Cisco AAA/Identity/Nac :: Configure ACS 5.2 And Checkpoint For Firewall Admin
Aug 5, 2012
How to configure ACS 5.2 for device administration of Checkpoint firewalls and security management servers?
I have 5 static public IP addresses at my disposal. A Checkpoint firewall with VPN access provides remote access for mobile users. How would I go about integrating the ASA 5505 SSL VPN into this network so some mobile users could continue using the Checkpoint VPN client while others could have SSL VPN remote access? Attached is a graphic of the network.
What's required for the migration from a Checkpoint R75-20 SPLAT install to the Cisco ASA firewall? Links to documentation, step-by-step.
I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The Checkpoint firewall has 8 physical interfaces, and the ASA 5510 also supports 8 physical interfaces, so this will be a one-to-one swap. At the moment I don't have an ASA 5510 to test my theory, so I am going to throw it out here. The Checkpoint firewall is SPLAT running on a powerful IBM server with 8 dual-core CPUs and 32GB of RAM, and it has 1200 rules with over 120,000 objects with some crazy NATs, but it works so we will just leave it at that. There is not that much traffic going across the firewall, so there is no need to put in an ASA 5585.
When I use the Cisco conversion tool to do the policy conversion from Checkpoint to Cisco, I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while the ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer's goal is that at the time of cutover from Checkpoint to Cisco ASA, everything will be perfect, meaning that it will work like magic.
My question is: can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with the FWSM, but I don't have a 5510 to test with.
Running EIGRP on the network. The hub router connects to the remote router via EIGRP, and then I have 2 static routes getting traffic to the switch behind the Checkpoint firewall (Edge-1 UTM). Some switches I can access while others I cannot.
I am trying to migrate Checkpoint configs to an ASA 5585 using the SCT tool. This tool is asking me to feed it a *.W file from Checkpoint, which is supposed to be a rule definition file on CP, but I can't find it.
I have an ASA 5520 with IOS 8.4 and ASDM 6.4.
My configuration is below.
My ASA interfaces:
inside ip
172.16.0.0/22
[Code].....
So now I want to configure my ASA to give user-based access. What configurations should I use to do so?
I have attached the Edit Active Directory Server dialogue box, so what should I put in the boxes there?
I have an auditor wanting a screenshot of all users that have access to configure our firewall. I am unfamiliar with 5.1. Is there a way of running such a report on a particular device?
How to configure a LobbyAdmin account for WLC 7.0 on a 5.1 ACS? I'm very new to ACS 5. How do I configure it?
I've got the ACS policy working that allows me to log in to the WLC using a user account with full rights, but the Lobby admin account can log in with full rights as well. I've tried setting the custom attributes in the shell profiles with role0-mandatory-LobbyAmbassador, task0-Mandatory-Configure Guest User and task1-Mandatory-Lobby Ambassador User Preferences, but it still doesn't work.
We created the admin account during the setup and were able to log into the Web GUI, but we can't use this admin to access the CLI using SSH; it always says permission denied.
Here are my desktop specs:
Windows XP Svc Pack 3
Mainboard :Asus P5KPL-CM
Network Card :Atheros AR8121/AR8113 PCI-E Ethernet Controller
Current Router - LinkSys BEFSR41 (Hardwired, CATV cable)
Static IP - 192.168.1.100, 255.255.255.0, Gateway 192.168.1.1
Problem: I purchased a new GB router, Dlink DIR825, wireless and 4 ports, and cannot connect to it to set it up. I need to get into it to change its IP address from 192.168.0.1 to 192.168.1.1 and to make a few other changes. I have 6 different ethernet cables, all of which work with my desktop as well as my laptop. I can get into the new Dlink router just fine with my laptop so it is not a bad port on the new Dlink. The cables work with my existing router and my new router using my laptop so it isn't a cable problem. My internet connection is Hughesnet (DISH) which uses the 192.168.0.1 address, the same as the new router. So here is what I have tried:
1. Powered down Hughes router, new router, and old router.
2. Removed cable from Hughes router to old Linksys.
3. Changed static IP on desktop from 192.168.1.100 to 192.168.0.50 and Gateway to 192.168.0.1.
4. Rebooted
5. Connected ethernet cable from desktop to Port 1 on new router.
6. Powered up new router.
7. Brought up Browser and entered the 192.168.0.1. Nothing happens. The Port light on the new switch shows the connection properly and the other lights are on properly, except for the Internet light which I haven't hooked up yet.
