Cisco ASA preshared keys in clear text without tftp? Here it is!
To all of you who work with Cisco firewalls and have felt the frustration that the preshared key is not shown in clear text, so that you have had to use tftp and other tricks to get a psk out of the configuration: here is a Christmas present for you. Merry Christmas and a happy new year! To all of you working with Cisco Firewalls [...]
CCIE Security – Cisco ASA Modular Policy Framework Example
This is the first in a series of posts in English dealing with technical configurations and solutions. The reason for this is that I am studying for the CCIE Security certification, and along the road I will probably find interesting stuff to share with others in the same situation as I am. (I've already found that more good configuration [...]
CCIE Security – My home mini-lab
I have built a home mini CCIE-lab out of left-overs. The current hardware is: 3 Cisco 1811 routers (2+8 Ethernet) 2 Cisco 2960 switches (each 24 FastEthernet and 2 GigabitEthernet) 1 ASA 5505. Unfortunately DMZ-restricted. 1 Linksys access point (SOHO-model 54ABG) My current Windows 7 PC running VMware Workstation The lab is physically connected in the same [...]
CCIE Security – Creating vlans on a router
I just tried to create a third L3-interface in one of my C1811-routers. These are equipped with two FastEthernet router-interfaces and one 8-port FastEthernet-switch. Since the latter are L2-interfaces I need to create a vlan and tie that to one of the switchports rather than configuring IP-addressing directly on the interface like I've done on [...]
CCIE Security – filter output of show commands
Did you know that you can use multiple arguments when piping IOS output thru include? Works great on switches: sw1#sh int | incl FastEthernet|input errors 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored FastEthernet0/1 is up, line protocol is up (connected) [...]
ASA built-in help
Did you know that the kind coders at Cisco have put a lot of help for us into the CLI of the ASA firewall? Here are two examples: vpnsetup todo-list With the vpnsetup-command you can see a list of configuration tasks needed for setting up different types of VPN: fw2(config)# vpnsetup ? configure mode commands/options: ipsec-remote-access [...]
Cisco ACL logging with cookies
The cookie-feature of logging in router access-lists is new for me and I fell in love with it at first sight! I don't know how often I debug complex ACLs trying to find where specific traffic hits. By adding a “cookie” after the log-statement in an ACE you get that cookie tagged to all log-events. [...]
This blog is transforming from a Swedish all-purpose blog into an English-language tech blog. The reason for that is my preparation for the CCIE Security certification lab. All old Swedish posts are still here, just click on the Swedish/English categories-link above to filter.
CBAC – Make the Cisco router stateful
CBAC is a simple way to turn a Cisco router from being a stupid packet filter into a stateful firewall with protocol inspection. The following example explains how to configure CBAC to allow return traffic back when an inside web client makes an HTTP request to an external web server. Topology: First I have my inside acl specifying what outbound traffic to allow [...]
IOS overlapping NAT
There are not many situations where the ordering of lines in the router configuration really matters (apart from inside ACLs or different kinds of “maps”). But when dealing with address translations it's really important because they are processed in the same order as they were added in the running-config. Let's say that I want to [...]
IOS Archive feature
What changes have been done since last “wr mem”? Or more like; what differences are there between running-config and startup-config? Use the archive-feature! r2#sh arch conf diff nvram:startup-config system:running-config Contextual config diffs: line vty 0 4 +transport input all +transport output all line vty 0 4 -transport input telnet -transport output all Wanna make periodic [...]
Read the entire lab first and make a good diagram!
The main challenge and discoveries during the last days of my “labbing” had nothing to do with technologies, TLAs or ETLAs. It has all been about finding out how to attack the lab. How to work focused and be well prepared before beginning to configure boxes. I have read in several different places that everyone [...]
Asymmetric routing in ASA – TCP state bypass
Today I continued my work to fully understand MPF (Modular Policy Framework) and found a new cool feature in ASA 8.2: TCP State Bypass. By bypassing the TCP state machine for certain traffic you can get around problems with asymmetric routing. In my home lab I built this scenario: On my inside network I have this client [...]
PAM-table – a cheat-sheet for well known port numbers
The ip port-map router command gives you an extensive list of protocols and their respective port numbers. This can come in handy at the CCIE lab where you don't have access to Google.
