Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About paultribe
06-18-2019
Stats
Member since
02-06-2009
100
Posts
0
Helpful
0
Solutions
09-06-2018
07:18 AM
Hi there The issue is I am doing a migrstion from juniper to cisco and the junipers were using a loopback for s2s VPNs to terminate on. This is not the same as the real address being migrated to the FTD outside interface. The customer has so many S2S VPNs they do not want to get all their clients to change the peer address they point to and I cannot use the loopback as the real address I have to use the real address migrated from the junipers. Regards Paul
... View more
09-05-2018
03:55 AM
I have an issue whereby I am migrating Juniper SSG firewalls that have multiple VPNs to Cisco FTD running FTD 6.2.3 software (Not ASA).
The problem is the Juniper SSG's terminate all the s2s VPN's on a loopback interface but the ASA cannot do this. As a workaround I thought to just add another physical interface on the FTD and use a /30 IP address which includes the old loopback; then just statically route towards the remote VPN's peer & proxy ID's via this extra interface. The problem is the ISP router has no free interfaces. I also suggested using sub interfaces between the FTD and the ISP router but that was also a no go. Oh and the other thing there are too many S2S VPN's for all the remote sides to change the peer address.
Does anyone know of any other way I can achieve this, In a lab I have tried creating a NAT entry that NAT's the loopback address to the outside interface address (That VPNs terminate on), as follows:
nat (outside,outside) source static REAL_VPN_INTF NATTED_VPN_INTF
I then put a static towards the NAT/loopback address on the "ISP" router but no joy, only that the NATTED address appeared in the ARP cache on the router; having not messed about with NAT that much to "fudge" things I have probably done this wrong.
Any help would be useful.
... View more
Created by
paultribe
in Intrusion Prevention and Detection Systems (IPS - IDS)
in Intrusion Prevention and Detection Systems (IPS - IDS)
12-20-2017
01:51 AM
12-20-2017
01:51 AM
Hi There TAC stated the database had become corrupt and they fixed it. They said it was due to the system being shut down improperly. You will need to raise this with TAC as it took multiple engineers quite some time to sort out. The only thing I would say is I do not remember shutting the system down incorrectly and the logging never work from the outset. Nevertheless they did a superb job sorting this out as I observed them working on via WebEx and it looked very complex in respect of the work they were doing Regards Paul Tribe
... View more
Created by
paultribe
in Intrusion Prevention and Detection Systems (IPS - IDS)
in Intrusion Prevention and Detection Systems (IPS - IDS)
10-15-2017
07:26 AM
10-15-2017
07:26 AM
This is a real pain, I have FMC 6.2.2 with two FTD 4110 appliances. In prestage event analisys worked fine - when I went live with an identical config on the FTD and FMC devices and an identical build it completely failed to work. The only difference is the hardware the virtual FMC resides on.
This should not be acceptable from Cisco as my FTDs were installed in a very complex environment. I had to proceed with the implementation with no logging which hampered our install in respect of troubleshooting - and who foots the bill for the additional time it takes to deliver to our customer.
I am awaiting a TAC response but I am not happy as this was so unexpected when going to implementation and did not impress our customer.
Whatever happened to proper UAT Cisco?
... View more
Created by
paultribe
in Other Network Architecture Subjects
in Other Network Architecture Subjects
01-27-2017
02:20 AM
01-27-2017
02:20 AM
I am getting the error - " Failed health check since device is stuck in non-terminal state DEVICE_INFO_REQUESTED for more than threshold time: 0 hours, 16 minutes, 0 seconds", I had a search and found the following Bug " Bigger image deployment is failing in PnP with APIC-EM CSCuy57714", which suggests this is an issue with slow WAN links. This cannot be the case as the slowest link between the stack and APIC-EM is 100 Mbits/s and it is only 2 hops away. The bug can be found at: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy57714/?referring_site=bugquickviewclick I should say that a single switch provisions fine.
Can anyone offer any advice please.
============================
It appears the 2960XR are not supported until release 1.4 as per another community discussion in case anyone else is having the same issue: https://communities.cisco.com/thread/77312?tstart=0
============================
... View more
Labels:
02-26-2015
05:10 AM
Thank you all for your comments, much appreciated. Apologies for my delayed reply. I am still a little confused (Apologies but I normally work with routers, switches and firewalls etc so not had much exposure to email filtering using TLS etc). To be clear: 1) I get a certificate for each IronPort in the cluster that matchs the DNS A records for the MX record. 2) To enable TLS for domains outbound and outside of my "customer" I could do the following:- - Match the domain(s) in destination controls. 3) To enable TLS Inbound to my public listener (E.g. InBoundMail) I could do the following:- - Match the domains I expect to receive TLS encrypted email from in a sender group. - Create a mail policy that has TLS enabled. - Associate the new sender group with the new TLS mail policy and place at top of the HAT. So the above deals with all email exchanged between the Internet and my public listener which raises a big question for me - How to I ensure TLS works between the IronPort and my internal domain ??? Is this also configured under destination controls ??? Again, apologies for my confusion. And finally what is the best process to ensure one certificate is asigned to the listeners of one of the machines in the cluster and the other is assigned to the other machine in the cluster. I tried using the management override and found that configurations were not syncing properley.
