Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About David Niemann
David Niemann
Participant
Experienced Senior Network Engineer with specialty of Security
Recent Badges
Stats
Member since
01-10-2005
216
Posts
34
Helpful
4
Solutions
06-28-2018
06:19 AM
You can either generate a self-signed certificate and have it pushed to your workstations as a trusted CA cert via Windows GPOs or if you have a PKI generate a cert for the WSA that will be trusted by your domain.
... View more
Created by
David Niemann
in Web Security
in Web Security
03-24-2018
07:36 AM
03-24-2018
07:36 AM
I would think as long as you follow the same directions for the most recentl version of Windows server it should still work. Using the permissions changes on the DCs shouldn't have changed that much. Keep in mind I believe CDA will be going away in favor of ISE-PIC so you may want to look into that. As of yet I don't think the WSA code supports it yet, but I do believe it's coming. I'm still using CDAs for my transparent authentication, but I have ISE enabled for passive authentication and I can see how WSA will be able to get what it wants from that.
... View more
03-08-2017
04:11 AM
I believe there are GPOs available now for managing Firefox and Chrome in a domain environment.
... View more
01-09-2017
05:45 PM
Can you post some of the logs from the access logs when the site is accessed?
... View more
01-03-2017
08:08 AM
This config actually worked for me. I had an issue with the L2L tunnel the traffic was utilizing causing it to be dropped. Once the L2L tunnel as up it worked as planned.
... View more
Created by
David Niemann
in Application Networking
in Application Networking
11-21-2016
02:10 PM
11-21-2016
02:10 PM
Trying to set up a bidirectional connection that source NATs all rserver initiated connections to the same IP as the inbound VIP. I think I have the config right, but it doesn't seem to work. The IP that should be used for all comms is a VIP of 172.31.0.176 which you will see in the NAT pool. the 172.31.0.178 was created as a VIP for the rservers to send outbound to which will be source NATed to the 172.31.0.176.
rserver host RS_XXX_CORP_SMARTHOST_1 description XXX CORP SMARTHOST FOR EMAIL ip address 5.5.5.5 inservice
serverfarm host SF_EXC2013_SMTP_OUTBOUND description Exchange 2013 SMTP predictor leastconns rserver RS_XXX_CORP_SMARTHOST_1 25 inservice
sticky ip-netmask 255.255.255.255 address source Sticky_SrcIP_EXC2013_SMTP_OUTBOUND serverfarm SF_EXC2013_SMTP_OUTBOUND replicate sticky
class-map match-any VS_EXC2013_SMTP_OUTBOUND description Exchange 2013 SMTP Outbound 2 match virtual-address 172.31.0.178 tcp eq smtp
policy-map type loadbalance first-match EXC2013_SMTP_OUTBOUND class class-default sticky-serverfarm Sticky_SrcIP_EXC2013_SMTP_OUTBOUND
policy-map multi-match Farm_VIPS
class VS_EXC2013_SMTP_OUTBOUND loadbalance vip inservice loadbalance policy EXC2013_SMTP_OUTBOUND loadbalance vip icmp-reply active nat dynamic 6 vlan 511
interface vlan 511 description ACE-DMZ-front bridge-group 1 mac-sticky enable access-group input BPDU access-group input ANYONE nat-pool 6 172.31.0.176 172.31.0.176 netmask 255.255.255.0 pat service-policy input PM_AdminAccess service-policy input Farm_VIPS no shutdown
... View more
- Tags:
- ACE SNAT
Labels:
05-25-2016
12:58 PM
I have a pair of S380 WSAs using WCCP redirect from an ASA. I'm doing http and https proxying. The clients all have the certs of the WSAs to enable the decryption. The WCCP load balancing is done by destination (the default). I have random users throughout the day that experience periods of not being able to load web pages. Any browser is affected and it's very random and doesn't affect all users. I've tried doing captures with TAC and have not been able to find a smoking gun of the root cause. At this point I've even removed one of the WSAs from the WCCP redirect so all users are going through a single WSA and I still hear complaints about it. I have actually seen a similar issue myself once. It's almost like the browser (all browsers) just stall and get stuck on loading. Then after a few minutes the page just all of the sudden fully renders. I'm about fed up with the incessant calls about Internet performance. If I bypass a user via WCCP redirect they have no issues. There are no tell tale issues in the logs. I've opened a few TAC cases, but the issues are so random I can never fully capture it in progress. I'm running WSA 8.0.8 and all proxies are managed by SMA. Anyone have any advice or recommendations? I'm about at the point of moving to AVC and URL blocking on the ASAs directly with Firepower and scrap the WSAs
... View more
- Tags:
- WSA WCCP ASA
Labels:
04-18-2016
10:25 AM
No changes other than more hosts showing up on the mac address block.. It's now at 2056. versus 43 under IPv4 which is more accurate.
