Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Marvin Rhoads
Marvin Rhoads
Member since
06-28-2001
.jpg){kind=icon}
Hall of Fame Master
CCNP Security (CCIE Sec. written June 2017, one lab attempt so far!), Fire Jumper, Cisco Support Community Hall of Fame and VIP x6. Passionate about solving problems in network security and helping others learn to do the same.
15770
Posts
14558
Helpful
2961
Solutions
Recent Badges
Awards
06-17-2019
07:53 AM
First hit if you google FTD Migration tool:
https://www.cisco.com/c/en/us/products/security/firewalls/firepower-migration-tool.html
It has a link to download, a demo video and a step-by-step guide. The guide answers your questions about prerequisites and requirements, including confirmation that an FMC is required.
As a free and unlicensed product it does not include TAC support per se. However if you have problems with the migrated configuration, you can open a TAC case associated with the target device or the FMC.
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
06-17-2019
05:11 AM
06-17-2019
05:11 AM
That's odd.
Try this:
- change (or confirm) your ASDM preference to preview cli commands before sending
- deselect the box and apply, check the command is sent with "no" prepended
- reselect it and apply, check the command is sent.
Let us know the outcome.
... View more
06-16-2019
11:09 PM
It gives no options. :/
SSL decryption is the killer. Cisco (nor most others) won't commit to (or recommend) trying to do SSL decryption at full line rate for that high of throughput.
That said, they have tweaked SSL decryption performance for some of the more recent releases (introduced in hardware as of 6.2.3 and on by default in 6.3 and 6.4) and the tool might not yet reflect that.
I'd check directly with your Cisco SE if high throughput SSL decryption is important to you. Other security options (WSA, Umbrella, ETA etc.) may be more architecturally appropriate to address the underlying security need.
... View more
Created by
Marvin Rhoads
in VPN and AnyConnect
Marvin Rhoads
in VPN and AnyConnect
06-16-2019
08:03 PM
06-16-2019
08:03 PM
It sounds like your issue is more with your RADIUS server than it is with Firepower. When you say "NPS rule" are you talking about Microsoft Network Policy Server?
If Cisco ISE were your RADIUS server, it can generally discriminate on username, OU membership, connection profile etc. to determine what authorization result to return.
... View more
06-16-2019
07:51 PM
Cisco recommends we use this tool for FTD/NGFW:
https://ngfwpe.cisco.com
The output is not as verbose; but they have consistently declined to make a more comprehensive tool available - even to partners.
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
06-16-2019
07:47 PM
06-16-2019
07:47 PM
Are you connecting as admin or other user with level 15 authorization privilege?
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
06-16-2019
07:33 PM
06-16-2019
07:33 PM
@KylePericak9919 wrote:
...
Is there any way short of manually blocking traffic to each higher-level network, then allowing any any, to resolve this?
That's the recommended solution.
Typically, where the internal networks are RFC 1918, you can just do the single allow and then a couple of lines do deny the three RFC 1918 supernets (or one line of you define a network object group for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and then a final "allow any any".
... View more
Created by
Marvin Rhoads
in VPN and AnyConnect
Marvin Rhoads
in VPN and AnyConnect
06-15-2019
07:24 AM
06-15-2019
07:24 AM
I'm not quite sure if you want to:
a. use multiple RADIUS servers (which you can do from FMC and then select them as appropriate for a given remote access VPN policy) or
b. something else.
Can you explain a bit further?
... View more
Created by
Marvin Rhoads
in VPN and AnyConnect
Marvin Rhoads
in VPN and AnyConnect
06-14-2019
10:59 PM
06-14-2019
10:59 PM
Why use split tunnel if you want all traffic to go over VPN?
Does your upstream "ISP" know to route traffic to your VPN pool (10.10.5.0/24) back via the ASA outside interface?
... View more
06-14-2019
08:07 PM
Now that you've added the port 3389 (rdp) your use case changes. You want a static port forwarding NAT rule:
nat (inside,outside) static (interface or mapped IP address) service tcp 3889 3889
See https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html#anc10
... View more
Created by
Marvin Rhoads
in VPN and AnyConnect
Marvin Rhoads
in VPN and AnyConnect
06-14-2019
05:30 AM
06-14-2019
05:30 AM
The images are checked in order for a match with the client OS. After the first match, the check stops. Since you have not removed the reference for the older version, that one continues to be used.
You can safely remove the reference to 4.6 (be sure to make sure the new image is present on disk and, if you have an HA pair, also on the standby unit's disk - they don't replicate).
conf t
webvpn
no anyconnect image disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg end wr mem
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
06-13-2019
09:04 PM
06-13-2019
09:04 PM
You're welcome. Thanks for rating.
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
06-13-2019
08:04 PM
06-13-2019
08:04 PM
Cisco Secure ACS is past end of sales but there are still some good resources available online. See this Labminutes series for example:
http://www.labminutes.com/video/sec/ACS
Cisco Prime Infrastructure has some free training (PDF job aids and videos) that Cisco created at the following location:
https://www.cisco.com/c/m/en_us/training-events/product-training/prime-training-infrastructure.html#tab=tab-1-content
Labminutes also has Prime Infrastructure videos:
http://www.labminutes.com/video/rs/Prime%20Infrastructure.