Cisco IOS Zone Based Policy Firewall
The last days I have been testing Zone Based Policy Firewall in Cisco IOS. It's a feature much like CBAC. It's using the same basics of inspection-configuration. The major difference between CBAC and ZBFW is that while the first is built upon inspection at specific interfaces, the latter defines zones of one or many interfaces [...]
MPF Task: prevent surfing to those sites at these times.
For today's lab session I gave myself a small task: Configure the internet-ASA to prevent myself from surfing to specific time-consuming websites except for 5 minutes every hour. The task sounds easy and as soon as I figured out how to do MPF with a time-based acl for specifying inspect-traffic it just took me a few minutes [...]
MPF Task: Solution!
Solution: The solution to this is the fact that this doesn't work with the regexps: class-map type inspect http match-all class-FIND-BANNED-URLS match request uri regex class class-map-JIMMYS-BANNED-SITES ! uri is the part of the url after the hostname, the directory-path and filename on the web-server. By matching uri you can in the “http://www.facebook.com/jimmy.larsson” match on [...]
Cisco ACS 4.1 eval download
The CCIE Security Lab blueprint specifies ACS v4.1 for Windows. It seems that Cisco has removed links to the previous Evaluation version download. However, it still exists there. Here is the link: Cisco ACS 4.1 for Windows eval. It requires CCO-login.
Cisco ASA “active/active” failover
I often get into discussions with customers about the active/active feature of Cisco firewalls (ASA/FWSM). There seems to be a lot of confusion regarding the possible redundancy scenarios. The short story first: The only scenario where active/active can be done is when you have 2 physical units and at least 2 virtual firewalls (contexts) configured. [...]
Gliffy – an online Visio clone!
Gliffy is a really cool alternative to Visio when it comes to creating network topology diagrams. I guess there are already plenty of reviews of this app, I just want to make sure that everyone knows of Gliffy's existence. It's online, it's good and it is (kind of) free! Try it…
Today's question: What's within the scope of the task?
Today's lab preparations were dealing with IPS. But it could be OSPF or English grammar or anything. What I am learning nowadays when working with IPExpert Workbooks has not much to do with technology. I pretty much know how to configure stuff. The big challenges for me are to understand the scope of the task and not [...]
Cisco IPsec VPN client for 64-bit Windows OS after all?
It seems that Cisco has changed their mind. For a long time it has been said that one major step for Cisco to promote use of the new SSL AnyConnect VPN client was to not release a traditional IPsec VPN client for 64-bit Windows. Cisco has received lots of criticism for this, primarily because AnyConnect usage is a licensed feature [...]
Lab notes – WB1 Lab4 Part 1
Today I started to work with IPExpert CCIE Security workbook 1 Lab 4a – VPN solutions. During my work I made the following notes which might be interesting to read for other CCIE candidates. I will also from now on continue to make these notes and post them on this blog. Explaining and writing is simply a [...]
GRE-tunneling between two IOS-routers.
The last days I've been playing with GRE tunnels (just to prepare myself for testing DMVPN). I did a simple GRE tunnel between two routers (split apart with a firewall simulating the internet) and made EIGRP flow thru the tunnel. It's really cool and simple. Just create a Tunnel interface and assign source and destinations: interface Tunnel0 ip [...]
Configuration examples for VPN solutions
IPsec. GRE. IPsec/GRE. Crypto maps. ISAKMP profiles. IPsec profiles. Dynamic crypto maps. DMVPN Phase 1, phase 2, phase 3. GET VPN. Easy VPN. NHRP. X-auth. PKI. AnyConnect. Portal. RRI. I could continue forever. In my journey of investigating all weird flavours of VPN I've decided to try each of them in my home lab and make [...]
Config example: Vanilla static ipsec vpn with crypto map
(Topology here) This is by far the most common implementation of IPsec Lan2Lan (at least in my world). It uses static crypto maps applied to the outbound interface of each router. A proxy-acl defines interesting traffic, authentication is done with a pre-shared key and it uses isakmp main mode for setting up the tunnel. Ok. First things first. Make [...]
Config example: Static to dynamic IPSec
(Topology here) Ok. So we have established a static VPN tunnel between two routers. But what if r1 has a dynamic or unknown peer IP? Let's change the previous configuration to reflect this: The config on r1 will be the same. The changes will be done on r3. First, remove what we don't need anymore: r3(config)#no [...]
