Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About nathan demers
Stats
Member since
01-07-2012
32
Posts
0
Helpful
0
Solutions
10-26-2015
08:08 PM
I understand about 10% of what you are saying. 1/2 microphone and 1/2 accent. Sorry.
... View more
09-23-2015
05:43 PM
Wanted to follow up on the solution. The issue is the following: management-access Inside-166 That command allows me access the 192.168.166.1 address for management purposes but the 55.5 address is not accessible. If I change the management access command to Inside instead of Inside-166 then the 55.5 address is available for icmp. Once I setup ospf on the opposite side of the 55.x then I could reah the opposing side but could not manage the 55.5 still. So Anyconnect was not broken just giving a false representation of broken based on ignorance.
... View more
Created by
nathan demers
in VPN and AnyConnect
in VPN and AnyConnect
09-22-2015
10:06 AM
09-22-2015
10:06 AM
Here is the issue. Anyconnect connects and functions as intended for the split tunnel with a destination of 192.168.166.0/24 It does not work for 192.168.55.4 /30. The configuration is the same for both. I have static no nat statements and interesting traffic ACLs assigned. There is a little bit of extra code in here due to me playing with this to get it to work. I have not rebooted this yet because it is in production. I just need a sanity check because everything is identical for the two subnets. I want to be able to reach the Inside interface and the Inside-166 interfaces. This will prepare me for expanding access via anyconnect to additional resources internally. SSL-Anyconnect Working - 192.168.166.0/24 Broken - 192.168.55.4 /30 : Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores) : ASA Version 9.4(1) ! hostname examplecom-ASA domain-name examplecom911.com enable password KKZEMuUIl6k9bTx9 encrypted xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names ip local pool SSLClientPool 192.168.201.1-192.168.201.50 mask 255.255.255.0 ! interface GigabitEthernet0/0 description Global Internet for all devices - Minus 166 nameif Outside-Internet security-level 0 ip address 192.168.55.2 255.255.255.252 ! interface GigabitEthernet0/1 description DIA to Internet for 192.168.166.0/24 nameif Outside-166 security-level 0 ip address dhcp setroute ! interface GigabitEthernet0/2 description Subnet for Internet Access for 911 Call responders nameif Inside-166 security-level 100 ip address 192.168.166.1 255.255.255.0 policy-route route-map RM_166_INTERNET ! interface GigabitEthernet0/3 description Internal Global Network for all devices. nameif Inside security-level 100 ip address 192.168.55.5 255.255.255.252 ! interface GigabitEthernet0/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/5 shutdown no nameif no security-level no ip address ! interface Management0/0 management-only nameif MGMT security-level 0 ip address 192.168.174.250 255.255.255.0 ! boot system disk0:/asa941-smp-k8.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring dns server-group DefaultDNS domain-name examplecom911.com same-security-traffic permit inter-interface object network PAT_166 subnet 192.168.166.0 255.255.255.0 object network ANYCONNECT_201 subnet 192.168.201.0 255.255.255.0 object network NETWORK_OBJ_192.168.201.0_26 subnet 192.168.201.0 255.255.255.0 object-group network 166-SUBNET network-object 192.168.166.0 255.255.255.0 object-group network NO_NAT_ANYCONNECT network-object 192.168.201.0 255.255.255.0 object-group network NO_NAT_ADMIN network-object 192.168.174.0 255.255.255.0 object-group network NO_NAT_VPN_166 network-object 192.168.166.0 255.255.255.0 access-list PBR_166_INTERNET standard permit 192.168.166.0 255.255.255.0 access-list PBR_DEFAULT_TRAFFIC standard permit any4 access-list 166_PUBLIC_IN extended permit ip 192.168.201.0 255.255.255.0 192.168.166.0 255.255.255.0 log access-list 166_PUBLIC_IN extended permit ip 192.168.201.0 255.255.255.0 192.168.55.4 255.255.255.252 log access-list INSIDE-166-ACL extended permit ip any any access-list INSIDE-IN extended permit ip any any access-list split-tunnel standard permit 192.168.166.0 255.255.255.0 access-list split-tunnel standard permit 192.168.174.0 255.255.255.0 access-list split-tunnel standard permit 192.168.55.4 255.255.255.252 pager lines 24 logging enable logging timestamp logging buffer-size 1000000 logging monitor debugging logging buffered debugging logging trap informational logging asdm informational logging debug-trace mtu Outside-Internet 1500 mtu Outside-166 1500 mtu Inside-166 1500 mtu Inside 1500 mtu MGMT 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-741.