CCNP Security (CCIE Sec. written June 2017, one lab attempt so far!), Fire Jumper, Cisco Support Community Hall of Fame and VIP x6. Passionate about solving problems in network security and helping others learn to do the same.
The underlying problem should be addressed, or it will eventually cause the SFP to fail prematurely.
In my experience, however, that's a very unusual situation for a multimode fiber connection. Usually the transmit power isn't such that it will over-run a receiver.
Can you share the output of "show interface transceiver detail" for the affected interface?
You cannot mix and match interface modes on an ASA with Firepower service module since a single service-policy governs the traffic redirection.
With FTD the multiple interfaces can be in different modes and there are other options with your policy that can be used as well. But the migration from ASA with Firepower to FTD potentially introduces other issues depending on how the ASA is being used.
The username is saved in the preferences.xml profile (in C:\Users\<username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client) vs. the connection-specific ones (which are found in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) and will always update to the last-used.
I have the same issue since I work with VARs and have multiple AC profiles with variations on my username to account for each customer's naming convention for accounts.
You have the extremely old (>10 years) ASDM image version 6.3(4) installed.
It won't support the modern ciphers that are required by any modern browser (even though you have the 3DES-AES license on the ASA).
You either have to get a new ASDM image or use the CLI to configure.
Is this the same ASA you posted about before that was wiped clean and then recovered?
Most likely you don't have the free 3DES-AES license on the ASA. Please share the output of "show version | i 3DES". If it shows the license is not present then you need to get a license / activation key from software.cisco.com and install it.
The only way to avoid separate connection profiles and associated group policies would be to have something external like ISE dynamically change the authorization (CoA) - i.e. switch the session to a separate connection profile automatically based on the user's contextual information post-initial login.
It would still use separate connection profiles but you would not have to publish them in the dropdown list and would not have to require users to choose among them.
Your defined gateway is the ASA inside address. The laptop address is on the same subnet. Just point ASDM to the ASA's address of 10.1.1.1.
It is allowed ASDM access by virtue of the command "http 10.0.0.0 255.0.0.0 inside" which grants access to any address in the 10.0.0.0/8 supernet.
On Firepower appliances running FTD there is no Active/Active HA per se, since that was a construct from ASA software that relied on multiple contexts. Straight HA on FTD uses an Active/Standby scheme.
You can run a 2-unit cluster which is sort of like Active-Active but very few customers bother to do that.
In any case, separate licenses (IPS subscription, URL Filtering and/or Malware (AMP)) are required for each physical appliance.
ASDM should be reachable from any of the subnets specified in the "http x.x.x.x" commands.
You remove those commands by entering configuration mode ("conf t", which is itself entered from enable mode, i.e. # in the command-line prompt) and using the command "no http x.x.x.x" for each line (substituting the actual addresses for x.x.x.x).
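An added example, written here and not taken from the poster or from Cisco, that evaluates the "http x.x.x.x mask nameif" lines discussed in this post and in the 10.0.0.0/8 post above: it parses them out of a constructed running-config fragment, decides whether a given source on a given interface is granted ASDM access, and produces the "no http ..." commands that would remove each entry.

```python
import ipaddress

# Constructed sample of the relevant running-config lines (not from a real ASA).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
http server enable
http 10.0.0.0 255.0.0.0 inside
http 192.168.50.10 255.255.255.255 management
"""


def parse_http_entries(config_text):
    """Return (network, nameif) pairs from 'http <addr> <mask> <nameif>' lines.

    'http server enable' and any other http statement without the
    address/mask/interface triple is skipped.
    """
    entries = []
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) == 4 and parts[0] == "http":
            try:
                # strict=False tolerates host bits set in the address field.
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue  # malformed line; ignore rather than guess
            entries.append((net, parts[3]))
    return entries


def asdm_allowed(config_text, source_ip, nameif):
    """True if ASDM (HTTPS) from source_ip arriving on interface nameif is permitted."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net and iface == nameif
               for net, iface in parse_http_entries(config_text))


def removal_commands(config_text):
    """The 'no http ...' lines that would remove each access entry, in config order."""
    return [f"no http {net.network_address} {net.netmask} {iface}"
            for net, iface in parse_http_entries(config_text)]


if __name__ == "__main__":
    print(asdm_allowed(SAMPLE_CONFIG, "10.1.1.50", "inside"))  # laptop on the inside subnet
    print(asdm_allowed(SAMPLE_CONFIG, "10.1.1.50", "outside"))  # same address, wrong interface
    print("\n".join(removal_commands(SAMPLE_CONFIG)))
```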
Actually, if there's a published security advisory you may be eligible to get the patched software free of charge and without having a contract from Cisco.
You should call the TAC and have the security advisory number on hand to cite. They may give you some push back but stick to your rights and cite the language in the PSIRT. For example:
"Cisco has released free software updates that address the vulnerability described in this advisory."
Source:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
The ASA 5506 is not yet discontinued. Only the new Firepower Threat Defense and Firepower service module release 6.3 is not available for them. New ASA software will continue to be made available, as will maintenance releases of the 6.2.x Firepower train.
Once the hardware EoX announcement is made it will follow standard Cisco policy for support timelines.
It's still not supported as of the current FMC/FTD release 6.3.
No mention of it was made during the public presentations at Cisco Live Europe last week.
I'd reach out to your Cisco Account Manager if it's an important feature for you or your customers. That raises the priority within Cisco.
I don't think the old style IPS is included on any of the current certification blueprints. It is past end-of-life.
You shouldn't spend too much time studying it.
That said, the commands you cited should be available. Here is the output from one of my ASAs:
asa-5512(config-pmap)# class-map IPS
asa-5512(config-cmap)# match any
asa-5512(config-cmap)# policy-map global_policy
asa-5512(config-pmap)# class IPS
asa-5512(config-pmap-c)# ?
MPF policy-map class configuration commands:
cluster Specify actions related to clustering
csc Content Security and Control service module
cxsc Send traffic to CXSC blade
exit Exit from MPF class action configuration mode
flow-export Configure filters for NetFlow events
help Help for MPF policy-map class/match submode commands
inspect Protocol inspection services
ips Intrusion prevention services
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
set Set connection values
sfr Send traffic to SFR blade
user-statistics configure user statistics for identity firewall
asa-5512(config-pmap-c)# ips ?
mpf-policy-map-class mode commands/options:
inline Inline mode IPS
promiscuous Promiscuous mode IPS
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
inner-routing-lookup Enable IPsec inner routing lookup
profile Set ipsec profile settings
security-association Set security association parameters
asa-5512(config-pmap-c)# ips inline ?
mpf-policy-map-class mode commands/options:
fail-close Block traffic if IPS card fails
fail-open Permit traffic if IPS card fails
asa-5512(config-pmap-c)#