Config example: GRE tunnel-interfaces
GRE tunnel-interfaces Tunnel interfaces are really cool. In a later post I will describe how to use them to establish an IPsec tunnel, but for now we will just ignore the fact that we don't encrypt the packets. GRE (Generic Routing Encapsulation) was invented by Cisco. It uses IP protocol 47 and encapsulates the entire packet within a new [...]
CCIE Security Lab Exam Preparation Checklist
Cisco recently released an Exam Preparation Checklist which is kind of like an extended blueprint. It's an extensive and detailed list of topics that you should know before taking the CCIE lab exam. I made a copy of that Checklist and graded my current knowledge of each topic on a scale from 1 to 5 where [...]
Home Lab Terminal Server
Until now I had the consoles of my Cisco devices connected to a Windows PC. It was easy but not as flexible as I wanted, since I had to RDP to it when I wasn't at home and use PuTTY to the serial port inside that RDP session. So I found an old laptop, installed Linux on it (actually Backtrack [...]
Once upon a time I had a Bästis.
Once upon a time I had a Bästis. It's Swedish for “The Best Friend”. We spent day and night together. We shared everything and got to know each other like no one else. It was 25 years ago, but still it feels like yesterday. Today I don't think about him very much. In fact I've forgotten that [...]
EzVPN Server on IOS in three different flavours
Comparison between 3 different ways to configure EzVPN on IOS. Example 1: EzVPN-server vanilla-style aaa new-model ! ! aaa authentication login default none aaa authentication login AAA-AUTHEN local aaa authorization network default none aaa authorization network AAA-AUTHOR local ! ! username cisco password 0 cisco ! ! crypto isakmp policy 10 encr aes authentication pre-share [...]
Yusuf's Lab 1
Hi I haven't been very active on my blog lately. Guess why? This lab preparation is killing me… But today I dived into Yusuf's Practice Lab 1 and I made a few notes. Please comment. /Jimmy First of all. If you use proctorlabs gear to do Yusuf's Labs you see that the naming of the [...]
Doing some magic translations in Cisco ASA
I recently got a question from a colleague regarding address translations in Cisco ASA. He wrote: Got a question from a customer if you can do the following: 1. NAT the . IP address of a machine located on the DMZ to inside with the same address as the NAT has been: at the outside [...]
I did not pass the test today.
I did not pass the test today. I just left Brussels after my first take on the CCIE Security lab. So, what happened? I showed up early, 7:40. The test was about to start at 8.15 and I waited in the reception with the other candidates until we were escorted to the lab room. The proctor [...]
What about wiping your firewall for breakfast?
You know how it is? You are typing so fast making changes in your Cisco gear that you don't always pay attention to which mode you are in? Doing config commands at exec level, exec commands at config level and adding “do” in front just to make them pass? Wanna know if that happens too fast and you are in [...]
Doing mean things on your router?
line con 0 exec-timeout 0 0 autocommand reload /quiet autocommand-options delay 20 !
ASA user authentication with Active Directory
Most often we Cisco guys use RADIUS or TACACS when we are about to do authentication of users. But did you know that doing authentication from VPN to a user database in an Active Directory doesn't require IAS, ACS or any third-party software at all? In fact there are multiple ways in ASA to talk to [...]
Cisco AnyConnect for iPhone!
For those of you that haven't heard – the Cisco AnyConnect VPN client for iPhone is finally released! /Jimmy
Cisco ASA hairpinning
Cisco Pix/ASA hairpinning The term hairpinning comes from the fact that the traffic comes from one source into a router or similar devices, makes a U-turn and goes back the same way it came. Visualize this and you see something that looks like a hairpin. Hairpinning is only relevant when the firewall is in routed [...]
Happy New Year!
My goal for 2010 was to nail that CCIE Security exam. I didn't. During the first half of 2010 I spent almost all spare time studying and making practice labs. I did an attempt in Brussels in July but didn't make it. The goal then was to continue my studies asap after the summer vacation, while [...]
ACS 4.1 -> 5.1 migration tool
A while ago I did a migration of Cisco ACS from v4.x to v5.x. As you probably know there is a migration tool that can be used to migrate some (but not all!) of the configuration-details from 4.x into 5.x. What happened to me was very strange and I would like to share it with [...]
Technically there are only 2 types of WEP keys: 40 bits and 128 bits. The WEP standard says that the keys should be in HEX format when communicating. This means that they can be either 10 hex digits (40 bits divided by 4 bits per hex digit) or 32 hex digits (128 bits divided by 4). For example BEEFBABE01 or 1234567890ABCDEF1234567890ABCDEF. [...]