... View more
04-14-2016
07:45 PM
I have this same issue, but I had the Zone already defined as the Inside arm of my ASA and the network was all RFC1918 addresses. I have correct hosts showing up under IPv4 hosts, but have 1583 hosts under MAC. I've just redefined the Network in my discovery policy to only be the true internal network private address block I'm using. I'll see if it changes.
... View more
03-03-2016
12:08 PM
Is it possible to configure an ASA to be used for VPN only in one arm mode? We use to have a VPN 3000 concentrator that worked in one-arm mode. It basically just provided VPN connectivity for users and NATed all their connections prior to be routed back out the same interface. I would assume using some flavor of hair pinning configuration would be required at a minimum.
... View more
- Tags:
- asa nat vpn
Labels:
02-20-2016
03:17 PM
I figured out how to rehome my licenses on Firesight and then have them be applied to the 5506X. I found another post regarding only copying the encrypted portion of the license and that worked. Previously I was copying the entire license. I was able to rehome the licenses to Firesight and then use them for managing the ASA.
... View more
02-17-2016
09:21 PM
I bought a 5506X with full services, Protection, Control, Malware and URL filtering. I had opened a TAC case for troubleshooting some issues I was having with policy applications. The TAC engineer suggested I use Firesight to manage the ASA (v9.5.2) instead of the ASDM (v7.5.2). I'm running Firepower v6.0.0-1005. The TAC engineer gave me eval licenses to put on FireSIGHT. It was my understanding that I could rehome the licenses for the 5506X to FireSIGHT. He indicated that I should have the right to run FireSIGHT with my 5506X with the full services that I bought. The eval licenses on FireSIGHT have expired and now it won't apply any of the rules because it says the subscription has expired. Are we required to have licenses for the 5506X as well as additional licensing for FireSIGHT? While the eval licenses expired, the licenses on my 5506X don't expire until June.
... View more
Labels:
01-19-2016
04:56 AM
I did just that. Shut it down, reseated the drive and now I'm able to recover the sfr. Thanks!
... View more
06-28-2018
You can either generate a self-signed certificate and have it pushed to
your workstations as a trust...
03-24-2018
I would think as long as you follow the same directions for the most
recentl version of Windows serv...
03-08-2017
I believe there are GPOs available now for managing Firefox and Chrome
in a domain environment.
01-03-2017
This config actually worked for me. I had an issue with the L2L tunnel
the traffic was utilizing cau...
Created by
David Niemann
in Application Networking
11-21-2016
11-21-2016
Trying to set up a bidirectional connection that source NATs all rserver
initiated connections to th...
05-25-2016
I have a pair of S380 WSAs using WCCP redirect from an ASA. I'm doing
http and https proxying. The c...
04-18-2016
No changes other than more hosts showing up on the mac address block..
It's now at 2056. versus 43 u...
04-14-2016
I have this same issue, but I had the Zone already defined as the Inside
arm of my ASA and the netwo...
03-03-2016
Is it possible to configure an ASA to be used for VPN only in one arm
mode? We use to have a VPN 300...
02-20-2016
I figured out how to rehome my licenses on Firesight and then have them
be applied to the 5506X. I f...
02-17-2016
I bought a 5506X with full services, Protection, Control, Malware and
URL filtering. I had opened a ...
Public Statistics
| Date Registered | 01-10-2005 05:38 PM |
| Date Last Visited | 09-09-2019 01:34 AM |
| Total Messages Posted | 216 |
| Total Helpful Votes Received | 34 |
Helpful Votes Given To
.jpg "Hall of Fame Guru"){kind=icon}
Helpful Votes From
