About Karsten Iwen

Karsten Iwen · ‎11-21-2018

If you have a problem with that, you really need to be more specific with your problem description.

Karsten Iwen · ‎11-20-2018

Well, if the packets don't make it to the device where you do the access-control, then for sure it will be a problem ...

Karsten Iwen · ‎11-20-2018

Given that you have the "inspect icmp", you only need to allow icmp echo for your solarwinds host on your inside ACL: access-list inside-access-in permit icmp host X.X.X.X any echo

Karsten Iwen · ‎11-16-2018

The hardware of the 2504 is probably powerful enough for your needs. The only challenge that you'll face is that you have to develop your own operating system to run on the 2504 as the Cisco WLC software is not meant to do what you need. If you are a highly talented linux kernel-developer, that task can't be that hard ...

Karsten Iwen · ‎11-15-2018

Which ASA software version are you using? In newer versions, EtherChannels should work for the FO-link. Instead of using a channel, you can also configure the redundant interfaces for this link: https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/interface-echannel.html#ID-2077-000000af

Karsten Iwen · ‎11-08-2018

Your capture shows that there is a connection on port tcp/22. So it is most likely not the network, but a misconfiguration between SSH-server and Client. Configure the firewall to only use ssh version 2 and tell your client to use SSH version 2. Also make sure that both client and server have public/private key pairs: https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344

Karsten Iwen · ‎11-08-2018

Because the PLUS license is "per user", you can activate the license on all your ASAs. There is also a VPN-ONLY license that is licensed for a single unit and concurrent users. But I would assume that this will be more expensive.

Karsten Iwen · ‎11-07-2018

You only need to buy the licenses once as the licenses are combined on the ASA. And with the user-based licensing you don't care about the amount of ASAs, you just license the ASA. In your case I would ask my preferred reseller for AnyConnect PLUS for 250 Users with a subscription of 5 years.

Karsten Iwen · ‎11-02-2018

It is much easier: Go to your https-FQDN with Firefox, click on the certificate icon and in the details of the certificate view you can export the certificate. This way you also make sure that you don't accidentally export the private key of your certificate.

Karsten Iwen · ‎10-30-2018

Well, I assume that this is a discussion that should better be done with someone from ASA product management.

Karsten Iwen · ‎10-30-2018

I just see that the newly released ASA version 9.10 nor supports DTLS 1.2, but not on the 5506. Did you refer to that and not the general availability? Perhaps it's really caused by limited resources when some CPU/RAM is permanently reserved for a security-module. But I hope that Cisco will later also implement it for the 5506.

Karsten Iwen · ‎10-29-2018

A typical reason for this behavior is when the secondary unit has less functional interfaces compared to the primary unit. Have you checked that both units are equally healthy?

Karsten Iwen · ‎10-28-2018

That is a question to ask your local Cisco SE. And it's probably not related to ASA resources, more likely is that it's not deemed important enough at Cisco (sadly, I also hope for DTLS 1.2).

Karsten Iwen · ‎10-28-2018

Have you also removed the old config pointing to dialer0? That also has to be done to make it work. And the NAT-command has to use the IP-interface: ip nat inside source list 101 interface Vlan4 overload

Karsten Iwen · ‎10-19-2018

After reading it again (and again), yes, you could be right but I'm not sure. My understanding of the term "associate-level exam" in the context of recertification was that it has to be an exam that gives you the Associate-level certification. And that is not achieved with 210-250. Hopefully, someone else can shed some more light on this specific one.

Date Registered	‎12-21-2006 02:52 PM
Date Last Visited	‎11-21-2018 12:19 AM
Total Messages Posted	5,661
Total Helpful Votes Received	3684

Re: Anyconnect split tunnel can't ping ...

Re: Allow ICMP through Cisco ASA

Re: Allow ICMP through Cisco ASA

Re: WLAN 2504 as a router

Re: Cisco ASA Failover Link Redundancy

Re: I can't access ASA SSH behind a rou...

Re: AnyConnect License

Re: AnyConnect License

Re: ASA 9.8 How to export self-signed c...

Re: DTLS 1.2 & 5506

Re: DTLS 1.2 & 5506

Re: ASA Act/Stby Failover question

Re: DTLS 1.2 & 5506

Re: NAT on the ISR 886VA via FastEthern...

Re: CCNA Recertify