iwen commented on Is in ISE Virtualization is possible with 2 different box? in AAA, Identity and NAC 1 week ago

Not sure what you mean, but you can build a two-node deployment with two physical, one physical and...

Karsten Iwen commented on Anyconnect migration from 5520 to new 5545-X in Firewalling 1 week ago

You got it from your CA when you ordered your certificate. If you don't find it, login to your CA-...

Karsten Iwen commented on Anyconnect migration from 5520 to new 5545-X in Firewalling 1 week ago

1) You need the certificate with private key. 2) Yes, these names can be different. 3) You...

Karsten Iwen commented on ASA 5505 - ACL Flow on Same Security VLANs in Firewalling 1 week ago

No, it is initiated then from the Users-VLAN. When the first packet enters the ASA it does that on...

Karsten Iwen commented on ASA 5505 - ACL Flow on Same Security VLANs in Firewalling 1 week ago

Yes, because that is the direction of the initial connection. But you could also apply this ACL (...

Karsten Iwen commented on Cisco IOS SSL VPN cannot access LAN in Remote Access 1 week ago

Well, for NAT it depends ... If you are using Split-tunnel, then there won't be any traffic flowing...

Karsten Iwen commented on Erased dir on new ASA 5585 in Firewalling 1 week ago

So, I accidentally erased the entire directory on a new Cisco ASA 5585-A-SSP-60 (don't ask). Why...

Karsten Iwen commented on ASA 5505 - ACL Flow on Same Security VLANs in Firewalling 1 week ago

The filter has to be applied in the direction of the initiating packet. That is either: outgoing on...

Karsten Iwen commented on ASDM Strange Values under Standard ACL in Firewalling 1 week ago

There are ASDM-versions that are not displaying everything correctly. I lately observed that with 7...

Karsten Iwen commented on Cisco IOS SSL VPN cannot access LAN in Remote Access 1 week ago

Does your network route the VPN-Pool to this router? Is your Split-Tunnel (if used) configured to...

Karsten Iwen commented on cam overflow attack mitigation in Other Security Subjects 1 week ago

Just think about how/if your endpoints (MAC addresses) move in your network and change the location...

Karsten Iwen commented on Crypto key? in Other Security Subjects 1 week ago

You don't need it for SSH. But you probably have enabled the "ip http secure-server". With that, a...

Karsten Iwen commented on Crypto key? in Other Security Subjects 1 week ago

With "crypto key generate ..." you tell the router to generate a public/private keypair. You...

Karsten Iwen commented on crypto key bit length ? in LAN, Switching and Routing 1 week ago

Many publications recommend a minimum of 2048 bit. (One good resource is https://www.keylength.com...

Karsten Iwen commented on ssh weak mac algorithms enabled cisco in LAN, Switching and Routing 1 week ago

You can configure the devices to use specific ciphers: https://supportforums.cisco.com/document/...

Karsten Iwen commented on DTLS 1.0 vs TLS 1.0 vulnerability in VPN 1 week ago

DTLS 1.0 is comparable to TLS1.1, not TLS1.0. Although DTLS 1.2 is standardized for quite some time...

Karsten Iwen commented on Security Plus License Needed in Other Security Subjects 2 weeks ago

You can buy one from your preferred Cisco reseller. The order code is L-ASA5505-SEC-PL. But I think...

Karsten Iwen commented on Configuration example for Anyconnect to IOS router using IPSec IKE, not SSL in VPN 2 weeks ago

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvp...

Karsten Iwen commented on SSH access to ASA for vulnerability scan. in Firewalling 2 weeks ago

For a vulnerability scan my answer would also be "no". But perhaps they plan a config-audit (sand...

Bio

I started my work in IT in about 1995/1996 as a freelance trainer and consultant with a focus on networking, Novell NetWare and Microsoft BackOffice. In 2001 I started teaching Cisco classes at Global Knowledge in Germany. Since 2003 I have again been a freelancer with a strong focus on security technologies and infrastructure.
And yes, you can hire me for your security projects and security workshops. ;-)

User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Mobile App Contributor August 2012
  • Cisco Designated VIP, 2017 Firewalling, VPN
  • Cisco Designated VIP, 2016 Firewalling, VPN
  • Cisco Designated VIP, 2015 Security
  • Cisco Designated VIP, 2014 Security
  • Cisco Designated VIP, 2013 Security

Karsten Iwen's Stats

  • Points: 7615
  • Discussions started: 18
  • Answers marked as Correct: 995
  • Endorsed: 39
  • Content Rated: 98