We have a VPN tunnel from our Amazon AWS footprint to our ASA 5500 which currently sends traffic from our AWS servers in 10.200.12.0/24 to our on-premise network; there's also a 172.27.1.0/24 in the ACLs and crypto maps which works but is no longer used.
I am trying to add a new range, 172.31.1.0/24, which is a partner network out a different tunnel (terminating at another CI) and is distributed through the network via OSPF. This works fine on-premise (our production on-premise LAN can see this great), but the ASA is dropping traffic bound for 172.31.1.0/24 at this end (vs. the AWS end) of the tunnel; the behaviour looks similar to when crypto ACLs don't match between VPN devices.
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I'd normally expect to see this if ACLs don't match, but the crypto map shows the new range correctly. Also, the AWS side has correct ACL rules that allow this and correct routes (otherwise the traffic wouldn't enter the tunnel, right?)
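The post suspects a crypto ACL mismatch between the two VPN peers, and that is a property you can check mechanically rather than by eye: for a site-to-site tunnel, every "permit ip SRC DST" entry on one peer needs a mirror-image "DST SRC" entry on the other, or the far end never selects that traffic for the tunnel. The script below is an added example, not code or configuration from the thread. It parses ASA-style crypto ACL lines, compares them against a far-end policy list written in CIDR form, and reports entries that have no mirror. The ACL name outside_cryptomap, the on-prem prefix 192.168.10.0/24 and the whole far-end list are constructed placeholders; in the constructed data the far end was never updated for 172.31.1.0/24, which is the case the script is meant to surface.

```python
"""Mirror-image check for site-to-site crypto ACLs.

Added example, not configuration or code from the thread. Inputs are constructed:
the ACL name "outside_cryptomap", the on-prem prefix 192.168.10.0/24 and the
far-end policy list are placeholders standing in for the real ASA and AWS-side
configurations.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network), as the ACL line reads

# Constructed ASA-side crypto ACL in ASA "network mask" notation. The last line is
# the newly added partner range; the other two stand in for the existing entries.
ASA_CRYPTO_ACL = """
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 10.200.12.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.27.1.0 255.255.255.0 10.200.12.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.31.1.0 255.255.255.0 10.200.12.0 255.255.255.0
"""

# Constructed far-end (AWS side) interesting-traffic list, one "local remote" CIDR pair
# per line, written as that side sees it. It was never updated for 172.31.1.0/24.
FAR_END_POLICY = """
10.200.12.0/24 192.168.10.0/24
10.200.12.0/24 172.27.1.0/24
"""


def _take_net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ASA address spec ("any", "host A", or "A MASK") at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash, so no mask conversion is needed.
    return Net(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_asa_crypto_acl(text: str) -> Set[Entry]:
    """Parse 'access-list NAME extended permit ip SRC DST' lines into (src, dst) pairs."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list" or "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            continue  # port-specific entries are out of scope for this check
        src, i = _take_net(tokens, i + 2)
        dst, _ = _take_net(tokens, i)
        entries.add((src, dst))
    return entries


def parse_cidr_pairs(text: str) -> Set[Entry]:
    """Parse 'LOCAL_CIDR REMOTE_CIDR' lines (the far end's view) into (src, dst) pairs."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries.add((Net(parts[0]), Net(parts[1])))
    return entries


def mirror(entries: Set[Entry]) -> Set[Entry]:
    """The mirror image of an ACL: every (src, dst) becomes (dst, src)."""
    return {(dst, src) for src, dst in entries}


def find_asymmetries(asa: Set[Entry], far_end: Set[Entry]) -> Dict[str, List[Entry]]:
    """Entries that exist on one side but have no mirror on the other."""
    return {
        "missing_on_far_end": sorted(asa - mirror(far_end)),
        "missing_on_asa": sorted(mirror(far_end) - asa),
    }


def flow_selected(entries: Set[Entry], src_ip: str, dst_ip: str) -> Optional[Entry]:
    """Return the first entry that selects a src->dst flow, or None if nothing matches."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in sorted(entries):
        if src in entry[0] and dst in entry[1]:
            return entry
    return None


if __name__ == "__main__":
    asa = parse_asa_crypto_acl(ASA_CRYPTO_ACL)
    far = parse_cidr_pairs(FAR_END_POLICY)
    for side, missing in find_asymmetries(asa, far).items():
        for src, dst in missing:
            print(f"{side}: {src} -> {dst}")
    # A packet from AWS toward the partner range: the ASA's ACL (read in reverse for
    # inbound traffic) selects it, but the far end never does, so the peers disagree.
    print("far end selects:", flow_selected(far, "10.200.12.7", "172.31.1.5"))
    print("ASA (reverse) selects:", flow_selected(mirror(asa), "10.200.12.7", "172.31.1.5"))
```

Run it with the real ACLs pasted in place of the constructed ones; an entry listed under missing_on_far_end is a prefix the local peer will protect but the remote peer will never place in the tunnel, and the reverse list catches the opposite mistake. The check only covers the interesting-traffic selection; an acl-drop can also come from the interface ACL or a missing NAT exemption, so an empty report narrows the search rather than closing it.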