Cisco ASA 5506-X: Bridged BVI Interface
KB ID 0001422 Problem When the ASA 5506-X appeared there was much grumbling, “This is not a replacement for the ASA 5505, I need to buy a switch as well!” and “I have six ports on the firewall I cant use” etc. While I understand that, and if truth be told the ASA 5505, was SUPPOSED to be used in SOHO environments where an all in one device, (with PoE) was a great fit. The problem was, people started throwing...
Cisco ASA: ‘Received an un-encrypted INVALID_COOKIE notify message, dropping’
KB ID 0001421 Problem Saw this in a forum today, and knew what it was straight away! While attempting to get a VPN tunnel up from a Cisco ASA (5508-x) to a Sonicwall firewall this was there debug output; Apr 06 00:45:21 [IKEv1]IP = x.x.x.x, IKE Initiator: New Phase 1, Intf Lan, IKE Peer x.x.x.x local Proxy Address 192.168.90.150, remote Proxy Address 10.252.1.1, Crypto map (Internet_map) Apr 06 00:45:21 [IKEv1 DEBUG]IP = x.x.x.x,...
Cisco WLC: EAP-TLS Secured Wireless with Certificate Services
KB ID 0001420 Problem Ah certificates! If I had a pound for every time I’ve heard “I don’t like certificates”, I could retire! The following run through is broken down into the following parts; Setup the Cisco WLC (WLAN) Setup NAP (RADIUS). Setup Certificate Auto Enrolment. Setup Group Policy to Deliver the Wireless Settings. Note: If you are scared of certificates, sometimes it’s easier to setup password...
Cisco ASA: Updating and Copying files from USB
KB ID 0001377 Problem Cisco ASA firewalls have had USB sockets on them for a while, but a dig into the documentation only yielded, ‘for use in future releases’. Well they are working now! Note: Firewall shown is a 5516-X (running version 9.8(1)) Solution Your drive needs to be formatted as FAT (not NTFS), I’m going to update/install some AnyConnect client software, but there’s nothing to stop you uploading a...
Cisco ASA EZVPN (Revisited)
KB ID 0001261 Problem EZVPN is a technology that lets you form an ISAKMP/IPSEC VPN tunnel from a site with a dynamically assigned IP (EZVPN Client,) back to a device with a static IP (EZVPN Server). I’ve called this EZVPN revisited, because this is a technology I’ve talked about before. So why am I here again? Well back then I used the ASDM. If you do that now, you need to go in and mess about with things to get it to work...
ASA5505 – ‘This Licence Does Not Allow Configuring Of More Than 2 Interfaces’
KB ID 0001367 Problem When attempting to bring up a ‘3rd VLAN’ on an ASA 5505 firewall you see an error like this; Petes-ASA# configure terminal Petes-ASA(config)# int vlan 3 Petes-ASA(config-if)# nameif DMZ ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a “no forward” command on this interface or on 1 interface(s) with nameif already configured....
Cisco ASA 8.2 Upgrade to 8.3
KB ID 0001366 Problem I can’t believe I’m writing this, it’s been so long since 8.3 was released (7 Years!) And still there’s firewalls out there running old code? Why is the 8.3 upgrade important? This update made some very major changes to the way we did NAT, and also the way we wrote ACL’s. It was a big change. I remember keeping my client firewalls on 8.2 for a while until I fully understood the...
Meraki Block Page http://wired.meraki.com:8090 ‘Not Found’
KB ID 0001365 Problem If you have a Meraki Security device and have enabled ‘Content Filtering’, instead of a nice ‘block-page’ informing you why you are being blocked you may see this; http://wired.meraki.com:8090 This is happening because your Corporate DNS is resolving ‘wired.meraki.com’ to 54.241.7.184, which you can also see if you look at the URL you are trying to connect to it on port 8090. A...
Cisco FirePOWER (On-Box / ASDM) Change the Time Zone
KB ID 0001363 Problem At first this was just a bug, now it’s annoying, I don’t know why Cisco have not got round to fixing this, it’s still a problem in the latest (6.2.2 at time of writing,) version. Solution Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Manually > Save Policy and Exit. Deploy > Deploy FirePOWER Changes > Deploy. To View...
Cisco ASA: Prioritise RDP Traffic
KB ID 0001359 Problem I have a client who had two sites, one didn’t have a particularly good internet connection, (which is the actual problem that needed to be solved). But in the interim, he wanted me to prioritise RDP traffic, as his staff were constantly complaining about the speed of their connections. Note: They may be a myriad of reasons why user experience is bad for an RDP session, this was quite simply a bandwidth...