Cisco AAA/Identity/Nac :: 5505 - ACS 5.2 With ASA Firewalls
Dec 16, 2010
I am trying to setup a Cisco ACS 5.2 for both login and enable authentication to asa 5505s, 5510s, and catalyst switches. I am testing with an ASA 5505. The initial authentication to the firewall works, but when I try to enter privileged exec mode using the enable command, it doesn't work. I have the user setup on the ACS with a password and an enable password and privilege level 15, I have the device setup on the ACS, I have the tacacs+ server setup on the firewall and pointed to the correct server address, and the AAA commands for telnet, ssh, and enable.
I am currently working on our Cisco voice platform at work.
Our Cisco firewall engineer has left and I have been given the task of looking after the firewalls as our Chief Exec seems to think that Cisco Voice is similar to Cisco ASA firewalls,
Are there any books/videos out that you can recommend to learn the about firewalls quickly.
I have a customer with active/standby on a pair of 5510's with the CSC modules. They were inquiring about the AIP/ASA, and since this would NOT work in their current setup, would getting a pair of 5510/AIP configured for transparent failover work placed in front fo the existing units? Would I need to have a switch placed between the AIP and CSC ASA's? Or would I setup the ASA's for context based Active/Active failover to interconnect the ASA's to the existing units, but I still see a need for a switch.
I have a scenario whereby I need to add a second VPN tunnel to a Cisco ASA, however its peer address will be on the outside2 interface on the remote firewall.
There is currently a VPN tunnel between 1.1.1.1 and 3.3.3.1. I need to add a 2nd VPN tunnel utilising outside2 addresses 2.2.2.1 & 4.4.4.1 respectively.
I have labbed this out, however i cannot get traffic going down to the 2nd VPN tunnel. I have created the following routes on each firewall
ASA1-HQ
Outside1 0.0.0.0 0.0.0.0 1.1.1.2 (metric 1) (Next hop for outside1 interface)
I have tried adjusting the Crypto map Priority values however this has made no difference. One theory I have is the local addresses potentially would need to be on a separate network in order for traffic to traverse the 2nd VPN tunnel.
the crypto maps i have created are:
ASA1-HQ
Outside1 (Priority10) S 172.16.20.0 /24 D 172.16.30.0/24 Protect ESP-3DES-SHA Peer 3.3.3.1 (Nat T Enabled) Outside2 (Priority 1) S 172.16.20.50 /32 D 172.16.30.50/32 Protect ESP-3DES-SHA Peer 4.4.4.1 (Nat T Enabled)
ASA2-DC
Outside1 (Priority10) S 172.16.30.0 /24 D 172.16.20.0/24 Protect ESP-3DES-SHA Peer 1.1.1.1 (Nat T Enabled) Outside2 (Priority1) S 172.16.30.50 /32 D 172.16.20.50/32 Protect ESP-3DES-SHA Peer 2.2.2.1 (Nat T Enabled)
i have create a one profile on PIX/ASA Command Authorization Sets & MAP with Group & Ldap with My AD. but authentication is not done as per the set parameter on command authorization in ACS.i am using Cisco ASA 5505 & ACS 4.2.
I have successfully set up a 5505 as a cut-through proxy so that wireless users are required to log in when they open a browser to access the Internet. Is there a way to take them to the original page they requested after the login is complete, rather than having it sit at the screen where it is says they are logged in?
Wondering if it's possible to send a VSA from my radius server to my ASA-5505 that will instruct the ASA to use one of several split tunnel lists I have created, based on the user name supplied in the Radius request.For example, I can send a VSA of "ip:inacl#1=permit ..." and the ASA will dynamically create an access-list for that user.Is there a similar VSA for split tunnel?
I am trying to configure an ASA 5505 running 8.3 to allow a priv 15 local user to be able to ssh into the device and be placed into priv 15 mode without having to execute the enable command and type the enable password.Right now when you log in as a priv 15 user you still have to execute the enable command and type the enable password to get to priv 15.
I have a working ASA 5505 that is used for remote access. It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP. This is all working fine however recently I enabled IPv6 to do some testing. I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks. DNS client is enabled in the ASA and all the authentication servers are entered as hostnames. The two RADIUS servers only have A records and the two LDAP servers (Windows DC's) have both A and AAAA records. My plan was to begin test IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).
When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working. I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers. From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses. When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
Prior to the reboot both the LDAP servers were showing thier addresses (IPv4) correctly. I can workaround it by disabling IPv6 on the ASA, letting it lookup the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6. Strangely deleting and re-adding the servers just with their IPv4 addresses also fails but I haven't fully tested this. I don't know but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6? Just guessing at the moment as I haven't managed to get a LAN capture. [code]
I have a problem discovering some ASA firewalls on a network. I have several ASA firewalls on this /24 network, but some of them I can't discover e.g 149.x.x.107 is discovered ok, but 149.x.x.20 I can't discover. It seems that it's not even trying to discover the devices I have problems with. Nothing is shown in the discovery log.
For protection of any network architecture,use of firewalls (either hardware or software) only at Network ,Transport and Application Layers of TCP/IP stack. Why not at remaining layers?
