Karsten Iwen

Member Since: Dec 21, 2006

Karsten Iwen commented on FlexVPN over AT&T Switched Ethernet in VPN 3 days ago

FlexVPN is based on IPsec which runs over IP => If your circuit can run IP, then you can run...

Karsten Iwen commented on Problems installing Firepower software on ASA in Intrusion Prevention Systems/IDS 4 days ago

> I am running 9.8(1) on the ASA

Are you using the latest interim-release? At least there was a...

Karsten Iwen commented on Problems installing Firepower software on ASA in Intrusion Prevention Systems/IDS 4 days ago

At least that is not how it should behave. I imaged plenty of modules directly with 6.2 and it...

Karsten Iwen commented on Problems installing Firepower software on ASA in Intrusion Prevention Systems/IDS 5 days ago

1) Which ASA version are you running? You need at least 9.5(2) for Firepower 6.2 and I would go...

Karsten Iwen commented on Firepower Threat Defense 6.2.2 in Firewalling 1 week ago

Yes: When it's ready ... ;-) (I'm also eagerly waiting, but as a long-time Debian user I learned to...

Karsten Iwen commented on Why is NAT needed between interfaces. in Firewalling 1 week ago

With that given NAT command you can't access the internal device without an additional static NAT....

Karsten Iwen commented on Why is NAT needed between interfaces. in Firewalling 1 week ago

NAT is not required and in situations like these normally not used. Did you configure "same-...

Karsten Iwen commented on permanently disable IPS module in an ASA in Intrusion Prevention Systems/IDS 1 week ago

I'm with Marvin here, after each reboot the module starts up again. But it doesn't cause any harm...

Karsten Iwen commented on object-group ACL issues in WAN, Routing and Switching 1 week ago

No, the object-group with the services is located correctly where normally the protocol is...

Karsten Iwen commented on Cisco VPN 3030 Concentrator in VPN 1 week ago

I don't remember what it was, I replaced my last concentrator nearly ten years ago ... I only...

Karsten Iwen commented on ASA Trustpoint config in VPN 1 week ago

You can look at the certificate with "show crypto ca certificate". But anyhow, if you export it on...

Karsten Iwen commented on ASA 5505 won't route traffic although packet-tracer shows all is well. in LAN, Switching and Routing 2 weeks ago

ok ... What about local firewalls on the PC? That would be a typical reason for this not to work....

Karsten Iwen commented on ASA 5505 won't route traffic although packet-tracer shows all is well. in LAN, Switching and Routing 2 weeks ago

What do you mean by "Hosts have the local interface of the router configured as default gateways...

Karsten Iwen commented on ASA Trustpoint config in VPN 2 weeks ago

The clients need to trust the VPN-Server. Is the certificate in ASDM_TrustPoint1 on the 5510 a self...

Karsten Iwen commented on Cisco VPN 3030 Concentrator in VPN 2 weeks ago

This device was not meant to work as a router although it was possible with some tweaks. But more...

Karsten Iwen commented on Decrypt Type 5 password in WAN, Routing and Switching 2 weeks ago

In addition to the practical hints of Mark and Georg we should look at some background information...

Karsten Iwen commented on two ISP links active Active Configuration in Firewalling 2 weeks ago

You don't need the update to use both ISPs. But if you want to configure some sort of outbound load...

Karsten Iwen commented on ASA 5520 with version 8.2(5) SHA-256 on ikeV1 in VPN 2 weeks ago

And remember that your ASA version has reached end of SW-Maintenance. You are putting your company...

Karsten Iwen commented on ASA 5520 with version 8.2(5) SHA-256 on ikeV1 in VPN 2 weeks ago

You have to move to IKEv2 if you want to use more modern crypto on the ASA. There you could use the...

Karsten Iwen commented on Cisco IPS sensor weak cipher in Intrusion Prevention Systems/IDS 2 weeks ago

You are running a software from October 2013 and RC4 was still quite common at that time. I don't...

Karsten Iwen commented on DHCP release in Firewalling 2 weeks ago

The "ip helper" feature is named "dhcprelay" on the ASA: http://www.cisco.com/c/en/us/td/docs/...

Karsten Iwen commented on Security license installation - Cisco 3845 router in LAN, Switching and Routing 2 weeks ago

> I suppose an AX bundle will include IP Base + AX + Security.

Yes, the AX bundle includes...

Karsten Iwen commented on Security license installation - Cisco 3845 router in LAN, Switching and Routing 2 weeks ago

There is not much to upgrade on that device. Yes, there is a slightly newer IOS available (15.1....

Karsten Iwen commented on What does the port say Router?? in LAN, Switching and Routing 2 weeks ago

The port is your SVI, and that is a routed interface => Router.

Karsten Iwen commented on The difference between FWSM on C6509 and ASA?? in LAN, Switching and Routing 2 weeks ago

A reason to have both? You already took the outdated FWSM out of service but lost the filler plate...

Karsten Iwen commented on Firepower FPR 4100 FXOS upgrade Failure in Firewalling 2 weeks ago

Just a guess: Are you upgrading from an older release? Then you have to do some interim-steps: http...

Karsten Iwen commented on What does the port say Router?? in LAN, Switching and Routing 2 weeks ago

Yes, if you look at the mac-address of an end-system, you see the port that is used to reach that...

Karsten Iwen commented on What does the port say Router?? in LAN, Switching and Routing 2 weeks ago

This output depends on the platform you are using. If a mac-address belongs to the router/switch...

Karsten Iwen commented on Anyconnect 4.X Using ISE device only in VPN 2 weeks ago

No, the ISE is an AAA server and can't act as a VPN-Gateway. For that you still have to use a...

Karsten Iwen commented on ASA5510 under constant TCP SYN attack in Firewalling 2 weeks ago

There is not that much that you can do here and "ip verify reverse-path" can't help as your default...

Karsten Iwen commented on Anyconnect 4.X Using ISE device only in VPN 2 weeks ago

What do you mean by "using ISE only"? In general: For using AnyConnect you need the right license...

Karsten Iwen commented on Issues with hyper-v VMs on ASA 5506 in Web Security 2 weeks ago

First make sure that you upgrade to the suggested ASA release (I would use the newest 9.6 interims-...

Karsten Iwen commented on Cannot apply policies after FMC upgrade in Intrusion Prevention Systems/IDS 2 weeks ago

Were you using 5.4 before that? I think you just missed the changed workflow on the 6.0+ FMC. There...

Karsten Iwen commented on Does Cisco ASA 5506 asa scan pptp traffic in VPN 3 weeks ago

Not related to your original question, but still important: You should not use PPTP any longer....

Karsten Iwen commented on SSH Restricted Source IP in Remote Access 3 weeks ago

Your ACL is wrong. It has to be: permit tcp host xxx.xxx.xxx.1 any eq 22

Karsten Iwen commented on IPsec in VPN 3 weeks ago

Also important to mention: Practically, AH is non-existent in VPNs; only ESP is used today. But...

Karsten Iwen commented on DMVPN SPOKE BEHIND ISP ROUTER PERFORMING STATIC NAT in VPN 3 weeks ago

> You also need to allow ESP protocol as well.

ESP doesn't need to be allowed. In a NAT/PAT...

Karsten Iwen commented on DMVPN SPOKE BEHIND ISP ROUTER PERFORMING STATIC NAT in VPN 3 weeks ago

Your above mentioned command is not needed as NAT-T is enabled by default in IOS. Do a "debug...
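The NAT-T point made in the two comments above (the NAT/PAT device never has to permit IP protocol 50, because with NAT-T the ESP packets travel inside UDP 4500), as an added example that is not part of the thread and not Cisco code: a small Python classifier that tells apart the datagram types a PAT device sees on UDP 500 and 4500, following RFC 3948 / RFC 7296 framing (a lone 0xFF byte is a NAT-keepalive, four zero bytes as "non-ESP marker" precede an IKE header on 4500, and anything else on 4500 is an ESP header whose SPI is never zero). All sample packets are constructed for this example; the names `classify`, `required_permits`, `build_ike_header` and `SAMPLE_PACKETS` are mine, not from the thread.

```python
"""Classify what a NAT/PAT device sees from an IPsec peer that uses NAT-T.

Added example (not from the forum thread, not Cisco code). Framing follows
RFC 3948 / RFC 7296: on UDP 4500 a lone 0xFF byte is a NAT-keepalive, four
zero bytes (the "non-ESP marker") precede an IKE header, and anything else is
UDP-encapsulated ESP. An ESP SPI of 0 is reserved, which is exactly why the
zero marker can be used to tell IKE and ESP apart on the same port. On UDP 500
the payload is a raw IKE message. All sample packets are constructed here.
"""
import struct

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# IKEv2 header: iSPI, rSPI, next payload, version, exchange, flags, msg id, length (28 bytes)
IKE_HDR = struct.Struct("!QQBBBBII")


def build_ike_header(ispi, rspi, exchange, msgid, flags=0x08, next_payload=33):
    """Constructed 28-byte IKEv2 header (version byte 0x20 = 2.0); length covers header only."""
    return IKE_HDR.pack(ispi, rspi, next_payload, 0x20, exchange, flags, msgid, IKE_HDR.size)


def _parse_ike(data, kind):
    if len(data) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    ispi, rspi, _nxt, ver, exch, flags, msgid, length = IKE_HDR.unpack_from(data)
    return {"kind": kind, "ispi": ispi, "rspi": rspi,
            "version": f"{ver >> 4}.{ver & 0x0F}", "exchange": exch,
            "initiator": bool(flags & 0x08), "msgid": msgid, "length": length}


def classify(dst_port, payload):
    """Return a dict describing one UDP datagram as the NAT device sees it."""
    if dst_port == IKE_PORT:
        return _parse_ike(payload, "IKE/udp500")
    if dst_port != NATT_PORT:
        return {"kind": "other", "note": f"udp/{dst_port} is neither IKE nor NAT-T"}
    if payload == NAT_KEEPALIVE:
        return {"kind": "NAT-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        # Four zero bytes cannot be an ESP SPI, so this must be IKE on 4500.
        return _parse_ike(payload[len(NON_ESP_MARKER):], "IKE/udp4500")
    if len(payload) < 8:
        raise ValueError("too short for an ESP header (SPI + sequence number)")
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "ESP-in-UDP", "spi": spi, "seq": seq}


def required_permits(packets):
    """Protocol/port pairs the NAT device must pass for this traffic.

    No entry for IP protocol 50 (native ESP) ever appears: with NAT-T the ESP
    packets are carried inside UDP 4500, so UDP 500 and UDP 4500 are all that
    the NAT/PAT device has to handle."""
    return sorted({f"udp/{port}" for port, _ in packets})


# Constructed sample exchange: IKE_SA_INIT on 500, then (after NAT detection)
# IKE_AUTH and data on 4500, plus a keepalive. Exchange types: 34 = IKE_SA_INIT, 35 = IKE_AUTH.
SAMPLE_PACKETS = [
    (IKE_PORT, build_ike_header(0x1122334455667788, 0, 34, 0)),
    (NATT_PORT, NON_ESP_MARKER + build_ike_header(0x1122334455667788, 0x8877665544332211, 35, 1)),
    (NATT_PORT, struct.pack("!II", 0xDEADBEEF, 7) + bytes(16)),  # 16 dummy ciphertext bytes
    (NATT_PORT, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_PACKETS:
        print(port, classify(port, payload))
    print("NAT device must permit:", required_permits(SAMPLE_PACKETS))
```

Running the block prints the four classifications and the permit list, which contains only `udp/500` and `udp/4500`. Feeding a real capture through `classify` would need the UDP header to be parsed first; here the destination port and UDP payload are passed in directly to keep the framing rules visible.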

Karsten Iwen commented on ASA5515 Firewall setup on the same Physical switch in LAN, Switching and Routing 3 weeks ago

Don't do that! Never connect the internet and your internal resources on the same switch. Use...

Karsten Iwen commented on Enable login local in ASA 5520 in WAN, Routing and Switching 3 weeks ago

For enabling SSH, I wrote a document some time ago: https://supportforums.cisco.com/document/...

Karsten Iwen commented on Obfuscate password in CLI interface in VPN 4 weeks ago

I'm not sure if that will be possible, but what about migrating your AnyConnect-Client to use...

Karsten Iwen commented on ASA Unable to configure service on port 22, on interface 'Outside in LAN, Switching and Routing 4 weeks ago

You probably have already a port-forwarding for tcp/22 configured. Then the same port can't be used...

Karsten Iwen commented on Traffic encryption in LAN, Switching and Routing 4 weeks ago

In situations like these, I would go for MACsec where the switches do the link-encryption. This can...

Karsten Iwen commented on Closing Unused ports on my ASA in Firewalling 4 weeks ago

Are you running your tests from within a firewalled network? Repeat the test from a PC that is...

Karsten Iwen commented on ASA 5506-X license for Site to Site VPN and Failover in VPN 4 weeks ago

Be careful, on the 5506 you get redundancy, but not what the typical customer expects from High-...

Karsten Iwen commented on Cisco WLC 2504 HA (N+1) in Getting Started with Wireless 4 weeks ago

You could use Cisco prime for configuration which sends the config to both controllers. Today, I...

Karsten Iwen commented on Firepower NTP Temporal Anomaly in Firewalling 4 weeks ago

NTP always communicates the time as UTC without any DST-information. The summertime has to be...

Karsten Iwen commented on Site-to-Site VPN in VPN 4 weeks ago

Little (but relevant) typo: It has to read "two phase 2 SAs per crypto ACE". There could be more...

Karsten Iwen commented on Cisco web Security WSA-S190-K9 Deploy Validated design and Guide in Web Security 1 month ago

Here is a design Guide for the WSA: http://www.cisco.com/web/products/security/docs/web-security-...

Karsten Iwen commented on Cisco Email Security C190 Deploy Validated design and Guide in Email Security 1 month ago

First go through the Cisco Design Guide. If there are any more questions, just come back ... http...

Bio

I started working in IT around 1995/1996 as a freelance trainer and consultant with a focus on networking, Novell NetWare and Microsoft BackOffice. In 2001 I started teaching Cisco classes at Global Knowledge in Germany. Since 2003 I have again been a freelancer with a strong focus on security technologies and infrastructure.
And yes, you can hire me for your security-projects and security-workshops. ;-)

User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Mobile App Contributor August 2012
  • Cisco Designated VIP, 2017 Firewalling, VPN
  • Cisco Designated VIP, 2016 Firewalling, VPN
  • Cisco Designated VIP, 2015 Security
  • Cisco Designated VIP, 2014 Security
  • Cisco Designated VIP, 2013 Security

Karsten Iwen's Stats

Points 7827
Discussions started 18
Answers marked as Correct 1016
Endorsed 41
Content Rated 101