Checkpoint redundancy vs Cisco ASA
I am a true Cisco ASA-guy. I eat, live and sh…. ASA:s. I have been working with Cisco gear since forever and the first Cisco Firewall I configured was a Cisco 520 with floppy. Nevertheless, I also know some stuff about other firewalls. I have been working with iptables, Watchguards, Symantec/Raptor/whatever and installed a few [...]
ASA-generated traffic thru Lan2Lan-tunnel?
Recently I got a request from a Cisco ASA customer who wanted to authenticate VPN users with a remote RADIUS server. Using RADIUS is a piece of cake, but those of us that have been working with Cisco Pix/ASA for a while know that traffic to/from the box is not nearly treated the same way as traffic going [...]
ASA-generated traffic – part2
In my previous post I successfully made ASA-generated traffic go into a VPN tunnel. The catch with that was that the traffic (in my case: RADIUS) was sourced from the interface closest to the destination (outside) and I had to add that traffic to my crypto access-list to make it into the tunnel. This case [...]
Missing feature: Cisco ASA dhcp static leases
Cisco ASA has a built-in DHCP server that can come in handy in some situations. Corporate deployments almost certainly contain one or more servers and especially when it comes to Windows networks I wouldn't recommend anything other than a proper server-based DHCP server. In smaller implementations however, the youngest sibling in the ASA family, the 5505, is often the [...]
Another missing ASA-feature: telnet and ssh client
Every single decent Cisco device on earth has the ability to let a CLI user jump to another device with telnet or ssh. Except the ASA. I really wish that this feature could be added. Right now I am troubleshooting a firewall and from where I am right now the only way in is to SSH to [...]
Private ipv4 addresses as a security reason not to convert to ipv6?
A while ago I got into a discussion with one of my customers regarding IPv6. He told me that one reason not to migrate to IPv6 was security. - I don't want to tell the entire world what IP addresses I have on my servers. And when using IPv4 and NAT my internal IP [...]
Cisco ASA memory Upgrade
Newer versions of Cisco ASA require more memory. Running AnyConnect with multiple platform support requires more flash memory than is built in. There are memory upgrades available for purchase from cisco.com which I highly recommend. However, for lab purposes any DDR memory and CompactFlash card will do. Have a look at my lab gear. First, an ASA5505. On [...]
Strange Win7-behavior with AnyConnect and Ipv6
I think Windows 7 behaves strangely with AnyConnect and IPv6. I have recently been doing a lot of IPv6 configurations and as part of that I tried out the IPv6 support in the Cisco AnyConnect client. While doing that I found a lack of functionality when it comes to IPv6 in combination with Windows 7 and [...]
WLC2100 and ASA 5505 use the same hardware. Can they be converted?
I wonder if one can convert a Cisco Wireless Controller 2106 into an ASA 5505 or vice versa. It seems to be the same hardware. Anyone that knows if there is any burned-in differences, or is it just a matter of replacing the software? I will try to swap the CF-card in an ASA5505 [...]
Stuck with an auth-proxy task
Hello I am currently working on a task (INE CCIE Security WB 1 Task 2.9) where I am supposed to configure a RADIUS-based IOS auth-proxy. The task is this: Configure Authentication Proxy settings on R3 per the following requirements. Use the RADIUS server at 10.0.0.100 with the authentication key CISCO. The authentication proxy should [...]
ISE host name and AD joining
Recently we tried to join a Cisco ISE instance to Active Directory without success. The problem seemed to be the length of the ISE host name. Even though the system supports host names up to 19 characters long, we couldn't add the ISE to AD until we shortened the name to a maximum [...]
RSS-feeds with partial content sucks!
I am a fan of RSS readers. I use Google Reader all the time to keep track of interesting blog and news sites. Actually, I rarely visit blog sites directly, just from my RSS reader. And I love it. But there are a few really good blogs that are configured not to post the full [...]
ASA TCP ping
Did you know that the latest code for the Cisco ASA firewall (8.4) now supports TCP ping? I have earlier complained about the fact that you cannot telnet out from an ASA CLI. You still can't, but at least you can use the TCP ping feature to see if a specific TCP port is reachable. That's [...]
Happy new year – Again! :-)
When purging and cleaning ancient posts I found this post where I wished everyone a Happy New 2011. And I felt that it was time for an update. So, what happened during 2011 – did I become a Cisco CCIE Security? The short answer is: No. In February 2011 my written CCIE Security exam [...]
