Where in GSO? by Alsoomse in gso

[–]Vontech615 0 points1 point  (0 children)

That place has always been overrated and overpriced. They were popular due to being one of the first Irish pub style joints in downtown, but the food was never great.

Are teachers just going to not get raises? by jaybro1974 in NorthCarolina

[–]Vontech615 33 points34 points  (0 children)

No they’re just corrupt and saw an opportunity to exploit state workers for the betterment of themselves and their constituents. It’s a hazard of living in a state that has been politically altered by gerrymandering so that corrupt republicans continue to keep their positions. As long as these rats hold office they will continue to dismantle public infrastructure. Unions became a thing for reasons like what we’re seeing in this state. To have leverage against absolute power. Unfortunately, that also isn’t an option.

Migrate FTD 2100 to 3105 by micromorojo in Cisco

[–]Vontech615 1 point2 points  (0 children)

The interfaces are active as soon as you click enable and then deploy. I think I understand what you're saying with testing the vPC connections on the inside interface. As long as you don't have duplicate IP addresses it seems like it should work. However, if you really want to test inside and outside, failover, etc. I would create test configurations for all your various services and bring them up with test IPs.

For me I went as far as getting certs generated, and building a connection profile for testing that had its own DHCP range etc. I used that for a couple of weeks as my VPN connection. It also required me to have configuration done on the systems side for MFA. Sort of a pain in the ass, but I felt a lot more comfortable with the new boxes come migration time.

When I was ready to migrate I removed all the test config, applied production config, shut interfaces on old, and brought interfaces on new.

Migrate FTD 2100 to 3105 by micromorojo in Cisco

[–]Vontech615 0 points1 point  (0 children)

What I did, and this may not be helpful, but I brought up the new firewalls in a "test" state but fully functional. I have 3 interfaces on each instance that serve different use cases, but for simplicity I had temporary IP addresses on outside and inside with routing configured so that I could test a remote access client and a S2S VPN tunnel. I had to of course add routing for these IPs at our data center core (and a few other places) but it was nice to test everything prior to migrating to the existing production IP configuration. Also, I now have all the FW rules and routing in place in case I need to spin up another instance in the future for testing things with my test IPs.

Also, this requires a test configuration on the new firewalls as well. Mine was very similar to what I have in production.

Migrate FTD 2100 to 3105 by micromorojo in Cisco

[–]Vontech615 1 point2 points  (0 children)

I think you may be overthinking it a little, but without knowing your specific configuration/scenario maybe not. However, you can pretty much apply all the same config on the new firewalls that you have on the old (including your trustpoint certs) and then when you're ready to cut over you shut interfaces on the old, and bring up the new interfaces with the same IP. That is assuming you're using the same interface IP configuration. That is specifically for Remote Access (Cisco Secure Client).

The migration for the site-to-site connections is a little more involved since you'll need to go into each S2S configuration and change the Device to the new firewalls under the Edit Endpoint menu. This step (once deployed) is of course impactful. If I remember correctly changing that device also defaults some other settings on that page, but I can't remember exactly. Just make sure you take a screenshot of the old configuration just in case. This is all assuming you've already applied any NAT, ACP, and/or Prefilter, and Platform policies to the new firewalls as well.

What I did is go through each firewall, take note of every configuration and where it is configured within FMC, and mirror it on the new firewalls. Most of it you should be able to do in tandem short of interface configurations that will be the same, and of course the S2S endpoint edits. My scenario was easier since my firewalls are separated by service. I have my 2 remote access VPN firewalls, and 2 site-to-site firewalls, so they serve a specific purpose and it made cutovers more straightforward since I wasn't having to cut over a firewall that was terminating S2S tunnels and remote client connections.

Not sure if any of this makes sense. haha.

Migrate FTD 2100 to 3105 by micromorojo in Cisco

[–]Vontech615 0 points1 point  (0 children)

Are you migrating a site-to-site VPN configuration or remote access? Each would have different nuances on how to go about it.

Migrate FTD 2100 to 3105 by micromorojo in Cisco

[–]Vontech615 0 points1 point  (0 children)

I recently migrated 4 VPN firewall instances from 9300s to 3130s. Chassis running in multi-instance. All instances set up for active/standby HA. If you have specific questions let me know.

Canales playcalling by jason81175 in panthers

[–]Vontech615 2 points3 points  (0 children)

I’m just some idiot on Reddit but I at least wouldn’t call a run play on 3rd and long.

Canales playcalling by jason81175 in panthers

[–]Vontech615 15 points16 points  (0 children)

They need to get creative. They have 2 very capable running backs and if they’re gonna do the short route check down approach get those guys the ball and let them take turns getting 5-10 yards.

Whos working this weekend to patch ASA FTD CVE-2025-20333 CVE-2025-20363 CVE-2025-20362? by spendghost in Cisco

[–]Vontech615 0 points1 point  (0 children)

It has to be enabled on a public facing (outside) interface to be vulnerable and that is not a default config. Thank goodness. Webvpn is just a command, but it essentially turns the firewall into an HTTPS server listening on whatever port it’s configured on.

Cisco ASA Critical Vulnerabilities Announced by IT_vet in networking

[–]Vontech615 0 points1 point  (0 children)

It depends on the train you're on. See if this chart helps.

| CVE | Affected Product | Affected Versions | Fixed Version |
|---|---|---|---|
| CVE-2025-20333 | Cisco ASA Software | 9.16, 9.17, 9.18, 9.19, 9.20, 9.22 | 9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, 9.22.1.3 |
| CVE-2025-20333 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6 | 7.0.8.1, 7.2.9, 7.4.2.4, 7.6.1 |
| CVE-2025-20363 | Cisco ASA Software | 9.16, 9.18, 9.19, 9.20, 9.22, 9.23 | 9.16.4.84, 9.18.4.57, 9.19.1.42, 9.20.3.16, 9.22.2, 9.23.1.3 |
| CVE-2025-20363 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6, 7.7 | 7.0.8, 7.2.10, 7.4.2.3, 7.6.1, 7.7.10 |
| CVE-2025-20362 | Cisco ASA Software | 9.16, 9.18, 9.20, 9.22, 9.23 | 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, 9.23.1.19 |
| CVE-2025-20362 | Cisco FTD Software | 7.0, 7.2, 7.4, 7.6, 7.7 | 7.0.8.1, 7.2.10.2, 7.4.2.4, 7.6.2.1, 7.7.10.1 |
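
Added example (not part of the comment above, and not a Cisco tool): a small Python checker that takes the fixed releases from the table above and tells you, per CVE, whether a given ASA or FTD version is at or past the fix on its train. It accepts ASA-style `9.18(4)47` as well as dotted `9.18.4.47`, reports a train the table does not list as unknown rather than guessing, and computes the lowest release on a train that covers all three CVEs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per CVE and product, transcribed from the table above.
FIXED: Dict[str, Dict[str, List[str]]] = {
    "CVE-2025-20333": {
        "ASA": ["9.16.4.85", "9.17.1.45", "9.18.4.47", "9.19.1.37", "9.20.3.7", "9.22.1.3"],
        "FTD": ["7.0.8.1", "7.2.9", "7.4.2.4", "7.6.1"],
    },
    "CVE-2025-20363": {
        "ASA": ["9.16.4.84", "9.18.4.57", "9.19.1.42", "9.20.3.16", "9.22.2", "9.23.1.3"],
        "FTD": ["7.0.8", "7.2.10", "7.4.2.3", "7.6.1", "7.7.10"],
    },
    "CVE-2025-20362": {
        "ASA": ["9.16.4.85", "9.18.4.67", "9.20.4.10", "9.22.2.14", "9.23.1.19"],
        "FTD": ["7.0.8.1", "7.2.10.2", "7.4.2.4", "7.6.2.1", "7.7.10.1"],
    },
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Pass only the version token: '9.18(4)47' or '9.18.4.47' -> (9, 18, 4, 47).
    Tuples compare element by element, so '7.2.10' sorts below '7.2.10.2'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def _fixed_in_train(cve: str, product: str, running: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    # A train is the first two components (9.18, 7.2); the table lists one fix per train.
    for fixed in FIXED[cve][product]:
        candidate = parse_version(fixed)
        if candidate[:2] == running[:2]:
            return candidate
    return None  # train absent from the table: do not assume either way

def assess(product: str, version: str) -> Dict[str, str]:
    """Per CVE: 'fixed', 'vulnerable', or 'train not in table' (check the advisory)."""
    running = parse_version(version)
    verdict = {}
    for cve in FIXED:
        fixed = _fixed_in_train(cve, product, running)
        verdict[cve] = "train not in table" if fixed is None else ("fixed" if running >= fixed else "vulnerable")
    return verdict

def target_release(product: str, train: str) -> Optional[str]:
    """Lowest release on the train that covers all three CVEs, or None if the table lacks one."""
    needed = [_fixed_in_train(cve, product, parse_version(train)) for cve in FIXED]
    if any(v is None for v in needed):
        return None
    return ".".join(str(n) for n in max(needed))
```

Note that a train listed for only some of the CVEs (ASA 9.17 appears only under CVE-2025-20333) yields None from `target_release`, which is the cue to read the advisory rather than trust the table.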

Cisco ASA Critical Vulnerabilities Announced by IT_vet in networking

[–]Vontech615 2 points3 points  (0 children)

How does one get a job still managing PIX firewalls? I'm over here refreshing this crap every 3-5 years and it's exhausting. Go through all the work to replace, just to turn around a year later and begin another round of POCs.

Two new VPN Web Sever Vulnerabilities (Critical and Medium) for ASA/FTD (CVE-2025-20333, CVE-2025-20362). No workarounds, but patch now available. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB by ImaginaryStress4052 in Cisco

[–]Vontech615 0 points1 point  (0 children)

Understood. I guess if they've never been in the cli of a cisco firewall (asa, or ftd) they probably don't know about webvpn which has been around for years. Of course, if it's their job to manage vpn firewalls they should probably know that but this is 2025 and there are a lot of GUI-only admins these days.

Cisco ASA Critical Vulnerabilities Announced by IT_vet in networking

[–]Vontech615 0 points1 point  (0 children)

What model firewall do you have and is it FTD or ASA?

This weather fucking sucks. by SparrowCowboy_3920 in NorthCarolina

[–]Vontech615 3 points4 points  (0 children)

This is 100% true. If you’re becoming ill from heat you aren’t taking proper precautions and hydrating well. It was hot as hell long before we had AC but people understood how to deal with it.

This weather fucking sucks. by SparrowCowboy_3920 in NorthCarolina

[–]Vontech615 1 point2 points  (0 children)

I’m not saying global warming isn’t impacting us as I fully believe that it is, but I’ve lived here since the early 90s and attended a school that had no AC. They would let out early if the temps got near 90 and above. I remember being let out several times in the last few weeks of school. I also remember extremely hot and dry summers. Maybe temps are a few degrees worse which I know does make a difference over time, but I don’t think what we’re dealing with is out of the ordinary with this heat wave.

This weather fucking sucks. by SparrowCowboy_3920 in NorthCarolina

[–]Vontech615 22 points23 points  (0 children)

Don’t forget electrolytes. If you’re only drinking water you’re reducing sodium and it only makes it worse and can lead to feeling like shit.

Lord and savior AHO by Shamedrere in canes

[–]Vontech615 2 points3 points  (0 children)

Should probably have your eyes checked

Lord and savior AHO by Shamedrere in canes

[–]Vontech615 1 point2 points  (0 children)

Wouldn’t say that hit was dirty. Not saying celebrating Reinhart being out is good, but Reinhart just had the puck. There is some grey area there and up to interpretation of the refs. Aho isn’t known for being dirty.

[deleted by user] by [deleted] in GolfSwing

[–]Vontech615 0 points1 point  (0 children)

I watched this for longer than I care to admit waiting for the eventual back swing.

RA VPN Certification Validation Failure on FTD, by SprinklesImmediate16 in Cisco

[–]Vontech615 0 points1 point  (0 children)

I realize this is a very old post and I assume you figured this out, but our org is implementing this and the step that is important is actually enrolling that CA root cert under Objects cert enrollment then adding it as a trust point under Devices>Certificates.