... View more
02-26-2015
05:08 AM
Thank you for all your comments, much appreciated. Apologies for my delayed reply. I am still a little confused (Apologies but I normally work with routers, switches and firewalls etc so not had much exposure to email filtering using TLS etc). To be clear: 1) I get a certificate for each IronPort in the cluster that matchs the DNS A records for the MX record. 2) To enable TLS for domains outbound and outside of my "customer" I could do the following:- - Match the domain(s) in destination controls. 3) To enable TLS Inbound to my public listener (E.g. InBoundMail) I could do the following:- - Match the domains I expect to receive TLS encrypted email from in a sender group. - Create a mail policy that has TLS enabled. - Associate the new sender group with the new TLS mail policy and place at top of the HAT. So the above deals with all email exchanged between the Internet and my public listener which raises a big question for me - How to I ensure TLS works between the IronPort and my internal domain ??? Is this also configured under destination controls ??? Again, apologies for my confusion. And finally what is the best process to ensure one certificate is asigned to the listeners of one of the machines in the cluster and the other is assigned to the other machine in the cluster. I tried using the management override and found that configurations were not syncing properley.
... View more
Created by
paultribe
in Email Security
in Email Security
01-31-2015
01:39 AM
01-31-2015
01:39 AM
My Sceanrio I have two IronPort deviecs and I need to enable TLS for certain external and internal domains. I belive I understand how to confgure this but really do not know what certificate to purchase. Therefore can anyone please help with the following questions:- 1) When in cluster is an SSL certifcate required for all appliances in the cluster. 2) What type of certificate do you request from the provider (E.g. from Verisign or Thawte), they have so many different options. 3) Does the type of certificate depend on what you want to do can anyone give any examples. In my scenario, the customer needs to protect email they send and recive from multiple bu not all domains externally and multiple but not all domains internally. Can anyone help please ? Regards Paul
... View more
Labels:
Created by
paultribe
in Email Security
in Email Security
08-11-2014
04:33 AM
08-11-2014
04:33 AM
I have a cluster of 2 IronPort ESA appliances and one of these is faulty and will not boot. I am awaiting a replacement from Cisco. I cannot find an exact guide that explains how to re-instate the new appliance to cluster and therefore am making an assumption that the easiest way to do this is as follows:- 1) Physically connect the new device. 2) Login with console and ensure the new device has centralised management feature and all other keys. 3) Configure the management interface with the original machine level IP address from the old configuration of the faulty device. 4) Use Clusterconfig command to join new device to cluster. The only thing I am concerned about is licensing and serial numbers. I seem to remember that the primary cluster device will check the serial number at some point and therefore if its a new device then it will not join the cluster. If this is the case then I assume we would have to remove the orignal device from cluster and add the new one as a brand new one. This would mean all other machine level configuration would be lost such as IP addresses of Data interfaces and DNS names etc. Can anyone clarify please. Also can anyone point me to which configuration is required for machine level only. Regards Paul Tribe
... View more
Labels:
05-06-2014
01:25 PM
Thank you very much for your response I will be speaking to customer very soon and now feel very confident I understand what is required. If you don't mind can I ask a couple of final questions:- 1) I typically work with PKI on routers (DMVPN/IPSec phase 1 auth), so it is always clear where we need to distribute certificates and who requires encrypted tunnels. With email it seems a little more distorted though. Would you say it is normal for a customer who owns a domain (my customer), to know which domains they can exchange TLS mail with, i.e.Creating a new destination control for the domain you can send TLS mail to. 2) To enable TLS inbound you say "If there is only one sender then create a new sender group and add the senders IP address in that new sender group. Apply a mail flow policy with TLS enabled, either preferred or required.". This is where I get confused with IronPort. As i understand it no senders have to be specified here as email is received from any MTA. I do not have any senders specified here so do I simply add the the new sender group to the HAT policy and reference a new mail policy with TLS enabled and NO senders ? Thanks.