... View more
06-13-2019
07:57 PM
That would not be a recommended configuration since you need to use dynamic (PAT) rather than static NAT when mapping many-to-one.
... View more
Created by
Marvin Rhoads
in Security Analytics and Management
Marvin Rhoads
in Security Analytics and Management
06-13-2019
08:08 AM
06-13-2019
08:08 AM
Stealthwatch is not a performance analytics tool. It would not be the right solution for the problem you describe. It analyzes Netflow data and, as such, wouldn't have insight into the interactions of tiers in a 3-tier system like you describe.
I don't think there's anything in the Cisco portfolio well-suited to solving this problem. You're probably better off looking at other vendors who specialize in performance monitoring.
... View more
Created by
Marvin Rhoads
in Cisco Live Event Blogs
02-17-2019 06:35 AM
02-17-2019 06:35 AM
Thanks for hosting a lovely dinner Monica and Denise. It was great to
meet so many fellow VIPs and s...
Created by
Marvin Rhoads
in Cisco Cafe Blogs
01-18-2019 06:47 PM
01-18-2019 06:47 PM
My most sincere congratulations. Welcome Peter to the Hall of Fame.
Created by
Marvin Rhoads
in Security Blogs
09-08-2018 11:32 PM
09-08-2018 11:32 PM
@Arne Bier the 2.4 Patch 3 release notes don't mention fixing that bug.
https://www.cisco.com/c/en/u...
Created by
Marvin Rhoads
in Security Blogs
09-06-2018 10:23 AM
09-06-2018 10:23 AM
@iseman-18 it's a bit too soon to tell after only 24 hours or so. I can
confirm that it installed fi...
Created by
Marvin Rhoads
in Security Blogs
08-30-2018 10:44 PM
08-30-2018 10:44 PM
Patch installation should not require a hotfix rollback. Generally the
Patch should include hotfixes...
Created by
Marvin Rhoads
in Security Blogs
08-30-2018 09:19 PM
08-30-2018 09:19 PM
I applied the Struts v2 hotfix and it works fine. Unless you really need
that fix, I'd wait until it...
Created by
Marvin Rhoads
in Security Blogs
08-03-2018 09:50 PM
08-03-2018 09:50 PM
Thanks for the update Hsing-Tsu - I see the new file is posted. I think
I'll wait a week or so to tr...
Created by
Marvin Rhoads
in Security Blogs
08-02-2018 01:27 AM
08-02-2018 01:27 AM
@Istvan Matyasovszki Friday 3 August is the latest projection. It could
be late in the day San Jose ...
Created by
Marvin Rhoads
in Security Blogs
07-31-2018 05:54 AM
07-31-2018 05:54 AM
@Istvan Matyasovszki I've been told to expect it in the coming few days.
I'm sure Cisco will want to...
Created by
Marvin Rhoads
in Security Blogs
07-29-2018 08:00 PM
07-29-2018 08:00 PM
CSCvk57963 was filed as a result of a case I was working with TAC.
Basically the installation fails ...
Created by
Marvin Rhoads
in Cisco Cafe Blogs
01-27-2018 07:47 PM
01-27-2018 07:47 PM
Thank you Monica and the rest of the Cisco Support Community Team. We
appreciate your continued supp...
Created by
Marvin Rhoads
in Cisco Cafe Blogs
09-19-2017 06:21 PM
09-19-2017 06:21 PM
@andrew333. Thank you.
Created by
Marvin Rhoads
in Cisco Cafe Blogs
09-16-2017 05:24 AM
09-16-2017 05:24 AM
@Mark Malone, Thanks Mark.
09-12-2017 08:35 AM
@Becky Scott, Yes - I would expect it to spell check incrementally just
as it does in most other web...
Public Statistics
| Date Registered | 06-28-2001 03:55 PM |
| Date Last Visited | 06-16-2019 11:36 PM |
| Total Messages Posted | 15,770 |
| Total Helpful Votes Received | 14558 |
Helpful Votes Given To
| User | Helpful Count |
|---|---|
| 5 | |
| 20 | |
| 20 | |
| 5 | |
| 10 |
.jpg "VIP Advisor"){kind=icon}
Helpful Votes From
| User | Helpful Count |
|---|---|
| 10 | |
| 10 | |
| 10 | |
| 30 | |
| 50 |
Awards
Hall of Fame
Cisco Designated VIPs
2018 FirePOWER Firewalling VPN
Cisco Designated VIPs
2017 Firewalling Network Management VPN
Cisco Designated VIPs
2016 Firewalling Network Management VPN
Cisco Designated VIPs
2015 Security
Cisco Designated VIPs
2014 Network Management Security
Cisco Designated VIPs
2013 Network Management Security
Cisco Designated VIPs
2019 Firewalls, Firepower, Security
