About ericgearhart

Just for kicks I compiled a local copy of OpenSSH 5.5 with the jpake source (from https://github.com/seb-m/jpake/tree/master/openssh-jpake ) and it doesn't appear to work: eric@laptop:~/jpake/openssh-5.5p1> ./ssh -o "ZeroKnowledgePasswordAuthentication yes" user@my-PA-firewall command-line line 0: Unsupported option "ZeroKnowledgePasswordAuthentication" Password: ... View more

That does look correct to me... the logical flow of the ACL looks like it would do what you want. It looks like this is what you're trying to achieve: nonat traffic from your specific server to your two remote sites don't nonat anything else from that specific server on the 192.168.1 subnet nonat all traffic from 192.168.1.0/24 to anwhere Looks good to me! ... View more

So if an answer's incorrect but is marked answered, what's the procedure? ... View more

Nice! I did not know that! I never thought I'd see them open up EIGRP ... View more

Hey if what you have configured is working then that's all good... it's hard to "eyeball" a config and point things out without having an ASA around. Glad I could help! ... View more

In that example you've got I think in your two ACLs you've got the directions backward. In the ACLs you're basically pointing out what traffic will flow over the IPsec tunnel. If for example your headquarters subnet is 192.168.0.0/24 (your remote site is 192.168.1.0/24 in your example above), you want to say "everything flowing from 192.168.0.0/24 to anywhere will flow over the IPsec tunnel" So you'd need this, in your example from above: object-group network HQ-Encrypt     network-object 192.168.0.0 255.255.255.0 object-group network RemoteSite-Encrypt     network-object 0.0.0.0 0.0.0.0 And your ACLs would look like this: access-list nonat extended permit ip object-group HQ-Encrypt object-group RemoteSite-Encrypt access-list remote_vpn extended permit ip object-group HQ-Encrypt object-group RemoteSite-Encrypt ... View more

That 'nat (inside) 0 access-list nonat' is the NoNAT I was thinking of... basically your internal LAN source won't be NAT'd at all. This part of your config: nat (inside) 0 access-list nonat nat (inside) 1 192.168.1.0 255.255.255.0 ...basically says "don't NAT traffic if it matches this specific access list (named nonat in your example). NAT everything from 192.168.1.0/24, and use the interface named 'outisde'  to NAT behind." The "nat (inside) 0" line is a special config line - "nat 0" statements are really what you DON'T want to NAT (hence the access list name, nonat) You could just flat out turn off NAT on the ASA honestly... you could "no out" your global NAT and your "nat (inside)" statements instead of trying to NoNAT everything ... View more

I meant build the ACL on the switches themselves But yes, I see what you mean... looking at Cisco's docs, DHCP snooping would be the "cleanest" way to solve the problem, if your switches support it http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_dhcpsnoop.html ... View more

I wonder if building an ACL to block UDP port 67/68 traffic could help with this problem too ... View more

Fixed in 4.1.12 as well as far as I'm aware for those still on that code base... still waiting on its release though. ... View more

I have Zabbix watching several pairs of PA firewalls as well, and graph trending on interfaces, CPU, memory, firewall sessions, etc all work. Also alerting on specific events works too (for example: "if the session table goes over 80% utilization send an alert") ... View more

If the Palo Alto only saw the request from the DNS server out to the Internet and alerts on that traffic, wouldn't that still not provide enough info to track down the original client? If you added a mirrored switch port of your LAN side network trwffic to a tap port on the PA, then the original client could be seen. Also if you segregated your DNS server from your clients into two separate VLANs and used the PA to route between them, you'd see the original traffic that way too. Full packet capture / centralized logging is still the overall 'best practice' in my humble opinion ... View more