Hello,   I wanted to get some clarification on the supported signatures for the 4260. I understand that the 4260 is no longer supported and to upgrade to the ASA55xx-x with IPS/IDS module. We are planning to upgrade sometime this year but our customer, in the mean time, wanted to know if we can enhance the security posture of the 4260's until the upgrade happens. According to the following link 7.1(11) is supported for new signatures but the 4260 is not: https://www.cisco.com/c/dam/en_us/about/security/ips/eos-faq-ips-signature-service.pdf If we upgrade our 4260 to 7.1(11) can we ingest the newer signatures or are the signatures device based and not IOS based? I just want to make sure I understand it correctly so that I can pass along the correct information.   Thanks ... View more

Hello, I am in need to verify that I have configured our ipsec tunnel to be FIPS compliant. Here is a sample that I created to make sure I am good: crypto ipsec ikev2 ipsec-proposal testing  protocol esp encryption aes-256 aes-192  protocol esp integrity sha-512 sha-384 sha-256 crypto ipsec ikev2 ipsec-proposal testing2  protocol esp encryption aes-256 aes-192  protocol esp integrity sha-512 sha-384 sha-256 I read the following document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2176.pdf I am not sure if I am reading it correctly but didn't know if I could get some sort of consensus with the pros. Thanks ... View more

Hello, I saw that they revised the security notice for the SNMP vulnerability and listed the fixed software. I saw that 9.6.1(11) fixes this vulnerability but I only see (10) listed in the software downloads. I also noticed that Cisco has 9.6(2) released as of 8/24 but was curious if that version remedies the SNMP vulnerability as well. I reviewed the release notes and there is no mention of the SNMP vulnerability, at least that I can find. Can someone confirm that 9.6(2) fixes the SNMP vulnerability? Thanks ... View more

Hello, We have users logging into our webVPN site and I have configured a bookmark that leads to our internal web server that provides other hyper links to other internal web servers that show status of our products. So there are 5 hyperlinks on our web server that my bookmark leads to. 3 out of the 5 hyperlinks work as they lead to other URL's on different web servers. However, the other 2 links come back with an error message stating that the server is unavailable. As I combed through the logs I noticed that the hyperlinks that do not work are trying to access with certain TCP ports. The link, when tested on the inside host without going through the VPN, looks like this: https://<hostname>.gov:40000/ops/display. When I looked at the logs the firewall seems to strip the TCP out of the URL so it looked like this: https://<hostname>.gov//ops/display. The other links that work do not need to redirect to another TCP port as they are still using 443 (https). How would I successfully make the other 2 links functional if they need to redirect to another TCP port? Has anyone come across something similar? Thanks ... View more

Hello, We have a requirement to generate CSR's for our ACS 5.6 appliance and then upload the new certificate once it gets assigned to us. I was able to do this for the administrative web UI with no issues but getting the new certificate to load on the CIMC web UI is not working properly. I clicked on the link to Generate New Certificate Signing Request and was able to receive a CA certificate from our vendor. Every time I try to browse to the certificate and upload the file it comes back stating Certificate upload failed. Not sure what the issue is and was wondering if anyone else has had this problem before. Any help would be greatly appreciated. ... View more

Hello,   Is it possible for our security team to security scan all hosts on the network if they are using 802.1x authentication? I am trying to ensure that we can meet security scanning requirements and still use the 802.1x port-based authentication function. If not the other alternative is to use port security for end hosts. Any help/advice would be greatly appreciated.   Thanks ... View more

Hello,   I am currently planning on implementation of 4360 IDS system that will not be inline but monitoring the data VLAN on a switch. Someone asked me if I was going to create a blacklist and a whitelist for the IDS. Would that even be worth creating such lists if the device is not going to be inline with data flows? And they also stated that Cisco, when they push out new IPS/IDS signatures, that they have a default blacklist/whitelist within the code of the signatures. Is that correct?   Thanks ... View more

Hello, We had an instance where a piece of equipment failed that was connected to our 6509 switch. When we replaced the unit with same make and model, the device could not ping outside the VLAN. We performed a sh arp and then a sh mac-address-table | i <mac>. The MAC address was from the original unit, so we did a clear arp-cache and then a clear mac-address-table dynamic interface <int #>. The switch still showed the original mac address and not the new one. We have a Catalyst 3750 hanging off of the 6509, the 3750 can't ping it as well until we do a clear arp-cache. Once we do that, the 3750 can ping the spare device but not the 6509. After troubleshooting some more, we did a clear ip arp on the 6509 and then we were able to ping the new device. But when you do a show ip arp and a show arp, it looks like the same table. So our question is, what is the difference between the clear arp and clear ip arp? And would adjusting the arp timeout work in this case or should we just perform a clear ip arp whenever a device goes down when we replace it? Thanks ... View more