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (Inside-166,Outside-166) source dynamic any interface nat (Inside-166,Outside-166) source static any any destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup nat (Inside,Outside-166) source static any any destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup access-group 166_PUBLIC_IN in interface Outside-166 access-group INSIDE-IN in interface Inside ! route-map RM_166_INTERNET permit 10 match ip address PBR_166_INTERNET set interface Outside-166 ! router eigrp 1 network 192.168.166.0 255.255.255.0 network 192.168.55.4 255.255.255.252 ! route Outside-166 0.0.0.0 0.0.0.0 9.9.9.1 1 route MGMT 192.168.174.0 255.255.255.0 192.168.174.2 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 user-identity default-domain LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.174.0 255.255.255.0 MGMT http 67.161.108.98 255.255.255.255 Outside-166 no snmp-server location no snmp-server contact crypto ipsec ikev1 transform-set TS_ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set TS_ESP_3DES_MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set TS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0 enrollment self fqdn none subject-name CN=192.168.174.250,CN=examplecom-ASA keypair ASDM_LAUNCHER crl configure crypto ca trustpoint localtrust enrollment self fqdn sslvpn.examplecom911.info subject-name CN=sslvpn.examplecom911.info keypair sslvpnkey crl configure crypto ca trustpool policy crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0 --omitted-- crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 28800 crypto ikev1 policy 20 authentication pre-share encryption 3des hash md5 group 2 lifetime 28800 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 5 lifetime 28800 telnet timeout 5 ssh stricthostkeycheck ssh timeout 60 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 management-access Inside-166 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 192.168.174.9 source MGMT prefer ssl trust-point localtrust Outside-166 ssl trust-point ASDM_Launcher_Access_TrustPoint_0 MGMT ssl trust-point ASDM_Launcher_Access_TrustPoint_0 MGMT vpnlb-ip webvpn enable Outside-166 anyconnect image disk0:/anyconnect-win-3.1.10010-k9.pkg 1 anyconnect enable tunnel-group-list enable error-recovery disable group-policy SSLCLient internal group-policy SSLCLient attributes banner value **************************** banner value Authorized exampleCom Admins Only banner value **************************** dns-server value 9.9.9.1 4.4.2.2 vpn-tunnel-protocol ssl-client re-xauth enable pfs enable split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel default-domain value examplecom911.info address-pools value SSLClientPool group-policy GroupPolicy_exampleCOM_ANYCONNECT internal group-policy GroupPolicy_exampleCOM_ANYCONNECT attributes wins-server none dns-server value 9.9.9.1 4.4.2.2 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel default-domain value examplecom911.com split-tunnel-all-dns disable dynamic-access-policy-record DfltAccessPolicy username example_brad password Fk3MzOeAau1lt.2O encrypted username example_brad attributes service-type remote-access username examplecom password KF.aA.oQrkSpW2BY encrypted username example_josh password .PZSPsFZj/qTuAND encrypted username example_josh attributes service-type remote-access username example_jerry password KF.aA.oQrkSpW2BY encrypted username example_jerry attributes service-type remote-access tunnel-group SSLClient type remote-access tunnel-group SSLClient general-attributes default-group-policy SSLCLient tunnel-group SSLClient webvpn-attributes group-alias exampleCom-Admins enable class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly 5 subscribe-to-alert-group configuration periodic monthly 5 subscribe-to-alert-group telemetry periodic daily Cryptochecksum:cc456cfabf1392fc7fefec51737a9a30 : end
... View more
Labels:
02-23-2015
10:58 PM
I think a more detailed answer here is required. Lets go back to the basics of vlan tags and what the end devices knows. Imagine the g 0/1 is used by a laptop. That laptop has no clue as to what vlan it is on. Wjy? The switch never notifies it of the vlan. the laptop wouldnt even know what to do with it because its irrelevant to it. When packets enter the switchport they are tagged. When they leave the switchport they are untagged. The same rule applies to two switches with access ports. As the frames leave an interface the tag is stripped and as it enters its added. So by all rights both switches are performing the same function considering the other an end device. This is why they are able to communicate. As for the trunk port a trunk cannot communicate with an access port because (lets assume dot1q tagging) trunks tag packets with dot1q tags or and the access port cant interpret those. One thing to consider is, it might be possible i have not tested this, is if the access port and native vlan on the trunk port were the same (both vlan 6) I think the trunk would have to be forced into "nonegotiate" in order for this to work. Not sure never tested it or considered it till now. Trunk allowed vlans do not need to match. From a hierarchy perspective the upstream switch can limit the vlans manually and the downstream switch can be left as a default trunk. This will work.
