MAC OSX – Connecting to Cisco IPSEC VPN
KB ID 0001197 Problem Here we are dealing with the older IPSEC VPN method of remote VPNs, NOT AnyConnect. There is/was a VPN client for Mac OSX which you can still download. But modern versions of OSX have the Cisco IPSec VPN client built into them. I’m assuming you have already configured the firewall, if not see the article below; Cisco ASA5500 Client IPSEC VPN Access Solution Open your network preferences and add in a new...
Cisco ASA – Converting IKEv1 VPN Tunnels to IKEv2
KB ID 0001196 Problem We’ve had IKEv2 support on Cisco ASA for a while, (since version 8.4). I tend to set up site to site VPN tunnels at command line, and on the rare occasions I’m using the ASDM I normally just ignore the IKEv2 settings. Like all techies I know a way that works, so I will keep doing it that way. What’s the difference between IKEv1 and IKEv2? IKE version 2 is a lot more efficient and has a smaller...
Cisco Add FirePOWER Module to FirePOWER Management Center
KB ID 0001178 Problem If you only have one FirePOWER service module you can now manage it from the ASDM; ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM) But if you have got more than one, you can manage them centrally with the FirePOWER Management Center, (formerly SourceFIRE Defence Center). WARNING: If you are going to use FMC DON’T register your licences in the ASDM, they all need to be registered in the FMC. ...
Cisco – Testing AAA Authentication (Cisco ASA and IOS)
KB ID 0001175 Problem I always forget the syntax for this, and I’ve been meaning to publish this for a while so here you go. If you have AAA set up and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step! Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well. Solution Cisco ASA Test AAA Authentication From...
Cisco FirePOWER SFR Module Cannot Ping
KB ID 0001174 Problem On a newly deployed FirePOWER service module I wanted to test connectivity and attempted to ping a public IP address. This is what happened; > expert admin@Petes-SFR:~$ ping 8.8.8.8 ping: icmp open socket: Operation not permitted My first thought was, “Well you have to set a default gateway on the SFR when you set it up, so the firewall is probably blocking ICMP”. So I checked the default policy...
Cisco Firepower Services – Change IP and DNS Addresses
KB ID 0001173 Problem If you change your internal LAN addresses it’s easy to re-ip the firewall but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won’t let you change it? Solution Change the FirePOWER Module IP Address Log into the firewall, then open a session with the SFR module. Find the physical address of the module (usually eth0, but check). Petes-ASA#...
Re-Image and Update the Cisco FirePOWER Services Module
KB ID 0001164 Problem This takes ages! Seriously, if it’s late in the afternoon you might want to do this tomorrow morning, or leave the re-imaging running overnight. (Remember if you set the FirePOWER module to ‘fail-closed’, you will lose internet access, so you might want to change that to ‘fail-open’ as well). The process is a LOT EASIER to do in the ASDM, I’m not usually an advocate of the GUI,...
Cisco FirePOWER – Update Fails ‘Peer Registration Failed: Registration in Progress’
KB ID 0001162 Problem If you attempt to perform an update on the FirePOWER services module in your firewall, you may see the following error; Error Installation Failed: Peer registration in progress. Please retry in a few moments I found myself in this situation because I’d attempted to register the firewall in the FirePOWER Management Center Appliance, and the process failed, (because the versions were different). So when I...
ASA Setup FirePOWER Services (for ASDM)
KB ID 0001107 Problem Both the 5506-X (rugged version and wireless), and 5508-X now come with a FirePOWER services module inside them. This can be managed from either ASDM* (with OS and ASDM upgraded to the latest version), and via the FireSIGHT management software/appliance. Related Articles, References, Credits, or External Links *UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed...
FMC – AMP Malware Inspection
KB ID 0001159 Problem If you take a look in your SourceFire dashboard, and there is no data shown on the malware threat section like so; Solution The message is pretty descriptive, and it’s telling you exactly what you need to do. Now I’m making the assumption that you have added a valid AMP / Malware licence like so; Policies > Access Control > Edit your access control policy > Then Edit the file policy. Add in...