Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About lfkentwell
08-18-2017
Stats
Member since
02-29-2012
19
Posts
0
Helpful
0
Solutions
Created by
lfkentwell
in Email Security
in Email Security
10-02-2012
10:13 PM
10-02-2012
10:13 PM
I have setup an Ironport with TLS in prefered mode. If I telnet to the device and issue starttls it returns go ahead with tls which I take as a good sign. What I want to do it fully test it by actually sending an email via telnet over TLS. Can anyone suggest how to achieve this.
... View more
Labels:
Created by
lfkentwell
in Email Security
in Email Security
09-19-2012
03:13 PM
09-19-2012
03:13 PM
Yes I eneded up looking at that but to be honest wasnt sure if that would work or not. If it doest then great.
... View more
Created by
lfkentwell
in Email Security
in Email Security
09-18-2012
08:09 PM
09-18-2012
08:09 PM
I want to setup a content filter that does a certain action but I want the condition to be if the message came from an email address in a list of source addresses. I seem to only be able to apply one. I really dont want to have to create 200 condition statments just to match someone in a list or addresses. Cant use an LDAP becuase these are incoming addresses so they dont appear in my LDAP Any idea?
... View more
Labels:
Created by
lfkentwell
in Email Security
in Email Security
09-10-2012
11:27 PM
09-10-2012
11:27 PM
I know the Ironport cluster is not like your traditional cluster where you have a VIP and redundant hardware to ensure seamless failover should a device fail. Im keen to hear then how others have achieved a Highly available state for incoming emails to 2 or more Ironport appliances with seamless redundancy.
... View more
Labels:
09-10-2012
07:45 PM
I know it is recomended to give an ironport ESA a public IP on a dedicated interface to take advantge of the reputation checking etc. I believe this is so it recieves the email frmo the original sender IP and if you put a relay between the Ironport and the original sender you break this. I know there is some things you can turn on in this case but my question is if I NAT from an external IP to the ironports internal IP this shouldnt loose the feature becuase the origin IP doesnt change and the connection is still direct to the ironport, not via a relay. Is this correct? Will i loose any functionality if I NAT the Ironport? Reason im asking is I dont have a free IP to give just to the Ironport but have others I can reuse since SMTP is not in use on these IP's.
... View more
Labels:
09-09-2012
07:37 PM
Can anyone help with what is probably a simple question. I will be pointing an ASA to use an RSA server fro 2 factor login using SDI. THere will be a primary and a replica (for redundancy) RSA server. Normally if you where pointing a windows machine to RSA you copy the sdconf.rec which tells the windows box there are 2 RSA servers to use if one is not available. WHen conifuring ASA to use RSA via SDI you dont copy a sdconf.rec I know when you first authenticate a nodesecret file is created on the ASA. my question is if you dont copy an sdconf.rec to tell the ASA there is a backup RSA server how do i tell the ASA there is a backup? Do i create 2 SDI servers in the asa config? Does the nodesecret which is automatically created tell the ASA there is a backup RSA server? Thanks.
... View more
Labels:
09-03-2012
03:36 PM
I built an ironport appliance recently, had ot all owrking fine was able to connect to managment interface etc. Then it was put back in its box and shipped to a Data Centre where is was installed but was not able to reach it on the managment. Plugged in a serial connection and I got this __NOTSET__> has there been a hardware failure possibly?
... View more
Labels:
08-02-2012
03:12 PM
Great that explains it thanks. From what im reading about ASA WCCP implemntation the client and the "proxy" have to both be reachable on the same interface as WCCP. You cant redirect the request to a "proxy" that might be sitting on a DMZ of another interface, is that correct? In this case what if the "proxy" is on another vlan that is still on the same interface, is that ok? What if the "proxy" is on another subnet, maybe even a different location. Is it still ok provided that is reached via the same interface the original request was recieved on? Also one more thing I read that there has to be a rule permitting the traffic for WCCP to intercept it. IS that correct? So that would mean if I want to recirect all traffic from host A out to te internet then not only do I have to put an ACL in the WCCP to redirect traffic from that host but there must also be a rule saying Host A on ANY port has a permit tot he internet? That seems risky to me, if your "proxy" goes down wont it just thne allow the traffic out? I would not want that. Thanks.
... View more
08-01-2012
07:36 PM
Can someone help clarrify some things. I read that WCCP is supposed to support failover. I want to WCCP redirect some web traffic to a proxy. If that proxy is not avvailable the I want to redirect it to another "backup" proxy but when looking at the WCCP settings in ASDM and the cli commands I dont see where yuo configure a second address to redirect to. How does this failover actually work?