... View more
02-23-2015
10:46 PM
I think you best option is to listen to tporembski. He said that fa0 is not routeable. Try using a different port on the 3560x and see if that suits you better.
... View more
02-23-2015
10:46 PM
I think you best option is to listen to tporembski. He said that fa0 is not routeable. Try using a different port on the 3560x and see if that suits you better.
... View more
02-23-2015
10:40 PM
OK I have got to point out a couple things. 1. Do you really need to use telnet? (outside of the scope of your Q but its very insecure) 2. If you are telneting in via the management IP and you make that change in that order you are going to have a bad day. By removing the management vlan that exists you effectively remove the ability to remote into the machine. I suggest the reverse. Create interface vlan 10 and IP it. Test it then remove the Ip from vlan 1. You also do not need the no shut on an SVI. By default they are not shut. CONFIG interface vlan 10 ip add 192.168.1.1 255.255.255.0 vlan 10 name management !-----TEST CONNECTIVITY default interface vlan 1 int vlan 1 shut end wr
... View more
09-03-2014
06:58 PM
A few troubleshooting questions.. Is that vlan accessable/reachable by ISE? Can you ping it? Are you allowing ISE to speak snmp and RADIUS to the NAD? Do the snmp passswords match?
... View more
09-02-2014
07:30 PM
The only thing I could find was purging data in the MNT node. The default is 90 days. This doesnt apply because the profiles are store on the policy node. I dont think you can in an automated form. You could change the MNT to purge after 210 days and then run a report to see which macs have not authc in the passed 180 days. That will require excel and some scripting.
... View more
09-02-2014
07:16 PM
It sounds like you are trying to do two different things. The certificate can be done through 802.1x using peap I dont know if your devices can handle dot1x so if not they can use MAB. Far less secure but if its a low level device like a printer that has limited input capability then you are stuck with MAB. What you could do with MAB is use the OUI and some other identifying information (if available) like device host names (This can be derived from DHCP i believe) and possibly av pairs (RADIUS) to help profile the devices. These can be put into a custom endpoint profile that is given a specific authorization rule. The whole point is to try to isolate certain types of equipment so that only they get the custom authz rule Does this make sense? Im shooting a little blind here without more info.
... View more
Created by
nathan demers
in Policy and Access
in Policy and Access
09-02-2014
07:09 PM
09-02-2014
07:09 PM
Has anybody created the High and Low level designs for the NASP? This is my first time and its always easier to have a template to work off of than to reinvent the wheel. An incomplete example is displayed below but I was hoping someone had a complete one of high and low. Employee Authorization Rule Table of Contents for Employee Security Policy: I. Members pg. xxx II. Acceptable Use Policy pg. xxx III. Windows 7 Security Requirements pg. xxx 1. Approved AV Installed & Up-to-date pg. xxx a. Security checks pg. xxx b. Security rules pg. xxx IV. Network Access Permissions pg. xxx 1. VLAN Segmentation pg. xxx a. Noncompliant Posture VLAN pg. xxx b. Access VLAN Name/ID pg. xxx 2. Access Control List pg. xxx 3. SmartPort Macro pg. xxx 4. Security Group Tag number pg. xxx ... IV. Network Access Permissions 1. VLAN Segmentation – Yes a. Noncompliant Posture VLAN = quarantine-vlan/100 b. Access VLAN Name/ID = employees/10 2. Access Control List – Yes a. Compliant ACL = permit All IP b. Noncompliant ACL = 5 Permit TCP from any to “AUP web server” equaling 80 Description: Allow anyone to access the acceptable use policy link 64 Cisco ISE for BYOD and Secure Unified Access 10 Permit TCP from any to “Link based remediation resources” equaling 80 & 443 Description: Allow web traffic to the appropriate remediation resources 20 Permit TCP from any to “file based remediation” equaling 80 & 443 Description: Allow web traffic to the cam for remediation file distribution 30 Permit UDP from any to “dmz DNS Server” equaling DNS Description: Allow DNS only to the dmz dns server 40 Deny IP from any to any Description: Block everything else 3. SmartPort Macro – no 4. Security Group Tag number – 10
... View more
Labels:
07-14-2014
12:39 PM
Problem resolved, The issue was as follows. I was getting the above described error however the problem was that we have a WLC that relies on ISE for authentication. It also uses AAA override. More info here: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111100.html " It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server." The WLC does not not download the ACL like a switch does. ISE will send a radius response with the appropriate ACL for permissions. If there is a web redirect included that ACL will also have to be sent....thus that ACL will have to be created on the WLC as well. Keep in mind that the ACL name is all that really matters. It does not download the entire ACL. ISE merely send the ACL name and says use this ACL. If the WLC does not have it then it is forced to disconnect the client (or give no access.). This was my problem. I did not have the ACL redirect created on the WLC. So it would connect, get an ip, and attempt to redirect but it wasnt allowed to.
