Cisco AAA/Identity/Nac :: 1521 ISE 1.1.1 Firewall Rules Distributed Deployment
Dec 1, 2012
I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened eg Admin node TCP 22,80,443 for management from administrator hosts/ranges. In other instances it difficult to work out eg TCP 1521 Database listener and AQ is this for ISE nodes only or for access devices aswell
My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. SHould the rule be WLC - PSN on 1700 and 3799 or is it the otherway round or unidirectional?
I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
We had Oracle DB servers connected to ip core network clearly, but now we have connected them through ASA (8.4). From that time all users complains about frequent TCP (oracle tcp port 1521) connections drops: they connect to DB, had some time to work and after that expered sessions are stucked. Issue is solved by reconnection, but for some time. I know that the problem is around TCP connection timeouts/ dead connection detection or kind of this. We dan't have MARS system to troubleshoot it by logs. Also, the only inspection policy is applied is default:
I have a question about my ACS redundancy deployment. I bought three ACS all of them came with base license. but i bought large deployment license my question is necesary to buy the large deployment license to add two seconday ACS to my Primary ACS ? now if I install the large deployment in my primary ACS it replique to other ACS or I have to install first the large deployment one by one (secondary ACS) before to join to the Primary ACS.
I am having access point 1240AG and planning to deploy ISE as a exteral radius server. I would like to know how different authorization policy need to configure in AP/ISE. Whether I can use named ACL or VLANs (CoA) as a enforcement types without use of WLC. If yes then how?
i have 4 X ACS-1120. Each 2 are operating as an Primary and backup. I want to add a license in order for the ACS to support more than 500 networks which includes in the base license.As I understand this is the license required : L-CSACS-5-LRG-LIC= · Is this license applicable to ACS-1120 appliance with ver 5.2 ? – I understand that it is. for my scenario, do I need to purchase total of 2 X L-CSACS-5-LRG-LIC= (one for each environment, one license will serve 2 X ACS in Primary and Backup) or I need to purchase 4 licenses each for each ACS ? – I understand that one license will serve deployment of two ACS in primary and active scenario.
I already have large deployment add-on license. I also have 3 ACS Servers. Now, my primary ACS server is now up and my two secondary ACS server will be put up soon.
Just want to ask, when should be the large deployment add-on license be loaded? Can I load it to my primary ACS server eventhough my secondary servers are still not up? Or should I load it to my primary ACS server when my two secondary servers are already up?
I am going to deploy Cisco ISE with WLC 5500. I have two kinds of users one for which I want to deploy just open access Wi-Fi network, without working with Cisco ISE and Second group of Users for which I want to deploy Cisco ISE services like advanced authentication, posture and profiling. For both users I have just one WLC. Is there any problem to just deploy two SSID one for open access (without Cisco ISE) and second Secure with Cisco ISE ?
I am wondering if having a Nexus 7K is mandatory to implement SGACLs within a TrustSec Infrastructure deployment or having a Nexus 5500 could be enough?
I have an issue about ACS v5.3 Appliance.I have an ACS v 5.3 wo authenticate wireless users, together with a cisco wlc. One profile is to corporate users and the second profile is to guest.
The corporate users should authenticate with Active Directory and the guest with WLC. Guest users should authenticate with the ACS Local Database. I have configurate two service selection policy that match with protocol Radius. The first rule is to users of Active Directory and the second is to users in
the Local Database of ACS.When i try to authenticate users with active directory is OK, but when try to authenticate users with Local Database (Guest Portal) the ACS try to find the
the internal user in the Active Directory, because math the first rule, and the second profile can not authenticate.When I change the order, first the Rule of internal users and second the rule of users of Active Directory, the internal users can authenticate in to ACS, but
the users in the Active Directory can not authenticate.I think my ACS only authenticate the first rule of radius to Active Directory, no two rules of radius in the same time. Or maybe exists an issue in OS of the ACS.The authentication by separately is OK.
I am new to ACS 5.1.I need to configure the ACS to act as the 802.1x authentication Server, as well as, act as the Radius Server for the authentication and authorization process when I access the switch.
I had created Two rules (under the Access policy) to cater for the two scenario, it will always "stuck" at the 1st rule. For e.g. Rule-1 is meant for the 802.1x, Rule 2 is meant for the AAA process. When I tested with 802.1x, it worked perfectly. But when I tested to login to the switch, it always failed. Based on the log, Rule1 is not able to fulfill my requirement (of course it can't). I thought the rules check process will proceed with Rule-2, but apparently it did not.
I have a fresh install of an ACS 5.4 virtual appliance. This ACS instance will only be used for TACACS+ AAA for network device administration. It is up and running on the network. I have time, timezone, NTP and DNS configured. ACS admin accounts and logging are configured. I created an internal user, a network device, a network device group, an internal identity group, a shell profile, and command set. It is joined to the Enterprise Active directory domain, and a couple of AD groups have been selected for use in policies.The default network device is enabled and configured with a TACACS secret. I have a lab router configured and pointed at ACS and I can SSH to it with the ACS internal user.The problem is: I can’t create any rules for any policies. If I try to add a rule (or edit a default rule) to the “Service Selection Rules” or “Default Device Admin” or Identity, group mapping or authorization, all I get is a popup with the message “Resource not found or Internal Server error”. If I click “customize” anywhere I just get empty selection/transfer boxes. If I try to change to a single result policy from compound rules I get a “System failure – your changes were not saved” message. I have installed this twice now with the same results.This is my first experience with ACS. I’ve gotten through most of the configuration guide but I don’t know ACS well enough to know if I’m missing something incredibly obvious, or whether it’s just broken.
