Firewalling – InfraWorld

Cisco Firepower Chassis Manager Radius Configuration

January 20, 2017 Rob Rademakers Leave a comment

There are many configuration guides on the Cisco website with details about configuring RADIUS and TACACS+ on a Cisco Firepower Chassis Manager. See this link for the configuration guide for 2.0(1).
In this document, you can read the following comment:

Remote User Role Policy

Controls what happens when a user attempts to log in and the remote authentication provider does not supply a user role with the authentication information:

Assign Default Role—The user is allowed to log in with a read-only user role.
No-Login—The user is not allowed to log in to the system, even if the username and password are correct.

But… it’s very hard to find what attributes are needed to assign a user the administrator role.
Read more

Cisco ACI & Microsoft Hyper-V & L4 – L7 integration

March 9, 2016 Rob Rademakers 2 comments

There are options to integrate L4 – L7 devices, like firewalls or load balancers (Cisco ASA, F5, Citrix Netscaler, etc), into Cisco ACI. These integrations can be done in a managed mode, with a device package, or unmanaged mode. Both modes are available if you are using Cisco ACI with VMware vCenter integration.
When you are using Cisco ACI with Microsoft Hyper-V, you cannot integrate any L4 – L7 device yet (Q1 2016). The options to integrate these devices are not available if you select an SCVMM domain.
More to come..
My thought
Cisco ACI is a great product, which I’ve implement at some customers already. I’ve seen the product grow in the last year from something “not production ready” to an stable product which can be used in production environments. But like all new products, there are still some limitations around which can be a struggle during implementations. The VMware integration into ACI is done and complete, the Hyper-V implementation is still pretty new and some features are missing. I’m sure that the Hyper-V implementation will be more complete in the next major ACI release, but at this point in time you need to know about the limitations which are still around.

Workaround: BUG in ASA IOS 8.4(4) and 8.4(5) adding network-object-nat

January 24, 2013 Rob Rademakers 6 comments

When upgrading from prior IOS 8.4 to 8.4(4) and 8.4(5), the configuration will be converted for the new IOS without any problems. But when you’re creating a new Network Object NAT rule, you’ll get a nasty error:

ERROR: NAT Policy is not downloaded

There’s no solution for this error at this point (january 2013), Cisco TAC mentioned me that the development team is still working on this issue but it’s hard for them to reproduce this error in their lab.
But.. there is a workaround available!
Read more

Cisco ASA

Cisco ASA back-up internet connection with site to site VPN

January 15, 2013 Rob Rademakers One comment

Some time ago a customer wanted an back-up solution on one of their offices for internet and VPN connection towards the datacentre. On both location they use Cisco ASA 5505 firewalls.
Configuration needed on the Office Firewall
Read more

Cisco ASA