... View more
Labels:
Created by
lfkentwell
in Intrusion Prevention and Detection Systems (IPS - IDS)
in Intrusion Prevention and Detection Systems (IPS - IDS)
07-24-2012
11:22 PM
07-24-2012
11:22 PM
I want to log into my IPS using my existing RSA SecurID using Radius. Is it possible to use a Radius attribute in the RSA to tell the IPS what privillege\role the user is? The idea is I dont create users on the IPS, if a user tries to logon it authenticates them via radius running on the RSA server and if the user is allowed to log onto that clietn IP (the IPS) then it will allow them to logon but also pass a message back to the IPS to say this person has full admin access. Is that possible using an attribute? ANy guidance would be great.
... View more
Labels:
04-17-2012
03:21 PM
Not sure if this is the right are but here it goes. I have a ACS server which uses a RSA server to perform authentication. I want to test a 2nd RSA server with the same ACS server but as far as I can tell I can only have one RSA server as an external DB. Is there a way to create 2 seperate RSA servers?
... View more
Labels:
04-11-2012
08:30 PM
I have a question. Users connect to ipsec VPN terminating on my ASA. Downstream from the ASA is another firewall and downstream of that is my DNS server. The admin of the firewall in the "middle" will not allow the IP's in the Pool assigned to the VPN users access through to perform DNS queries. If he allows the ASA access to perform DNS can I use the ASA as a DNS proxy\relay for the VPN clients? If not any other ideas other than getting the firewall admin to open up his firewall. Thanks.
... View more
Labels:
03-06-2012
03:26 PM
Awesome that helps. One last question. Assumig I dont want to restric them incoming I want them to be able to access any host inside my network. Do I need to create a rule or anykind to allow this incomign access or does the ASA just allow it? Thanks,
... View more
03-06-2012
01:14 PM
I have a pretty simple question. I am practicing my VPN client on an ASA setup. I've got a succesful tunnel running between a VPN client on a windows machine and even from an iPad.Now that I can establish a tunnel do i need rules to actually allow and restrict traffic? Can someone advise on what i need to do if I wanted to allow ping and http traffic only inbound ? Thanks.
... View more
Labels:
Created by
lfkentwell
in VPN and AnyConnect
in VPN and AnyConnect
03-03-2012
09:28 PM
03-03-2012
09:28 PM
I got this to work, there was a Xauth setting that I had to turn off to stop it from also asking for user credentials and it worked perfectly. It recognised the cert and verified it was issed by the CA I setup in the conifg. However this raises a bit of a concern. Say I use a public CA e.g. Verisign to provide a server cert and also have thme generate the client auth certs aswell. Now wouldnt that let anyone (from my company or not) connect to my VPN if they also have a client auth cert from the same public CA? I think this becuase I am not specifically identifying the user on something the user "knows". Yes I know this is not 2 factor but thats just how they want to do it. Can I set something in my ASA to look at th eclient cert and verifiy that it belongs e.g. look for my compnay name or even better the issued to User and I keep a list of the allowed users somewhere on the ASA. Thanks.
... View more
10-02-2012
I have setup an Ironport with TLS in prefered mode. If I telnet to the
device and issue starttls it ...
Created by
lfkentwell
in Email Security
09-19-2012
09-19-2012
Yes I eneded up looking at that but to be honest wasnt sure if that
would work or not. If it doest t...
Created by
lfkentwell
in Email Security
09-18-2012
09-18-2012
I want to setup a content filter that does a certain action but I want
the condition to be if the me...
09-10-2012
I know the Ironport cluster is not like your traditional cluster where
you have a VIP and redundant ...
09-10-2012
I know it is recomended to give an ironport ESA a public IP on a
dedicated interface to take advantg...
09-09-2012
Can anyone help with what is probably a simple question. I will be
pointing an ASA to use an RSA ser...
09-03-2012
I built an ironport appliance recently, had ot all owrking fine was able
to connect to managment int...
08-02-2012
Great that explains it thanks. From what im reading about ASA WCCP
implemntation the client and the ...
08-01-2012
Can someone help clarrify some things. I read that WCCP is supposed to
support failover. I want to W...
Created by
lfkentwell
in Intrusion Prevention and Detection Systems (IPS - IDS)
07-24-2012
07-24-2012
I want to log into my IPS using my existing RSA SecurID using Radius. Is
it possible to use a Radius...
04-17-2012
Not sure if this is the right are but here it goes. I have a ACS server
which uses a RSA server to p...
04-11-2012
I have a question. Users connect to ipsec VPN terminating on my ASA.
Downstream from the ASA is anot...
03-06-2012
Awesome that helps. One last question. Assumig I dont want to restric
them incoming I want them to b...
03-06-2012
I have a pretty simple question. I am practicing my VPN client on an ASA
setup. I've got a succesful...
Created by
lfkentwell
in VPN and AnyConnect
03-03-2012
03-03-2012
I got this to work, there was a Xauth setting that I had to turn off to
stop it from also asking for...
Public Statistics
| Date Registered | 02-29-2012 02:10 PM |
| Date Last Visited | 08-18-2017 03:54 AM |
| Total Messages Posted | 19 |