... View more
05-01-2014
04:13 AM
Hi Can anyone suggest the best way to configure TLS based on my requirements outlined below. It seems there are various ways to do this and I admit I am a little confused. Also its been a while since I have been tasked with working on ESA's. My environment:- 2 x IronPort ESA in cluster with Inbound Public listener and OutBound Private listener. 1 IP address per listener. 1 MX / A record per Public listener. SMTP routes to several internal mail servers. No load balancers, DNS preference used in MX. MY requirement:- I am required to configure TLS support Inbound and outbound to 1 of the internal domains. As I understand it from my "research", I would need to generate a CSR on each machine and submit this to a CA such as Verisign at which point they would return the certificate signed and their trusted root. I would then import the certificates on each machine. At this point I can then enable TLS as follows:- Outbound in [Mail Policies > Destination Controls]. Inbound in [Mail policies > HAT Overview > mail flow policies]. Assuming the above is correct, (please feel free to remark), my questions are as follows:- 1) When I do the CSR what information is key for the trust relationship to work. For example is the DNS name used for the MX important. 2) When I send the CSR to the CA they have lots of certificate options. The IronPort admin guide states I need a X.509 certificate do I simply ask for this. 3) As I am receiving / sending email from several domains how do I lock this down so that only one particular domain uses TLS. - For Inbound do I just enable TLS on all policies and set it to preferred. - For Outbound do I just set default destinations controls to TLS preferred. As I said I have not worked on IronPort for a while so have been thrown a hot potato here. Unfortunately the system is processing email for several domains and there is zero tolerance on downtime so any help on this would be much appreciated. I worry about the impact such changes may have.
... View more
Labels:
11-12-2012
12:48 AM
Hi I am new to this ASA and I believe there are some old rules that actually are not required, mainly the dynamic PAT rules. Are you saying that because these exist they are affecting NAT exemnption from working, the exemption rules did work OK prior to 8.4(4)1 being installed. Basically we have a VPN group which gets its IP addresses from the address range 10.58.1.0 / 24, whom have to access servers on subnet 222.216.126.0 / 24. This subnet is located on another firewall. The config pertaining to all this is as follows: name 222.216.120.0 Public_DMZ object network Public_DMZ subnet 222.216.120.0 255.255.248.0 route XXX_INT Public_DMZ 255.255.248.0 Nokia_VIP 1 (Could it be this route that is causing the problem, as it is not specific enough as as the object above). I am not sure which NAT rule in 8.3 allowed the access to work. I would have thought the rule may look something like this, but I am new to ASA 8.4. object network Public_DMZ subnet 222.216.120.0 255.255.248.0 object network obj-10.58.1.0 subnet 10.58.1.0 255.255.255.0 nat (XXX_INT,outside) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ no-proxy-arp route-lookup This rule exists but is below another rule (See below), which is being hit first. nat (XXX_INT,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup
... View more
11-08-2012
07:48 AM
Since we upgraded our ASA from 8.3 to 8.4(4), VPN users cannot access resources. This worked fine until the appliances were upgraded. We get the message: 5|Nov 08 2012|14:56:33|305013|222.216.126.7|3389|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.58.1.3/10134(LOCAL\pttest) dst XXX_INT:222.216.126.7/3389 denied due to NAT reverse path failure 5|Nov 08 2012|14:56:21|305013|222.216.126.7|3389|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.58.1.3/10134(LOCAL\pttest) dst XXX_INT:222.216.126.7/3389 denied due to NAT reverse path failure 5|Nov 08 2012|14:56:15|305013|222.216.126.7|3389|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.58.1.3/10134(LOCAL\pttest) dst XXX_INT:222.216.126.7/3389 denied due to NAT reverse path failure 5|Nov 08 2012|14:56:12|305013|222.216.126.7|3389|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.58.1.3/10134(LOCAL\pttest) dst XXX_INT:222.216.126.7/3389 denied due to NAT reverse path failure I know this is a NAT problem and our NAT rules are as follows, can anyone suggest a fix (Note I have changed IPs and names for security): nat (XXX_INT,outside) source static obj-10.110.3.0 obj-10.110.3.0 destination static obj-192.168.57.0 obj-192.168.57.0 no-proxy-arp route-lookup nat (XXX_INT,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup nat (EMBC-INT,outside) source static obj-10.60.0.0 obj-10.60.0.0 destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup description NAT exemption for AnyConnect connections to Schools Servers nat (XXX_INT,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup nat (XXX_INT,outside) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ no-proxy-arp route-lookup nat (XXX_INT,XXX_INT) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ no-proxy-arp route-lookup nat (XXX_INT,XXX_INT) source static Public_DMZ Public_DMZ destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup nat (XXX_INT,EMBC-EXT) source static obj-10.110.3.0 obj-10.110.3.0 destination static obj-192.168.57.0 obj-192.168.57.0 no-proxy-arp route-lookup nat (XXX_INT,EMBC-EXT) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ no-proxy-arp route-lookup nat (XXX_INT,EMBC-EXT) source static Public_DMZ Public_DMZ destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup nat (XXX_INT,bogus) source static obj-10.110.3.0 obj-10.110.3.0 destination static obj-192.168.57.0 obj-192.168.57.0 no-proxy-arp route-lookup nat (XXX_INT,bogus) source static Public_DMZ Public_DMZ destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup nat (XXX_INT,outside) source static Supplies NAT-County-Supplies-Server destination static Iris_Networks Iris_Networks nat (XXX_INT,outside) source static obj-10.110.3.244 NAT-ASA-Internal destination static obj-192.168.57.0 obj-192.168.57.0 nat (XXX_INT,outside) source static L2L-IPSEC-LOGICA-LOCAL L2L-IPSEC-LOGICA-LOCAL destination static L2L-IPSEC-LOGICA-REMOTE L2L-IPSEC-LOGICA-REMOTE no-proxy-arp route-lookup nat (XXX_INT,outside) source static Supplies NAT-County-Supplies-Server destination static obj-192.168.57.0 obj-192.168.57.0 nat (EMBC-INT,outside) source static NETWORK_OBJ_10.60.0.115 NETWORK_OBJ_10.60.0.115 destination static NETWORK_OBJ_172.18.143.0_28 NETWORK_OBJ_172.18.143.0_28 no-proxy-arp route-lookup nat (XXX_INT,outside) source static AP22-0029 Chipside_NAT_AP22 destination static Chipside_Payment_Processing Chipside_Payment_Processing nat (outside,outside) source dynamic obj-10.58.1.0 interface destination static Extranet-DMZ Extranet-DMZ description NAT connections to Extranet VPN servers behind the ASA's Extranet DMZ interface nat (outside,outside) source dynamic L2L-IPSEC-LOGICA-REMOTE interface destination static Extranet-DMZ Extranet-DMZ description NAT connections to Extranet VPN servers behind the ASA's Extranet DMZ interface nat (XXX_INT,XXX_INT) source static obj-10.110.3.0 obj-10.110.3.0 destination static obj-192.168.57.0 obj-192.168.57.0 nat (XXX_INT,XXX_INT) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.1.0.0 obj-10.1.0.0 nat (XXX_INT,XXX_INT) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.58.1.0 obj-10.58.1.0 ! object network obj_any nat (EMBC-INT,outside) dynamic obj-0.0.0.0 object network obj_any-01 nat (EMBC-INT,EMBC-EXT) dynamic obj-0.0.0.0 object network obj_any-02 nat (EMBC-INT,bogus) dynamic obj-0.0.0.0 object network obj_any-03 nat (XXX_INT,outside) dynamic obj-0.0.0.0 object network obj_any-04 nat (XXX_INT,EMBC-EXT) dynamic obj-0.0.0.0 object network obj_any-05 nat (XXX_INT,bogus) dynamic obj-0.0.0.0 object network obj_any-06 nat (bogus,outside) dynamic obj-0.0.0.0 object network obj_any-07 nat (bogus,EMBC-EXT) dynamic obj-0.0.0.0
... View more
Labels:
Created by
paultribe
in VPN and AnyConnect
in VPN and AnyConnect
08-10-2012
05:10 AM
08-10-2012
05:10 AM
That's brilliant thanks a lot - much appreciated Sent from Cisco Technical Support iPhone App
... View more
09-06-2018
Hi thereThe issue is I am doing a migrstion from juniper to cisco and
the junipers were using a loop...
09-05-2018
I have an issue whereby I am migrating Juniper SSG firewalls that have
multiple VPNs to Cisco FTD ru...
12-20-2017
Hi ThereTAC stated the database had become corrupt and they fixed it.
They said it was due to the sy...
10-15-2017
This is a real pain, I have FMC 6.2.2 with two FTD 4110 appliances. In
prestage event analisys worke...
Created by
paultribe
in Other Network Architecture Subjects
01-27-2017
01-27-2017
I am getting the error - "Failed health check since device is stuck in
non-terminal state DEVICE_INF...
02-26-2015
Thank you all for your comments, much appreciated. Apologies for my
delayed reply.I am still a littl...
02-26-2015
Thank you for all your comments, much appreciated. Apologies for my
delayed reply.I am still a littl...
Created by
paultribe
in Email Security
01-31-2015
01-31-2015
My SceanrioI have two IronPort deviecs and I need to enable TLS for
certain external and internal do...
08-11-2014
I have a cluster of 2 IronPort ESA appliances and one of these is faulty
and will not boot. I am awa...
05-06-2014
Thank you very much for your response I will be speaking to customer
very soon and now feel very con...
05-01-2014
HiCan anyone suggest the best way to configure TLS based on my
requirements outlined below. It seems...
Created by
paultribe
in VPN and AnyConnect
08-10-2012
08-10-2012
That's brilliant thanks a lot - much appreciated Sent from Cisco
Technical Support iPhone App
Public Statistics
| Date Registered | 02-06-2009 02:06 AM |
| Date Last Visited | 06-18-2019 09:17 AM |
| Total Messages Posted | 100 |
