About kaachary

kaachary · ‎10-08-2018

Just bumping this one up as we have a few more requests like these and still haven't found any guidelines. We are anyway setting this up in lab, but anyone who has done this firsthand, please feel free to provide your inputs.

kaachary · ‎06-12-2018

Hi Team, One of my customers with an existing SDA deployment, has asked us to help them move from the "Default permit" to "Defauly Deny" in the Trustsec policies. Since this a brownfield deployment, we are little skeptical in doing this without getting the information on "what all to allow"? We have received the information about all destinations that specific SGT needs to access. The question is mostly about traffic that is not known and not tagged at this time e.g Control Plane and Management traffic from the switches. We would like to know the best approach to handle this without impacting the production. I can think of a couple of approaches, but need to know the additional details: 1: Putting the default deny in Trust Matrix in "Monitor" mode with log keyword in SGACL. This way we can monitor what all is hitting the deny rule, and then open accordingly. 2: Allowing all traffic to and from "Trustsec_Devices" SGT to "Unknown" SGT to cater to the control plane and management traffic. The first one seems time consuming, and will probably require us to go through a huge chunk of logs. The second approach has security issues. I was unable to find some documentation which provides a list of all control plane and management services that need to be opened in these scenarios. We would like to know how other customers have handled this. Please provide your valuable inputs.

kaachary · ‎03-09-2011

I see..I tried your configuration with the default policy in there, on 12.4. 15T4, and it worked for me. So, it doesn't seem to be a software version issue. Have you tried reloading this router? Is it possible for you to attach the full configuration of the router after hiding the addresses?

kaachary · ‎03-09-2011

By any chance, you do not have this statement in the config? crypto isakmp key address 0.0.0.0 0.0.0.0 no-xauth Since by default the IOS requires client to have xauth, so this no-xauth keyword will cause IOS not to accept the coinnection without xauth. Removing the statement or just the "no-xauth: keyword should work. But, if you you have dynamic L2L tunnel terminating on this router, they will fail. The correct way of configuring both is to use Iskamp profiles.

kaachary · ‎03-09-2011

"no crypto isakmp default policy" is supported since 12.4(20)T to disable the default isakmp suite. To be honest, router should still use the configured policy first, as the default has the least priority. What exact IOS version you are running? Let us know if disabling the default policy work.

kaachary · ‎03-09-2011

On PIX you need a policy static statement, access-list nat permit ip host 192.168.71.5 10.1.6.0 255.255.255.0 static (outside,outside) 172.16.3.71 192.168.71.5 access-list nat And modify the crypto ACLs appropriately to include the natted address.

kaachary · ‎02-28-2011

Can you provide the output of "debug aaa common 255" when you try to connect. You should be able to see the attribute returned in the debugs, and basis that create the DAP.

kaachary · ‎04-19-2010

Concentrator doesn't do inbound L2L NAT, hence the document is incorrect.

kaachary · ‎06-30-2008

Shouldnt your default route point to next-hop instead of the interface ip address itslef ?

kaachary · ‎06-30-2008

Can you post the output of : sh cry ipsec sa sh vpnclient from the EZvPN client.

kaachary · ‎06-30-2008

Looks like AES is not enabled on the remote site. If you do the changes here, make sure the similar changes are done on the remote vpn endpoint.

kaachary · ‎06-30-2008

Its an ongoing issue with vpn client. You should contact TAC for further updates. As a workaround, make the pcf file "Read-only".

kaachary · ‎06-30-2008

Doesnt look like a vpn problem anymore, just make sure the hosts in question do not have a Firewall installed.

kaachary · ‎06-30-2008

Keyword "any" is not supported in split tunnel ACL. Put specific networks, and you should be good to go.

kaachary · ‎06-30-2008

The config looks good. Is it not working for you. Also, for vpn clients coming from behind a nat/pat device, add this to the config : cry isa nat-t Aprat from that, you should be good to go.

kaachary · 12-08-2018

Please ignore, I think I know what you meant. When it's open, ISE is not involved unlike monitor mod...

kaachary · 12-08-2018

Hi Jason, Can open Auth be done for the same SSID, on a shared WLC, for a specific location (i.e. se...

kaachary · 12-08-2018

We are working on a deployment, where Customer has a shared WLC (shared among multiple sites), with ...

kaachary · 10-08-2018

Just bumping this one up as we have a few more requests like these and still haven't found any guide...

kaachary · 09-27-2018

Thanks Tim. In this case, we only have Macbooks. I am assuming ISE will only query for the MAC addre...

kaachary · 09-27-2018

I have a couple of questions on ISE and JAMF integration as MDM. What does ISE check with Jamf for c...

kaachary · 06-12-2018

Hi Team,One of my customers with an existing SDA deployment, has asked us to help them move from the...

kaachary · 04-03-2018

Thanks Tim, GregoryI am aware of the Service check for the agent. But the customer requirement speci...

kaachary · 04-02-2018

Customer has Forescout secureconnector installed on machines for Endpoint Compliance. They are evalu...

kaachary · 09-28-2017

With one of our ISE deployments, we are using the native supplicant in Windows 7 and doing a Machine...

kaachary · 03-09-2011

I see..I tried your configuration with the default policy in there, on 12.4.15T4, and it worked for ...

kaachary · 03-09-2011

By any chance, you do not have this statement in the config?crypto isakmp key address 0.0.0.0 0.0.0....

kaachary · 03-09-2011

"no crypto isakmp default policy" is supported since 12.4(20)T to disable the default isakmp suite.T...

kaachary · 03-09-2011

On PIX you need a policy static statement,access-list nat permit ip host 192.168.71.5 10.1.6.0 255.2...

kaachary · 02-28-2011

Can you provide the output of "debug aaa common 255" when you try to connect. You should be able to ...

Date Registered	‎10-11-2005 04:40 AM
Date Last Visited	‎07-24-2019 04:53 AM
Total Messages Posted	359
Total Helpful Votes Received	262

Re: Migating from Default Permit to Def...

Migating from Default Permit to Default...

Re: Preshared authentication offered bu...

Re: Preshared authentication offered bu...

Re: Preshared authentication offered bu...

Re: Hub and Spoke VPN with NAT

Re: Disallowing certain OU from logging...

Re: How to configure inbound NAT on the...

Re: From dmz connected another PIX and ...

Re: Easy VPN issue

Re: Trouble with ipseÑ vpn

Re: Corrupt pcf file how to prevent

Re: Pix to Pix VPN with no LAN

Re: VPN IPSec Client connectivity to AS...

Re: VPN on ASA 5505 can't work

Re: Shared WLC, SSID with Low Impact Mode

Re: Shared WLC, SSID with Low Impact Mode

Shared WLC, SSID with Low Impact Mode

Re: Migating from Default Permit to Default Deny in Trustsec Policies

Re: ISE w/ Jamf and SCCM as MDM

ISE w/ Jamf and SCCM as MDM

Migating from Default Permit to Default Deny in Trustsec Policies

Re: ISE Posture with Forescout Secureconnector integration

ISE Posture with Forescout Secureconnector integration

ISE 2.3 - Native Supplication Sporadic Behaviour

Re: Preshared authentication offered but does not match policy

Re: Preshared authentication offered but does not match policy

Re: Preshared authentication offered but does not match policy

Re: Hub and Spoke VPN with NAT

Re: Disallowing certain OU from logging into VPN.