How to play case status table-tennis with Cisco TAC
The problem: have you ever had an open TAC case with Cisco, just waiting for them to provide either a solution or some other kind of feedback, and all that happens is that the TAC engineer sends you an email telling you that they “have work in progress” or something else not-making-the-case-evolve? If so, I [...]
Cisco Ironport WSA – what happened?
I have recently implemented a few Cisco Ironport WSA solutions. When doing a follow-up after the implementation, the customer usually reacts with “Oh… WSA? We forgot about that. It probably works…” But what difference does it make? If the customer forgets about their web proxy, what good does it do? Let's have a look at an [...]
Quick note: Inactive Anyconnect sessions not removed.
I recently had a TAC case regarding a Cisco ASA 5510 firewall with AnyConnect clients which had issues with VPN clients not being able to connect due to “no address available”. It turned out that the “show vpn-sessiondb anyconnect” command showed 50+ AnyConnect sessions that were over one month old! Like this: sh vpn-sessiondb anyconnect Session Type: AnyConnect Username : [...]
Cisco Live 2012 in London – short resume of my sessions
I just returned home after spending almost a week in London attending Cisco Live. Much can be said about the event and many have already summarized their experience, so the plan for this blog post is to make a short resumé of the sessions I attended. Many were great, most were good but a few [...]
Cisco ISE Profiler in action
I am a huge fan of Cisco ISE and Trustsec. I have done a few live implementations as well as at home (anyone should run Trustsec at home! ). There will probably be a lot of ISE-related posts here in the near future. Here I just want to reflect on how well the built-in [...]
Cisco ISE Password Recovery
Cisco Identity Services Engine (ISE) has by default one single user for accessing the GUI: admin (default password: ‘default’). Many accounts can be created from the GUI and different accounts can have different roles/rights. Besides that, there is an admin account in the CLI as well. It is important to note that this is NOT the same account [...]
Basic ASA Lan2Lan VPN Example
Or – ASA Lan2Lan-VPN for dummies. I often get questions related to Lan2Lan-tunnels in ASA. This post serves as a cheat-sheet for different software versions. Pix v6.x isakmp enable outside isakmp policy 1 authentication pre-share isakmp policy 1 encryption des isakmp policy 1 hash md5 isakmp policy 1 group 1 isakmp policy 1 [...]
New product: Cisco ASA CX
Yesterday at the RSA Conference Cisco released a new product named ASA CX. As usual when Cisco releases information about new products you have to dig a lot to see thru all the marketing material and find technical details. And so is definitely the case here also. There are a few videos recently uploaded to YouTube [...]
Cisco IPSec VPN-client ports
“I cannot connect with my Cisco IPSec VPN client when I am behind a firewall” “I can connect my VPN client but can't get any traffic thru” “I have changed the settings on the Transport tab and now I don't know which settings are correct” Have you heard them all? I have, plenty of times! In fact, [...]
Cisco ASA v9.0 software released!
The long awaited 9.0 software for the Cisco ASA firewall is now released and available for download from cisco.com. Here is a short list of the most obvious new features: Scansafe integration From now on there is built-in support for Cisco Cloud Web Security (formerly known as ScanSafe). Up until now, any support in ASA [...]
This is probably the most perverted form of NAT I have ever done. <flamebait> But, it serves as a proof that with proper NAT there is no need for routing </flamebait> Scope: There is a Cisco ASA running code 8.3+ that divides my home network 192.168.1.0/24 from my lab networks. My home devices use [...]
Cisco ASA 9.1 released
Without any prior notice Cisco released software version 9.1 for the ASA firewall. The only new feature in 9.1 is CX support for X-models other than the 5585-X. This probably means that it will very soon be possible to run CX functionality in all models from 5512-X up to 5585-X. I say 'soon' because there still doesn't [...]
Cisco Live – Management of ASA CX firewalls
There is a lot of buzz around Cisco Prime. It's obvious that Cisco put a lot of effort and money into this product. Cisco Prime will eventually be a whole suite of management tools under the same umbrella and my gut feeling is that this sooner or later will replace the entire CiscoWorks suite. [...]
Cisco CLI access using Radius and ISE
When Cisco released ISE as a “new ACS”, questions were quickly raised regarding the fact that there is no TACACS+ support in ISE. With v1.0 of ISE Cisco said “TACACS+ will come in a future version” but we haven't seen it in v1.1, not in 1.1.1 and not in 1.2 either. Will it be added to [...]