Am I able to legally download and upgrade software versions still on ASA firewalls?I have not had an issue in the past as this has not effected the license.I cant find anything online saying that you cant due to Cisco's new Software license policy changes.
I opened my iTunes program today and noticed a roommate's MP3 files were picked up on my network. I think the name of the program is Rocket Tube MP3. Anyway, I came on here because our computers use a Wi-Fi internet connection and I was wondering how much of my web activity (history, cookies, temporary files, etc) he could see from my laptop if his computer was a desktop downstairs. He's very tech-savvy (a former IT guy) and I don't want him snooping through my personal records.
I was under the impression that those global addresses that we used with NAT were from the outside IP addresses range?Lets say my outside IP address is idk 192.112.40.11 /30 and I only had two usable IPs (since you can't use network and broadcast IPs) so how would I set up NAT for a couple of Inside addresses with a shorting of addresses like this? Idk if that makes sense what I'm trying to say
I have a question about 2504 deployment.Two WLC's , one will be acting as primary controller, second as secondary controller.
There will be two firewalls with High Availability between them. Ok, if primary controller will go down, we would need to wait about 2minutes, and AP's would join secondary controller.
But if there is a problem with firewall? Etc. FW 1 goes down. Is it possible with WLC 2504 to use it's second port as backup port ? And use the same IP address between them?
Because if we configure the second port with different IP address, we would need to wait about 2minutes, because AP's is in "rejoining" mode )(To use second port as backup, but have the same IP address on it ( like put these two interfaces into the same "vlan") , because this would be really great, if one Firewall goes down, we would still will be using the same wireless controller.)
I am trying to upgrade all my firewalls to Security Plus but I am not sure what firewalls are needing the upgrade. Is there a SNMP pull I can do to see what license is on my firewall? example: "This platform has an ASA 5510 Security Plus license." via SNMP
We have a configuration where we go through a firewall (ASA 5510) to a router, which decides if it is internet traffic or another network used for colleges etc in Canada called SR Net. If it is internet traffic it then goes through another ASA 5510 to the internet.
When we tested we were not seeing the speed of our internet (about 1/10th). We tested by putting the laptop before the internet firewall and we get the throughput. We also threw the test laptop before the router and we got the throughput expected. But when the test laptop is before the internal (first) firewall we get about 1/10th the speed. We are Nating on both firewalls, so from the inside we are going from a private IP to a Public IP (so it can go to SR Net is need be), then Nating again to the internet IP on the second firewall.
We are a non-profit organization that is heavily reliant on interns that use their own laptops a lot here. My concern is they come in and connect to our wireless network with no supervision or anything else. I am worried they will introduce a virus, trojan, or something to our network. What the best way to keep them from introducing unwanted malware from a thumb drive, virus in email, or something to that effect shy of standing over them while they install and run an antivirus software?
I have problem with the Lan-to-Lan VPN tunnel.the VPN working fines since 9 months ago without any problems.Suddenly got the problem!,In last two days we faced problem the VPN down.in first time the problem in phase-2.. but after that in phase-1... in latest no data packet received to their side.
I am looking for some resources on what steps would be involved in configuring a Cisco ASA 5500 when obtaining a new ISP. Since our static IP will be changing with the new ISP, just need to know what configurations changes will need to take place. We currently have a working config with DSL, but are switching to cable. We are using a DMZ configuration, and are going to try using ASDM first since that should be easier
There are three Win 7 laptops on the LAN trying to connect to the ASA5500 Firewall. They generate a Severity Level 3 alert and try the same port three times then move to the next numerical port and try that three times. Is this a malicious Hack.
I have been trying to get into one website (url)The world's best online marketplace, List free Classifieds,buy and sell - auction,post a job and get hire from over 1 million top professionals. | Wanaifieds.com and I can't get into the site from my home I can get into the site everywhere else but here I called the service provider and their telling me it's not them they don't block website and the IP is not stationary so their nothing wrong with their end I called the hosting company of the website and they told me they don't block any IP's I don't know what to do I do remember when it was working about 4 days ago I tried something o the site and I messed up and I clicked back instead of putting my password a little box poped up and said something about a certificate or something but I just clicked off and when I tried to get back on the site.
I'm working with Cisco ASDM 6.1 for pix. I want some of ip addresses are not shunned thus provide a list of addresses which should not be shunned in threat detection, but some of ip addresses are shunned yet.
I want to block 10.0.0.1 and 192.168.1.1 but my router says invalid domain so if will the guess network be able to go to page 10.0.0.1 and 192.168.1.1 even though I don't block it? I have a bypass account but don't want anyone else to access 10.0.0.1 and 192.168.1.1. Also can you tell me some proxy sites I can block?
when I run nestat -b command. I always see a lan ip sending TCP traffic to my computer with state syn_receivedProto >> Lan Address >> Foreign Address >> state >> Process idTCP >> (my ip) >> 192.168.2.222(lan ip) >> syn_received >> 4
How many of you use GNS3 for ASA 5500 Firewalls along with ASDM? While I am on the subject of GNS3 I had a questions about the new version and the capture feature. I installed the latest version last night with the new live capture features but it seems to be only one way capture. T Is there a way to fix this?
