Karsten Iwen

Member Since: Dec 21, 2006

User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP, 2017 Firewalling, VPN

Karsten Iwen commented on 4321 Router in LAN, Switching and Routing 7 hours ago

If you are running a CBAC-firewall on the router, you have to migrate to ZBF. And if you use Cloud...

Karsten Iwen commented on Site-to-Site VPN in VPN 2 days ago

This is the relevant part: #pkts encaps: 1657, #pkts encrypt: 1657, #pkts digest: 1657#pkts decaps...

Karsten Iwen commented on two ISP links active Active Configuration in Firewalling 1 week ago

You really should upgrade your ASA (at least if you care about security ...) Yes, you have multiple...

Karsten Iwen commented on VPN on a stick or Hairpinning question - two different services on port 443 in LAN, Switching and Routing 1 week ago

You don't have to configure the IP as secondary on the interface. Just configure your NAT-rules (1:...

Karsten Iwen commented on VPN on a stick or Hairpinning question - two different services on port 443 in LAN, Switching and Routing 1 week ago

If you have two public IPs, then terminate the VPN on the interface-IP of the router and use the...

Karsten Iwen commented on ASA 5505 base licences in Firewalling 1 week ago

You can connect multiple internal VLANs through the ASA to the internet. But there are some things...

Karsten Iwen commented on tunnel-group mapping in Firewalling 2 weeks ago

The easiest way is to configure a group-URL inside the tunnel group. The user enters this tunnel-...

Karsten Iwen commented on Dual DMVPN with ASA in WAN, Routing and Switching 3 weeks ago

As always: It depends ... Do you want to protect the routers? Then install the firewalls in front...

Karsten Iwen commented on Certificate authority supported by Cisco ASA 5505 and VPN delay. in VPN 3 weeks ago

Any CA that you want to use. There are no preconfigured you have to configure all settings based on...

Karsten Iwen commented on Active / standby firewalls with dual ISP design in Firewalling 3 weeks ago

Using two independent switches is perfectly fine. You don't need a switch stack. With independent...

Karsten Iwen commented on aaa authorization ssh-certificate in AAA, Identity and NAC 3 weeks ago

Using certificate-based authentication/authorization with SSH is still quite uncommon, typically...

Karsten Iwen commented on DNS and DHCP on ASA in Firewalling 3 weeks ago

The ASA can be the DHCP-server in your network, but not a DNS-server or forwarder. But that's not...

Karsten Iwen commented on What would be better choose: C2S or S2S VPN? in VPN 3 weeks ago

You better use S2S VPNs when you need to control/manage the whole network where the remote users...

Karsten Iwen commented on Cisco ISE 2.1 increase memory utilization day by day in AAA, Identity and NAC 4 weeks ago

Is there a particular reason that you are not running the latest patch?

Karsten Iwen commented on How an attacker spoof the source ip address in Firewalling 4 weeks ago

Without any special countermeasures, a routing device will not even look at the source address and...

Karsten Iwen commented on How an attacker spoof the source ip address in Firewalling 4 weeks ago

"Not routable" means that a private IP as the destination address will never find the way to the...

Karsten Iwen commented on Can you change the timeout settings on the ports on the Cisco ASA 5585? in Firewalling 1 month ago

Default is 1h for TCP traffic, you can't configure that per access-rule. You have to configure it...

Karsten Iwen commented on Can you change the timeout settings on the ports on the Cisco ASA 5585? in Firewalling 1 month ago

Are you talking about connection-timeouts? That can be done with MPF.

Karsten Iwen commented on The VPN server is not enabled in VPN 1 month ago

The name of the public interface is "outside" by default, but it doesn't have to be that name. On...

Karsten Iwen commented on The VPN server is not enabled in VPN 1 month ago

Your config is missing the following: webvpn enable outside replace "outside" with the name of the...

Karsten Iwen commented on CLOCK SIGNAL ISSUE in ISR4431/K9 in Security and Network Management 1 month ago

Then you have to take the device under warranty (if possible). Ask a Cisco Partner for a quote:...

Karsten Iwen commented on CLOCK SIGNAL ISSUE in ISR4431/K9 in Security and Network Management 1 month ago

Download Replacement Product Order Spreadsheet from http://www.cisco.com/c/en/us/support/web/clock-...

Karsten Iwen commented on How an attacker spoof the source ip address in Firewalling 1 month ago

In a perfect world I would agree, but it seems that at least some ISPs don't follow these best...

Karsten Iwen commented on ASA CX module down state in Firewalling 1 month ago

I remember something from a long time ago where I had a similar malfunction. After removing the SSD...

Karsten Iwen commented on Meraki MDM Licence part codes? in Security and Network Management 1 month ago

This promotion was stopped some time ago. You get the first month free with full support, but the...

Karsten Iwen commented on Is it still safe to use Ikev1 VPNs? in VPN 1 month ago

If you implement your VPNs in a correct way with strong crypto, it's very likely that your VPNs...

Karsten Iwen commented on Network 10.1.1.0/31 in WAN, Routing and Switching 1 month ago

In addition to what Georg explained, you can read more about it in RFC 3021 where this is defined.