Cisco ASA Anyconnect licensing for dummies
The picture below should be self-explaining. Click it for a larger version. The text below is just for Google indexing purposes, please ignore. Do you need to use the clientless SSLVPN portal? Anyconnect Essentials Licenses will be fine. L-ASA-AC-E-55xx= where xx is the hardware model. Example: L-ASA-AC-E-5510= for an ASA5510. This will give you [...]
ASA Nat behavior with multiple public ip ranges changed after upgrade
I recently upgraded a customer ASA from v8.2 to 9.0 and while doing that I found out that some (yeah!) of the static NAT translations didn't work after the upgrade. Skilled ASA upgraders know that this happens a lot. That's why we (yes, I hereby include myself in the 'skilled' group) more often than not start our [...]
Cisco Cyber Threat Defense
I am currently attending an introduction class in Cisco Cyber Threat Defense. Since I had never heard the phrase before I couldn't wait to show up. Cisco Cyber Threat Defense is a conceptual thing just like TrustSec. It brings several building blocks together to form a unique functionality. The pieces that CTD is built upon are StealthWatch [...]
Make drawings to understand the topology of firewall implementations
Every time I see a new implementation of a Cisco ASA firewall I need to know how it is connected. Before doing any changes in the configuration and before answering any questions regarding the functionality of the FW I first need to have the full picture of the topology. Often the only source of [...]
New authors will join this site.
There are upcoming changes to this site. So far I (Jimmy) have been the only author here and the focus has primarily been on security-issues I stumble upon. I have invited a few friends of mine to be co-authors on nat0.net. These people have different backgrounds and different skills. The one thing common to all [...]
Allow me to introduce myself…
Hello, world! I’m the first contributor that Jimmy has brought on to help flesh out nat0.net a bit. I’m Henrik, a thirty-something (I’m milking the term now, as my 40th birthday is 29 days from now…) married man in a medium-sized Swedish town. I’ve been working with computer networks full time since 1997, and [...]
Do not force Periodic Password Changes
Every 90 days my employer forces me to change my password to our systems. And I hate it! But I don't hate it that much anymore since I found out that they only keep track of my 10 latest passwords. And that the password length is just 10 characters. So I have invented a password [...]
Transparent Firewalling using Palo Alto Virtual Wire
We all know the story. You deploy a network to extremely tight specifications, and when you ask – just to make sure you understand the requirements, of course – if it’s absolutely certain that the client IP ranges will never change, that this system will never need to be accessible from the Internet and that there is [...]
IPv6 address assignment will be messy
I am currently working on developing an introductory workshop for IT consultants on the subject of IPv6. Scope: A client (Windows 7) is connected to an internal network. On the same network there is a router facing the internet, and a DHCPv6-enabled server. Scenario 1 The DHCPv6 service is disabled. The router has RA (Router Advertisements) enabled. [...]
DNS Doctoring in Cisco ASA
Issue: Your internal clients try to reach an internal server, but since they resolve the address of the server from an external DNS server they will get a public IP. Solution: DNS Doctoring. In the example below your client is on the internal 192.168.1.0/24 network. When looking up the hostname for the webserver www.domain.com it [...]
hash-based password generator
After reading about SQRL, the QR-based login system invented by Steve Gibson, I started to think about hashed password generators as a light variant of SQRL. What if you could have a password generator that always gives you the same output? Think about it. You use the generator that outputs the password “1LKk23j!2323^dfD” to be [...]
A new contributor to the blog! – Who am I?
Well, that's a question I ask myself sometimes without getting a really good answer! But as an introduction to this blog and you readers I'll try to make an effort to explain in some nice words. My name is Ola and I am 38 years old, single and I live in a very small town somewhere [...]
Ironport WSA https-certificate import
Memento: When exporting a root certificate (with its private key) from a Microsoft Root CA you get a pkcs#12-file (.pfx). In order to import this cert and key into the Cisco Ironport WSA as a root certificate you need to do this: Move the .pfx-file to a machine with openssl installed Run “openssl pkcs12 [...]
SHA-1 is dead! Or at least dying…
As you all hopefully know by now, Microsoft released a security update that disallows the use of RSA keys with a key length below 1024 bits. And now there is a new important security advisory from MS with news on certificates in the platform. This time they are issuing a recommendation to discontinue the use [...]