Hello, we have 2 ASA 5585X runnin asa 9.10(1)7and ASDM 7.10(1). We currently have the Gig0/1 interfaces on both devices with separate IP's in the same subnet for mgt purposes. We have created an IP on the mgt0/0 port on the primary ASA for OOB management and would like to do the same on the secondary ASA's mgt 0/0 port using an IP in the same subnet as mgt0/0 on Primary ASA. Right now when we attempt to use the ASDM to configure mgt 0/0 with the IP we get errors. It won't allow us to do this. Must we use a gig port configured to be a routable port or can this be achieved using the dedicated mgt ports? I did some googling but haven't found anything definitive. The ASA Admin guide didn't address this. ... View more

Hello, i'm trying to create a Cisco PI 3.1 Feature template to deploy crypto pki authenticate "TRUSTPOINTNAME" to edge switches. The configuration works on the switch; however, when I try to deploy th configuration it doesn't work. I have tried placing the key information in the template and I currently have it setup as below using a variable called $CERTIFICATE that is of type "text area" so I can add any key required without having it displayed in the template. I have tried to make use of the multi command line function, <MLTCMD>, and the interactive function to answer the questions. When I deploy the template I have terminal monitor configured on the switch and can see that the crypto key generate command for label SSHKEYS works; however when running show crypto pki trustpoint $TRUSTPOINTNAME I can see the name is created but the trustpoint itself is not.  The objective is to deploy configuration changes to our switches so we may use certificate based login via ISE to our edge devices so we may stop using username/passwords. Can someone provide some insight on how to manipulate the functions in Features and Templates to get this working? So close it seems but this is holding up my progress.   !#START of CLI Template crypto pki trustpoint $TRUSTPOINTNAME enrollment terminal revocation-check none authorization username alt-subjectname userprinciplename <MLTCMD> crypto pki authenticate $TRUSTPOINTNAME   ------BEGIN CERTIFICATE--------- ~key information deleted for brevity~ ------END CERTIFICATE-------- $COMPLETECERT #INTERACTIVE Do you accept this certificate? <IQ>[yes/no]: <R> yes #ENDS_INTERACTIVE</MLTCMD> crypto key generate rsa modulus $MODULUS label $LABLENAME usage-keys ip ssh server certificate profile user trustpoint verify $TRUSTPOINTNAME exit exit !#Crypto pki and crypto key generate ends here in ISE_PKIAuthenkey template ip ssh server algorithm hostkey ssh-rsa ip ssh server algorithm authentication publickey keyboard ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr ip ssh server algorithm publickey x509v3-ssh-rsa   !#END of CLI Template    ej          ... View more

Hello, I'm struggling with some regex issues on my ACS command sets. I can of course block access to various commands and had blocked access to various interfaces; however, I'm unable to block access to our trunk interfaces while allowing access to our edge interfaces. Using: deny int* g1/1/1 deny int* g1/1/2 worked to keep low level admins out of those interfaces while allowing them access to: g1/0/1, g1/0/2 etc... I handled interface commands normally: deny switchport  Now I need to deny access to those very same interfaces, g1/1/1, g1/1/2 etc.. while allowing access go g1/0/1 - 24, g1/0/1 - 48 and also for stacks. I worked up a regex that I created from findings Googling around. permit int* g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$ should this be permit int* g*([1-4/])0\/1[0-8]|2[0-8]|3[0-8]|4[0-8])$ Our switches are 24 and 48 porters. So the stacks would range 1/0/1 - 24 or 48 and 2/0/1 - 24 or 48 etc.. up to 4 stacks. The second value should always be a zero.   ... View more