Karsten Iwen commented on Moving to SSH version 2 from compatible mode - Do i need to re-generate keys? in AAA, Identity and NAC 1 month ago

Here is a guide for enabling SSH: https://supportforums.cisco.com/document/12338141/guide-better-...

Karsten Iwen commented on Two subnets on ASA5510 in Firewalling 1 month ago

What problems should those be? And you should better upgrade to the newest 9.1(7) interim version.

Karsten Iwen commented on Two subnets on ASA5510 in Firewalling 1 month ago

And not to forget "arp permit-nonconnected" which is needed in this scenario.

Karsten Iwen commented on IOS ACL to restrict DNS except to OpenDNS in Other Security Subjects 1 month ago

It's also important for big DNS-answers. Here are two very good documents on that: https://tools....

Karsten Iwen commented on invalid key in VPN pre share key in VPN 1 month ago

I'm not aware of the Small-Business-line. But at least the IOS-based devices and also the Cisco...

Karsten Iwen commented on invalid key in VPN pre share key in VPN 1 month ago

It's quite common that VPN-devices have unsupported characters for the PSK. To make it worse,...

Karsten Iwen commented on IOS ACL to restrict DNS except to OpenDNS in Other Security Subjects 1 month ago

OpenDNS is 208.67.222.222 and 208.67.220.220 when using IPv4. Make sure to also allow TCP/53 in...

Karsten Iwen commented on Setup ASa and firepower in Firewalling 1 month ago

Here is a starting document: http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/...

Karsten Iwen commented on Capture Ike Phase 1 packets in Firewalling 1 month ago

With that capture you could miss some of the Phase1-packets depending on the infrastructure and...

Karsten Iwen commented on ASA - switchport voice VLAN in Firewalling 1 month ago

No, that's not supported. And there is also no CDP to signal the voice-vlan to the phone. But you...

Karsten Iwen commented on Security Plus license required for VLAN trunking on ASA 5506-X? in Firewalling 1 month ago

It is supported in the base license. The Base-restrictions are relaxed compared to the 5505.

Karsten Iwen commented on How to allow Only https to communicate with the Office web server in Other Security Subjects 1 month ago

The highlighted line allows SQL from the whole internet to your internal server which is always a...

Karsten Iwen commented on Dmz in Firewalling 1 month ago

This is not that easy to answer as it can get quite complex ... Please start by reading some...

Karsten Iwen commented on ASA vpn forward between tunnels in VPN 1 month ago

Take a look at the following document: https://supportforums.cisco.com/document/12015091/cisco-asa-...

Karsten Iwen commented on Upgrade from ASA 5520 to ASA 5508-X in Firewalling 1 month ago

If you were on a quite recent release on the 5520, then you can take the config and just replace...

Karsten Iwen commented on Multi-context ASA use of admin context in Firewalling 1 month ago

You can use it as a "normal" traffic passing context. You just shouldn't give it to a context-...

Karsten Iwen commented on ASA firewall failover in LAN, Switching and Routing 1 month ago

The active unit will always have the IP 192.168.0.1, regardless if that is the primary or the...

Karsten Iwen commented on ISE GUI Access in AAA, Identity and NAC 1 month ago

If you can't even ping it, you have to troubleshoot the network-settings of the VM. The ISE needs...

Karsten Iwen commented on ISE GUI Access in AAA, Identity and NAC 1 month ago

You can access the GUI with your browser (Firefox or Chrome preferred) with https://fqdn-of-your-...

Karsten Iwen commented on Split DNS in Firewalling 1 month ago

It is not supported on the ASA. You have to use an external device (like a server or an IOS router...

Karsten Iwen commented on Encryption-3DES-AES disabled on Cisco 5510 in Firewalling 1 month ago

You need to write a mail to [email protected] and ask them for a combined license.

Karsten Iwen commented on Per domain forward for DNS in LAN, Switching and Routing 1 month ago

You can configure that on IOS. Here is an example that I use for branch-offices with local internet...

Karsten Iwen commented on Nat from Public IP to Internal Server using Custom TCP Port in Firewalling 1 month ago

On the legacy ASA it's the static-command to do the NAT. The ACL has to reference the translated (...

Bio

I started my work in IT at about 1995/1996 as a freelance trainer and consultant with a focus on networking, Novell NetWare and Microsoft BackOffice. In 2001 I started teaching Cisco classes at Global Knowledge in Germany. Since 2003 I'm again a freelancer with a strong focus on security technologies and infrastructure.
And yes, you can hire me for your security-projects and security-workshops. ;-)

User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Mobile App Contributor August 2012
  • Cisco Designated VIP, 2017 Firewalling, VPN
  • Cisco Designated VIP, 2016 Firewalling, VPN
  • Cisco Designated VIP, 2015 Security
  • Cisco Designated VIP, 2014 Security
  • Cisco Designated VIP, 2013 Security

Karsten Iwen's Stats

Points: 7743
Discussions started: 18
Answers marked as Correct: 1005
Endorsed: 39
Content Rated: 99