... View more
07-14-2014
07:57 AM
I have this same issue. Magically appeared this morning. Did you find a solution?
... View more
Created by
nathan demers
in Policy and Access
in Policy and Access
10-07-2013
01:00 PM
10-07-2013
01:00 PM
I know that 4.2 is pretty old but it could be relevant in future versions with 5.3 and ISE. I dont know. Topic: Implementing (permitting) subcommands under an Authorization Set. This was somehwat difficult for me to get working for the final step that I wanted. That was to Allow FastEthernet interfaces to be allowed by the help desk and deny GigabitEthernet. Reasoning being is all Gigabit ports are reserved for trunking. How I was able to solve this issue. SWITCH Previous AAA settings on 3750 switch aaa new-model aaa group server tacacs+ CSACS aaa authentication login default group CSACS local aaa authentication enable default group CSACS enable aaa authorization exec default group CSACS local aaa authorization commands 15 default group CSACS local aaa accounting commands 15 default start-stop group CSACS aaa session-id common Added command on switch aaa authorization config-commands This allows you to specify individual commands (to my understanding). ACS Shell Command Authorization Set If you want to allow fastethernet and deny gigabitethernet then do the following COMMAND interface ARGUMENT permit FasEthernet (case-sensitive!!!!!!) To allow switchport commands: switchport mode access and switchport access vlan denying explicitly switchport mode trunk. COMMAND switchport ARGUMENT deny mode trunk permit mode access permit access vlan Items to consider: 1. User settings trump group settings so if you give someone priviledge level 15 in their user settings instead of following group settings then they have acess to everything.) 2. shell exec needs to be turned on for user and group 3. The five ITEMS in 4.2 that you need to look at. User Setup Advanced TACACS+ Settings TACACS+ Enable Password Shell (exec) (RIGHT ABOVE ----> Shell Command Authorization Set) Shell Command Authorization Set Good luck.
... View more
Labels:
Created by
nathan demers
in VPN and AnyConnect
in VPN and AnyConnect
08-28-2013
12:06 PM
08-28-2013
12:06 PM
For everyone elses information the tunnel information is correct but the routes were incorrect. my default gateway was bad. route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.9 1 route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.9 1 route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.9 1 I was using the outside interface and I needed to send it to the default gateway of the OUTSIDE interface not the interface itself. So in theory it would be route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.1 1 route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.1 1 route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.1 1 Hope this helps others.
... View more
09-23-2015
Wanted to follow up on the solution.The issue is the following:
management-access Inside-166That com...
09-22-2015
Here is the issue.Anyconnect connects and functions as intended for the
split tunnel with a destinat...
02-23-2015
I think a more detailed answer here is required. Lets go back to the
basics of vlan tags and what th...
02-23-2015
I think you best option is to listen to tporembski. He said that fa0 is
not routeable. Try using a d...
02-23-2015
I think you best option is to listen to tporembski. He said that fa0 is
not routeable. Try using a d...
02-23-2015
OK I have got to point out a couple things.1. Do you really need to use
telnet? (outside of the scop...
09-03-2014
A few troubleshooting questions.. Is that vlan accessable/reachable by
ISE?Can you ping it?Are you a...
09-02-2014
The only thing I could find was purging data in the MNT node. The
default is 90 days. This doesnt ap...
09-02-2014
It sounds like you are trying to do two different things.The certificate
can be done through 802.1x ...
Created by
nathan demers
in Policy and Access
09-02-2014
09-02-2014
Has anybody created the High and Low level designs for the NASP? This is
my first time and its alway...
07-14-2014
Problem resolved, The issue was as follows. I was getting the above
described error however the prob...
Created by
nathan demers
in Policy and Access
10-07-2013
10-07-2013
I know that 4.2 is pretty old but it could be relevant in future
versions with 5.3 and ISE. I dont k...
Created by
nathan demers
in VPN and AnyConnect
08-28-2013
08-28-2013
For everyone elses information the tunnel information is correct but the
routes were incorrect.my de...
Public Statistics
| Date Registered | 01-07-2012 01:40 AM |
| Date Last Visited | 08-18-2017 03:54 AM |
| Total Messages Posted | 32 |
