Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About David Niemann
05-03-2019
David Niemann
Participant
Experienced Senior Network Engineer with specialty of Security
Recent Badges
Stats
Member since
01-10-2005
216
Posts
34
Helpful
4
Solutions
06-28-2018
06:19 AM
You can either generate a self-signed certificate and have it pushed to your workstations as a trusted CA cert via Windows GPOs or if you have a PKI generate a cert for the WSA that will be trusted by your domain.
... View more
Created by
David Niemann
in Web Security
in Web Security
03-24-2018
07:36 AM
03-24-2018
07:36 AM
I would think as long as you follow the same directions for the most recentl version of Windows server it should still work. Using the permissions changes on the DCs shouldn't have changed that much. Keep in mind I believe CDA will be going away in favor of ISE-PIC so you may want to look into that. As of yet I don't think the WSA code supports it yet, but I do believe it's coming. I'm still using CDAs for my transparent authentication, but I have ISE enabled for passive authentication and I can see how WSA will be able to get what it wants from that.
... View more
03-08-2017
04:11 AM
I believe there are GPOs available now for managing Firefox and Chrome in a domain environment.
... View more
01-09-2017
05:45 PM
Can you post some of the logs from the access logs when the site is accessed?
... View more
01-03-2017
08:08 AM
This config actually worked for me. I had an issue with the L2L tunnel the traffic was utilizing causing it to be dropped. Once the L2L tunnel as up it worked as planned.
... View more
Created by
David Niemann
in Application Networking
in Application Networking
11-21-2016
02:10 PM
11-21-2016
02:10 PM
Trying to set up a bidirectional connection that source NATs all rserver initiated connections to the same IP as the inbound VIP. I think I have the config right, but it doesn't seem to work. The IP that should be used for all comms is a VIP of 172.31.0.176 which you will see in the NAT pool. the 172.31.0.178 was created as a VIP for the rservers to send outbound to which will be source NATed to the 172.31.0.176.
rserver host RS_XXX_CORP_SMARTHOST_1 description XXX CORP SMARTHOST FOR EMAIL ip address 5.5.5.5 inservice
serverfarm host SF_EXC2013_SMTP_OUTBOUND description Exchange 2013 SMTP predictor leastconns rserver RS_XXX_CORP_SMARTHOST_1 25 inservice
sticky ip-netmask 255.255.255.255 address source Sticky_SrcIP_EXC2013_SMTP_OUTBOUND serverfarm SF_EXC2013_SMTP_OUTBOUND replicate sticky
class-map match-any VS_EXC2013_SMTP_OUTBOUND description Exchange 2013 SMTP Outbound 2 match virtual-address 172.31.0.178 tcp eq smtp
policy-map type loadbalance first-match EXC2013_SMTP_OUTBOUND class class-default sticky-serverfarm Sticky_SrcIP_EXC2013_SMTP_OUTBOUND
policy-map multi-match Farm_VIPS
class VS_EXC2013_SMTP_OUTBOUND loadbalance vip inservice loadbalance policy EXC2013_SMTP_OUTBOUND loadbalance vip icmp-reply active nat dynamic 6 vlan 511
interface vlan 511 description ACE-DMZ-front bridge-group 1 mac-sticky enable access-group input BPDU access-group input ANYONE nat-pool 6 172.31.0.176 172.31.0.176 netmask 255.255.255.0 pat service-policy input PM_AdminAccess service-policy input Farm_VIPS no shutdown
... View more
- Tags:
- ACE SNAT
Labels:
05-25-2016
12:58 PM
I have a pair of S380 WSAs using WCCP redirect from an ASA. I'm doing http and https proxying. The clients all have the certs of the WSAs to enable the decryption. The WCCP load balancing is done by destination (the default). I have random users throughout the day that experience periods of not being able to load web pages. Any browser is affected and it's very random and doesn't affect all users. I've tried doing captures with TAC and have not been able to find a smoking gun of the root cause. At this point I've even removed one of the WSAs from the WCCP redirect so all users are going through a single WSA and I still hear complaints about it. I have actually seen a similar issue myself once. It's almost like the browser (all browsers) just stall and get stuck on loading. Then after a few minutes the page just all of the sudden fully renders. I'm about fed up with the incessant calls about Internet performance. If I bypass a user via WCCP redirect they have no issues. There are no tell tale issues in the logs. I've opened a few TAC cases, but the issues are so random I can never fully capture it in progress. I'm running WSA 8.0.8 and all proxies are managed by SMA. Anyone have any advice or recommendations? I'm about at the point of moving to AVC and URL blocking on the ASAs directly with Firepower and scrap the WSAs
... View more
- Tags:
- WSA WCCP ASA
Labels:
03-03-2016
12:08 PM
Is it possible to configure an ASA to be used for VPN only in one arm mode? We use to have a VPN 3000 concentrator that worked in one-arm mode. It basically just provided VPN connectivity for users and NATed all their connections prior to be routed back out the same interface. I would assume using some flavor of hair pinning configuration would be required at a minimum.