I am looking for a way how to set the password-rules for individually for for some users or identity-groups.I just can find the global settings,Background of the requirement: We want to use password-aging for most admin-users, for some we dont want that pw expires.
I'm working with an ACS 5.3 and ASA 8.2.5 and i've configured several access services for webvpn and ipsec remote access profiles but i haven't found which radius attribute can differentiate among them in the service selection rules.
I am configuring a 2921 with enhanced security using the CCP. I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting. It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine. I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external ip, but if I change that rule to "inspect" i can connect fine (i dont want that rule set up permanently, was just using it to test the firewall).
If I set the allow rule to log, I see the following line in the application security log:
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0 (where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
Is this the expected behavior of "Allow" action? Is there something I can do to make sure "allow" traffic actually gets through?
I've cloned the configuration off one of my ASA5510's to another 5510 to use as a template for a new data center deploy. I have configured the new firewalls networks and rules, and of course changed the WAN IP config to its new setting.
I want to test the firewall in y office before I deploy it. How should I configure my Macbooks ethernet configuraiton to test the firewall?, as I have tried without success to connect to it.
Let's say that my WAN configuration is 134.5.169.98/255.255.255.224 with a static route of IP address 0.0.0.0, Netmask 0.0.0.0 and a gateway IP of 134.5.169.97.
I've tried setting the route to force all traffic through the interface (sudo route add 0.0.0.0/1 134.5.169.98), but that did not work either. A trace route to the external interface IP of the firewall (or the external IP of an expose server) get's a "no route to host" error.
I've tried many configurations and have not been able to access the internal servers/services/VPN at all.I've also tried with a cross over, and straight through cables.
What should I configure my macbooks network configuration as so I can connect directly to the WAN port to test external access to the internal servers/services and test the VPN client?
I've been asked to deploy an ASA in Transparent Mode because of concerns of putting another layer 3 hop between PE and CE routers running BGP.
Is there some problem with allowing BGP to flow freely through an ASA the is also terminating site to site and remote access vpn tunnels?
I just don't see the need for Transparent Mode here and you cannot have a standard DMZ setup with Transparent Mode: you have to use bridge groups to provide for multiple interfaces on the ASA and then have an external router route between those bridge groups.
what I'm missing here as to why Transparent Mode is needed (not needed)
I have a Pix 515, and a question about firewall rules/access lists.I have recently created a new VPN group, and IP Pool.I created a firewall rule that grants access via TCP to a specific IP address from this firewall. However, when I test the VPN from outside the company, I find I can get to whatever server I want to. There is no allow any/any. I do not think there is any other rule before it or after it that would give that kind of access as most of our rules are for specific IP's and protocols.
The only thing I could think of is that we are using the account management in the firewall to authenticate the users. I am giving the VPN users level 3 access.I will probably not post my config as it is my firewall config, and it would be against company policy.
Is it possible to provision 3 different public IP addresses to the same DMZ IP (Web server) on an ASA running ver 8.2(4)? Unfortunately, the way the server was provisioned Static or Dynamic PAT will not work. I have read that ver 8.3 and up supports natively one-to-many NAT translations, but at this point the client is not ready for an upgrade. Is there anything else I could do to overcome this challenge?
I'm having some troubles with NAT, packets does not match nat rule (that i think it should) and is not choosing the right egress interface. So crypto map never starts
this is the relevant config:
interface Port-channel2.4 description Public TESA ADSL internet connection vlan 7
Boss wants a listing of the firewall rules only. What's a command I can run that will give me a listing of this?If I can get an output of firewall rules only, via GUI, that'll work too. It just needs to end up with a printout on a piece of paper telling me what the firewall is doing.
Ive migrated from my lab pix to a lab asa and am trying to open certain ports to my internal network.
in my confg on my pix i had acls to open port 51413 to an inside host along with the static nat rule.
what i am trying to accomplish is same on my asa, however the nat rules seem to be slightly different, and i'm not completely sure how to do it.
My ACL and nat rule is below. I'm pretty certain my acl is correct,but i am not sure as to what to do with my NAT rules to allow a translation for the tcp service.
I have several working VPNs between ASAs 8.4 and 8.3The way this was set up is with cryptomaps that match whole subnets and ACL on the outside interface to permit from/to the RFC 1918 addresses.I notice that the hit count is zero on these rules and so I wonder if they are actually necessary or doing anything.If they are not where can an acl be applied to restrict the VPN traffic? Outbound on the inside interface?
Then only allow certain ip's access to the entire internet like this...
Internet_User_Group
It would be nice to possibly be able to add the rules to users in my domain, then associate the domain account with an IP OR have them login to view webpages.
I have PIX 535 and using ACLs for allowing traffic. I need to clean up the rule base. I would like to know how to fetch a report of Unused rules for long time?Also when a traffic is being allowed, I want to know through which rule number its being allowed?
Note If you configure VPN, the client dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.
