Messages - KDog

#1
Yeah, as above. If you're on an MS-based stack (365, Azure, SP, Intune etc.) then Defender with Advanced Threat Protection.
#2
Security / Re: Upgrade ASA-X to 9.14
May 05, 2021, 06:41:45 PM
Quote from: Dieselboy on May 05, 2021, 12:43:53 AM
Hi KDog,
where does it state that firepower will no longer function on the 5506? I have a planned upgrade for this and didn't see such info  :twitch:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_59003

Scroll down to "ASA and ASA FirePOWER Module Compatibility"; it clearly shows the max FP version is 6.2.3 for the 5506X and that any ASA firmware above 9.9(x) isn't compatible.

Release notes:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html

"No support in 9.10(1) and later for the ASA FirePOWER module on the ASA 5506-X series and the ASA 5512-X—The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints."

Quote from: Dieselboy on May 05, 2021, 12:43:53 AM
I think it's against Australian consumer law for Cisco to do such things.
9.9(x) is still supported, so I'm not sure what laws they are breaking, if any. 9.9(2)85 is available and at current patch level for the latest vulnerabilities.
#3
Security / Re: Upgrade ASA-X to 9.14
May 03, 2021, 08:04:31 PM
Haven't found this specific issue but is it a compatibility issue with the level of hardware/firmware combination?

For instance you can't update ASA-5506X above ASA9.9(x) if you want FirePower services to function.

I'm guessing that if the ciphers have changed then you would need to build a new crypto map, or make sure old ciphers aren't enabled.
#4
Security / Re: Assosiate - adjective
March 09, 2021, 11:10:35 PM
lol,
Which firmware ver? Just checked a few ASA5506x here and they are fine.
#5
Open the keyfile with Notepad++
Check for spaces and/or carriage returns which shouldn't be there, and delete any.
Usually they are before/after the ---- BEGIN SSH2 PUBLIC KEY ---- and ---- END SSH2 PUBLIC KEY ---- tags.
The public key file should just have begin tag, comment with key type, key, end tag.
Probably not an issue in your case, but it is a quick/easy check to do.

I've only ever done this for Win clients (using PuTTY) going to Linux servers so haven't had any issues; not sure how the Windows server would handle the key files, nor have I tried with WinSCP.
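The whitespace check described in this post, as an added example that is not part of the original post or of any tool it mentions: a Python script that parses an RFC 4716 ("SSH2") public key file, reports stray spaces, carriage returns, a byte-order mark and blank lines around the BEGIN/END tags, then strips them and emits the key in the one-line OpenSSH format that authorized_keys expects. The sample key body and its comment `kdog@win-client` are constructed for the example (32 predictable bytes, not a real key pair); the function names are my own.

```python
"""Check an RFC 4716 ("SSH2") public key file for stray whitespace/CRs and
convert it to the single-line OpenSSH form. Added example; the sample key
is constructed (not a real key pair)."""
import base64
import struct

BEGIN_TAG = "---- BEGIN SSH2 PUBLIC KEY ----"
END_TAG = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def make_sample(polluted: bool) -> str:
    """Constructed ed25519 key file. polluted=True adds the junk the post
    describes: a space before BEGIN, CRLF endings, an extra blank line after END."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))  # not a real key
    body = base64.b64encode(blob).decode("ascii")
    clean = "\n".join([BEGIN_TAG, 'Comment: "kdog@win-client"', body, END_TAG]) + "\n"
    if not polluted:
        return clean
    return " " + clean.replace("\n", "\r\n") + "\r\n"


def check_ssh2_public_key(text: str) -> dict:
    """Return {'problems', 'key_type', 'comment', 'openssh'} for an RFC 4716
    file. Each problem is reported and then stripped, so 'openssh' is the
    cleaned authorized_keys line."""
    problems = []
    if text.startswith("\ufeff"):  # Notepad++ can save a UTF-8 BOM
        problems.append("UTF-8 byte-order mark before BEGIN tag")
        text = text[1:]
    if "\r" in text:
        problems.append("carriage returns present (Windows CRLF line endings)")
        text = text.replace("\r", "")
    lines = []
    for number, line in enumerate(text.split("\n"), 1):
        if line != line.strip():
            problems.append(f"line {number}: leading/trailing whitespace")
        lines.append(line.strip())
    if BEGIN_TAG not in lines or END_TAG not in lines:
        raise ValueError("BEGIN/END SSH2 PUBLIC KEY tags not found")
    begin, end = lines.index(BEGIN_TAG), lines.index(END_TAG)
    if begin > 0:
        problems.append(f"{begin} line(s) before BEGIN tag")
    if len(lines) - end - 1 > 1:  # one trailing '' is just the final newline
        problems.append("extra blank line(s) or text after END tag")
    headers, body_parts, pending = {}, [], None
    for line in lines[begin + 1:end]:
        if not line:
            problems.append("blank line inside key body")
        elif pending is not None:  # continuation of a folded header value
            headers[pending] += line.rstrip("\\")
            pending = pending if line.endswith("\\") else None
        elif ":" in line and not body_parts:  # base64 never contains ':'
            name, _, value = line.partition(":")
            pending = name.strip().lower() if value.strip().endswith("\\") else None
            headers[name.strip().lower()] = value.strip().rstrip("\\")
        else:
            body_parts.append(line)
    blob = base64.b64decode("".join(body_parts), validate=True)
    fields, offset = [], 0
    while offset < len(blob):  # blob must be a clean sequence of SSH strings
        field, offset = read_ssh_string(blob, offset)
        fields.append(field)
    if not fields:
        raise ValueError("empty key blob")
    key_type = fields[0].decode("ascii")
    if key_type == "ssh-ed25519" and (len(fields) != 2 or len(fields[1]) != 32):
        problems.append("ssh-ed25519 blob is not a single 32-byte public key")
    comment = headers.get("comment", "").strip('"')
    openssh = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return {"problems": problems, "key_type": key_type, "comment": comment,
            "openssh": openssh + (f" {comment}" if comment else "")}


if __name__ == "__main__":
    for label in ("clean", "polluted"):
        result = check_ssh2_public_key(make_sample(label == "polluted"))
        print(label, "->", result["problems"] or "no problems")
        print("  ", result["openssh"])
```

Run it on a real file with `check_ssh2_public_key(open(path, newline="").read())`; `newline=""` matters, because Python's default universal-newline mode would silently hide the carriage returns the script is meant to find.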
#6
Security / Re: I need your opinions about securing a LAN.
February 18, 2021, 10:57:58 PM
Yep, copy what the others have written above. I'm going to add my own thoughts which you can apply/disregard as you see fit.

1. Use VLANs to separate by logical function; don't use VLANs because of physical floors, unless your floors are divided into personal functions, i.e. floor 1 is storeroom staff, floor 2 accounting, floor 3 legal etc.
2. Have a VLAN for servers, VLAN for desktops, VLAN for storage, VLAN for authentication servers, VLAN for printers/scanners, VLAN for management etc.
3. Are your web servers internal only, i.e. intranet, or will they be exposed to the public internet? If exposed then they should be in a DMZ and the sites should be pentested for security. The operating system should be hardened using CIS guides: root accounts disabled, restricted SSH etc.
4. IDS, IPS are sometimes useful; the other tools such as SIEM/syslog are there so you can analyze an event after it has occurred. Honeypots are only useful if an adversary falls for it and you regularly check it. A solid network design with least privilege and restricted access is the best help.
5. Use a good email spam filter in front of your mail (whether Gmail or O365); Mimecast and Proofpoint are both good but there are many others.
6. Heavily consider using an application whitelisting solution to protect all of your servers and desktops. If malware isn't allowed to run it can't do any damage. It is far superior to any antivirus. Airlock Digital and ThreatLocker are two very good solutions.
7. A good vulnerability scanner or SIEM is a must. I can recommend Tenable as a good scanning solution to monitor your patching. You should also have a good automated patching solution in place; the scanner is then there to confirm it is working as intended.
8. Delete old software that just isn't needed and represents a security risk, i.e. you most likely don't require Flash, Java etc.
9. Robust security policies and change control management.

There is an absolute mountain of basic stuff you (and everyone else) should be doing, but there is no way to cover it all in a single forum.
#7
Enterprise: I use LAPS for Windows desktops. It stores the creds in AD so you can look them up when required. Other passwords are stored in a self-hosted (on the client's site) Bitwarden.

For my home computer I have a text file which is stored in an encrypted container opened with Veracrypt (it is cross platform). Occasionally I use ecryptfs as at home I'm 100% Linux.
#8
I'm guessing no warranty?

Do you know a good electronics technician, or are friendly with the engineering dept at a local university? The inverter could be removed, repaired and returned to service cheaper/quicker than buying a new inverter/ UPS.

I would guess that the input protection (it would be a mediocre design at best) has failed, along with some of the power-handling FETs/IGBTs.
#9
Everything Else in the Data Center / Re: Uptime Nines
October 03, 2018, 07:29:59 PM
Quote from: deanwebb on September 19, 2018, 07:32:15 AM
I saw that tool and immediately thought, "Say, while (X) is down, we can utilize this outage to upgrade (Y) and (Z)..."

In a previous role I may or may not have engineered some unscheduled downtime so that I could do exactly that...
#10
Congrats,
Having put a product through EAL2, it is not a small amount of work.
#11
I solved the issue by getting the creds for the router and changing its crazy setup so that I only need a single subnet per interface on the ASA. lol
#12
Ah, thanks for that, I didn't think of creating a fake VLAN for the subinterface to add to the BVI.

Will give it a try and see how it goes. Will have to get the sec-plus license added though for the final config as I also only have the base license.
#13
I've only played with 5505s, so the interface setup on the ASA5506 is confusing me and the more I think about it the stupider I become. :(
I'm sure this is simple and I'm missing something.

I want to have trunks containing the same IP subnets/VLANs on more than one physical interface:
VLAN100 - subnet 10.10.100.254/24
VLAN200 - subnet 10.10.200.254/24
VLAN300 - subnet 10.10.300.254/24

gigabit ethernet 1/1 - outside
gigabit ethernet 1/2 - Trunk  VLAN/subnet .100 .200 .300
gigabit ethernet 1/3 - Trunk VLAN/Subnet .100 .200

I can get it functioning fine for just one physical interface, but not for more than one.
I've tried doing it using BVI and by just using subinterfaces for subnets. If I try to put a VLAN on more than one physical interface it errors, stating the VLAN is already in use. With BVI I can't assign VLANs, but interestingly if I create a VLAN for any interface the BVI becomes listed as having the native VLAN.
Can I add the subnets as sub interfaces and ignore the VLANs?

The trunk ports will connect to a Cisco router already configured as trunk with VLAN / subnets.

Any help greatly appreciated!
#14
Routing and Switching / Re: Trunking switch
June 06, 2018, 07:05:52 PM
Probably resolved by now, but your second switch is missing the VLAN30 config. Plus it is the native.
#15
Routing and Switching / Re: Easy VLAN problem.....
August 22, 2017, 11:50:51 PM
Solved:  Did you turn it off and on again? Rebooted the N4032 and everything is fine (apart from the whole business not having network/internet etc during reboot).

#Bettertoseekforgivenessthanaskpermission #whoneedschangemanagement