... View more
- Tags:
- asa nat vpn
Labels:
Created by
David Niemann
in Intrusion Prevention and Detection Systems (IPS - IDS)
in Intrusion Prevention and Detection Systems (IPS - IDS)
01-07-2016
09:08 PM
01-07-2016
09:08 PM
You can configure threat-detection auto shun. Depending on which statistic you use it will auto shun IPs based denies from ACLs, scanning activity or state/TCP misbehaving. We use this on our older ASAs. You can set it to remove the shun after a set amount of time or leave it indefinitely.
... View more
12-24-2015
07:37 AM
I think you use CDA (Context Directory Agent) for this purpose. It gets configured to query domain controllers and creates a cache of User ID to IP mappings which the ASA (and WSA) can query for identity information. I use it for WSA and the problem I've seen is getting the DCs configured per the setup instructions for CDA. Our AD admins had issues with this on 2k8 and 2k12 DCs. Once the DC is configured properly to handle CDA queries, it seems to work pretty well.
... View more
12-24-2015
07:19 AM
I didn't filter it out, it appears that they updated the webroot score.
... View more
12-24-2015
07:16 AM
Under Network->Authentication->Global Authentication Settings do you have "Action if Authentication Service Unavailable" set to Block all traffic if authentication fails?
... View more
12-24-2015
07:05 AM
I didn't get any calls about this but upon examining my logs I was seeing blocks as well until around 7:40AM this morning. Now they are passing. BTW, TAC will tell you that policy trace isn't reliable. The logs are the recommended way to troubleshoot. Apparently the policy trace can produce incorrect results. Don't understand why myself, but I've been told this on several occasions.
Dec 24 07:31:37 <removed> accesslogs_syslog: Info: 1450960297.682 1 <removed> TCP_DENIED/403 0 GET http://www.msftncsi.com/ncsi.txt - NONE/- - BLOCK_WBRS_12-UpdateAgents-Exempt_User_Agents-DefaultGroup-NONE-NONE-NONE <IW_comp,-6.8,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","othermalware","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -
Dec 24 07:43:27 <removed> accesslogs_syslogs: Info: 1450961008.522 14 <removed> TCP_MISS/200 237 GET http://www.msftncsi.com/ncsi.txt - DIRECT/www.msftncsi.com text/plain DEFAULT_CASE_12-UpdateAgents-Exempt_User_Agents-DefaultGroup-NONE-NONE-DefaultGroup <IW_comp,-4.6,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,IW_comp,-,"Unknown","othermalware","Unknown","Unknown","-","-",135.43,0,-,"Unknown","-",-,"-",-,-,"-","-"> -
... View more
06-28-2018
You can either generate a self-signed certificate and have it pushed to
your workstations as a trust...
03-24-2018
I would think as long as you follow the same directions for the most
recentl version of Windows serv...
03-08-2017
I believe there are GPOs available now for managing Firefox and Chrome
in a domain environment.
01-03-2017
This config actually worked for me. I had an issue with the L2L tunnel
the traffic was utilizing cau...
Created by
David Niemann
in Application Networking
11-21-2016
11-21-2016
Trying to set up a bidirectional connection that source NATs all rserver
initiated connections to th...
05-25-2016
I have a pair of S380 WSAs using WCCP redirect from an ASA. I'm doing
http and https proxying. The c...
04-18-2016
No changes other than more hosts showing up on the mac address block..
It's now at 2056. versus 43 u...
04-14-2016
I have this same issue, but I had the Zone already defined as the Inside
arm of my ASA and the netwo...
03-03-2016
Is it possible to configure an ASA to be used for VPN only in one arm
mode? We use to have a VPN 300...
02-20-2016
I figured out how to rehome my licenses on Firesight and then have them
be applied to the 5506X. I f...
02-17-2016
I bought a 5506X with full services, Protection, Control, Malware and
URL filtering. I had opened a ...
Public Statistics
| Date Registered | 01-10-2005 05:38 PM |
| Date Last Visited | 05-03-2019 01:42 AM |
| Total Messages Posted | 216 |
| Total Helpful Votes Received | 34 |
Helpful Votes Given To
.jpg "Hall of Fame Master"){kind=icon}
Helpful Votes From
