About Karsten Iwen

Karsten Iwen · ‎10-18-2019

Unless something changed recently, SSLVPN is not supported on the ISR4k. AnyConnect with IPsec is supported.

Karsten Iwen · ‎10-18-2019

If you want to use AnyConnect remote-access-VPN then you can use either. With the ASA software there are more features for VPN available, but with FTD you get Next-Gen Firewalling. If you want to use WebVPN (through the clienteles portal), then you have to use the ASA as that is not supported on FTD. For FTD you don't need FMC, but again, there are more features available compared to FTD managed through FDM.

Karsten Iwen · ‎10-18-2019

I never ran into this situation. But the licenses that you fulfill in the classic license portal are not known to smart licensing that you need. Try to select the license and convert it to smart licensing. Edit: And when you have strong encryption enabled, don't use 3DES any more. Use AES instead.

Karsten Iwen · ‎10-07-2019

Probably only Cisco could find out what will happen in this case. If it is just the ACL operation that fails I would assume that it fails to the security levels. And that could either be close or open.

Karsten Iwen · ‎10-02-2019

If a device fails, then it often could fail to anything. If you assume the whole box fails, then it fails close. But your question implies a software-failure. Here it also could fail to open. But IMO at least this kind of bug did not show up in the last 20 years for this platform.

Karsten Iwen · ‎10-02-2019

My interpretation is the following: Cisco will still support the boxes if they fail. But due to due diligence you should not operate them any longer as they could have severe vulnerabilities.

Karsten Iwen · ‎09-30-2019

Also have a look at this presentation: https://www.youtube.com/watch?v=3RAyHNN_49Q

Karsten Iwen · ‎09-25-2019

Another scenario is that you have a DMZ with a public IP network because the server in this DMZ needs communication to the internet without NAT. If this DMZ is accessed through the VPN, you have public IPs in your encryption domain. But more likely, whenever accessing a public service through VPNs, the public IPs make sure there is no overlap with your own addresses.

Karsten Iwen · ‎09-23-2019

As already mentioned, AnyConnect connections with IKEv2 are supported. I went through the configuration some time ago and the way it is configured is completely different from the config on the ASA. There are config guides available, I think with a search for "FlexVPN Server" you should find the relevant guides. For my implementation, after being ready with that, I repented to not have just placed another small ASA parallel to the router which had been much easier. Next time I will do it that way.

Karsten Iwen · ‎09-18-2019

I think the easiest option is still missing from the recommendations: Just configure a Port-ACL and attach it to the switchport pointing to that device. It could look like the following: ip access-list extended UNTRUSTED-DEVICE deny tcp any any eq 22 ! or if only SSH to the local switch-IP 10.10.10.10 ! should be denied: deny tcp any host 10.10.10.10 eq 22 permit ip any any ! interface gig 0/23 ip access-group UNTRUSTED-DEVICE in

Karsten Iwen · ‎09-18-2019

In ASDM you go to Certificate Management and add a new trustpoint. There you upload the PFX, specify the PFX-password and the certificate gets imported. The standby ASA will directly receive this new certificate from the active one.

Karsten Iwen · ‎09-13-2019

You are welcome!

Karsten Iwen · ‎09-13-2019

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

Karsten Iwen · ‎09-13-2019

here is a starting point: https://community.cisco.com/t5/networking-documents/how-to-upgrade-or-downgrade-the-ios-on-an-isr-or-similar-router/ta-p/3111919

Karsten Iwen · ‎09-13-2019

You can configure a redundant interface on the ASA and add one member-interface connecting to SW1 and one member-interface connecting to SW2. The redundant interface also can have sub interfaces for all your needed VLANs. But as ASA and the Switch don't share any information which switch is HSRP-active, you could have a non-optimal traffic flow.

Karsten Iwen · 10-18-2019

Unless something changed recently, SSLVPN is not supported on the ISR4k. AnyConnect with IPsec is su...

Karsten Iwen · 10-18-2019

If you want to use AnyConnect remote-access-VPN then you can use either. With the ASA software there...

Karsten Iwen · 10-18-2019

I never ran into this situation. But the licenses that you fulfill in the classic license portal are...

Karsten Iwen · 10-07-2019

Probably only Cisco could find out what will happen in this case. If it is just the ACL operation th...

Karsten Iwen · 10-02-2019

If a device fails, then it often could fail to anything. If you assume the whole box fails, then it ...

Karsten Iwen · 10-02-2019

My interpretation is the following: Cisco will still support the boxes if they fail. But due to due ...

Karsten Iwen · 09-30-2019

Also have a look at this presentation: https://www.youtube.com/watch?v=3RAyHNN_49Q

Karsten Iwen · 09-25-2019

Another scenario is that you have a DMZ with a public IP network because the server in this DMZ need...

Karsten Iwen · 09-23-2019

As already mentioned, AnyConnect connections with IKEv2 are supported. I went through the configurat...

Karsten Iwen · 09-18-2019

I think the easiest option is still missing from the recommendations: Just configure a Port-ACL and ...

Karsten Iwen · 09-18-2019

In ASDM you go to Certificate Management and add a new trustpoint. There you upload the PFX, specify...

Karsten Iwen · 09-13-2019

You are welcome!

Karsten Iwen · 09-13-2019

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ign...

Karsten Iwen · 09-13-2019

here is a starting point: https://community.cisco.com/t5/networking-documents/how-to-upgrade-or-down...

Karsten Iwen · 09-13-2019

You can configure a redundant interface on the ASA and add one member-interface connecting to SW1 an...

Date Registered	‎12-21-2006 02:52 PM
Date Last Visited	‎10-18-2019 04:03 AM
Total Messages Posted	5,868
Total Helpful Votes Received	4219

Re: SSL or IPSEC

Re: ASA or Firepower for ssl vpn

Re: Activate 3DES on Firepower Threat D...

Re: What if ASA filtering/ACLs fail?

Re: What if ASA filtering/ACLs fail?

Re: EoL of Life for switch 3750X

Re: WiFi only Deployment

Re: public IPs in lan to lan VPN encryp...

Re: Ios ssl Anyconnect vpn

Re: How to disable SSH into the port

Re: Certificate install on ASA

Re: 2 distribution switches to 1 ASA

Re: 2 distribution switches to 1 ASA

Re: how to enable securityk9_npe

Re: 2 distribution switches to 1 ASA

Re: SSL or IPSEC

Re: ASA or Firepower for ssl vpn

Re: Activate 3DES on Firepower Threat Defense

Re: What if ASA filtering/ACLs fail?

Re: What if ASA filtering/ACLs fail?

Re: EoL of Life for switch 3750X

Re: WiFi only Deployment

Re: public IPs in lan to lan VPN encryption domain

Re: Ios ssl Anyconnect vpn

Re: How to disable SSH into the port

Re: Certificate install on ASA

Re: 2 distribution switches to 1 ASA

Re: 2 distribution switches to 1 ASA

Re: how to enable securityk9_npe

Re: 2 distribution switches to 1 ASA