The above does not work so I powered down everything and then:
1. Connected the cable from the Hughes internet modem to the Internet port on the new modem.
2. Powered up Hughes modem and waited for all lights to come on.
3. Then powered up new router and waited for all lights to come on. This time the Internet light came on like it should.
4. Powered up my desktop.
5. Brought up Browser and entered the 192.168.0.1. Nothing happens. I expected this since there would be a conflict with the 2 modems having same IP.
Next I tried to basically set my desktop to use DHCP and removed the cable from the Hughes modem to the new router. Powered down everything then brought them up one at a time, Hughes modem, router, and PC. Still not able to connect to the new router. I also used my laptop to set the new router to 192.168.1.1 and reset my static IP to the original 192.168.1.100, 255.255.255.0, Gateway 192.168.1.1. Still nothing and I couldn't even ping the router.
I want to set it up so that when you log into any of the ACS 5.2 servers you have to use your AD credentials to log in and define what access you have. Is this possible? If so, how can this be set up?
I am trying to configure ACS 5.1 to authenticate SSL VPNs on an ASA5500 and also to provide admin access to the ASA5500, both via RADIUS. I want to authenticate the VPN against a SecureID appliance and the admin login against a different database (using internal for testing, but will use LDAP in the end). I can't seem to get the ACS to distinguish between the two authentication types. If I create a rule that says match protocol RADIUS, I can point that at either database, but if I try saying match RADIUS and service type 5, it doesn't match the VPN and falls through to the default authentication service. I have also tried matching service type 6 for admin and that doesn't seem to work either. In the end what I want to achieve is to authenticate the ASA5500 VPN against the SecureID appliance, and then admin access to all devices on the network (a mixture of Cisco, F5 and Juniper) against Active Directory via LDAP, where if the user is a member of the "admin" group they get access. I was intending to use specific devices for the ASA5500s (there are two) and then create a device group based on IP address range for everything else.
Do you know if it's possible to use ACS 5.x in such a manner that the admin users (so not the end users, but the administrator users of ACS) are authenticated against an external database, like Active Directory?
We have created some administration accounts which should only have the possibility to work on the user database. The UserAdmin role is too limited: it can create a user and set a fixed password only, but it is not able to enable the user's authentication against a predefined external identity store. Other roles which make this possible are far too powerful for a second-level administrator. The administrator should have the possibility to create a user and set the password check against an external database. This is not possible with the predefined role "UserAdmin". Other roles have too many rights for these users.
My admin user is still being assigned privilege level 1, as shown in the AAA Protocol > TACACS+ Authentication Details report. The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin, which is the one I set up for this user's group with both Default Privilege and Maximum Privilege set to Static 15), but still not the right privilege (Privilege Level: 1). Also, I found this document via Google: [URL]. The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have. So I am wondering if I am not reading the ACS report right, or whether the device actually was assigned the correct privilege but that does not work without the "aaa authorization exec" command in the configuration?
This is the first time I am about to configure ACS 5.3 to authorize a user group, stopping them from doing some commands in "configure mode" while permitting them some other commands. As an example, I want to deny them from doing "reload" but give them access to configure "time-range". What happens is, they are denied access to "reload" in exec mode, but once they go into "configure" mode, they are able to "do reload". I mean to say, is it possible to manage the subsequent commands to "configure terminal"?
Is there a way to put a login banner on the ACS admin web page? Either display it directly on the web page or do a redirect to a banner page? Can I edit the admin pages directly or does ACS provide a mechanism to add this type of feature?
We are using ACS 5.3 running on VMWare.
After upgrading to the ACS 5.2 appliance, we are trying to configure AAA between CiscoWorks and ACS. Authentication is working but authorization fails; the logged-in user cannot access admin parameters. I've configured attributes manually but it doesn't work. Does ACS 5.2 support integration with CiscoWorks?
I have to reset/recover the admin CLI password. I had posed the question in [URL]. Now, as per the CLI admin password recovery procedure at [URL], I have inserted the DVD in the hardware appliance, but I don't see any prompt with these options:
"Welcome to Cisco Identity Services Engine - ISE 3355
#
To boot from hard disk press <Enter>
#
Available boot options: "
I just see a login prompt (and of course I cannot log in because I don't know the password). I am using a serial console connection to the appliance.
I have ACS 5.2. I need to create a network admin policy for our NX-OS devices such as Nexus switches. How is this done on ACS 5.2?
I am having trouble viewing all the Administration logs in ACS View. I have my Local Log Target set to a maximum log retention period of 90 days. In ACS View I can display authentications that go back 90 days+. However, when I try to display the "ACS_Configuration_Audit" in View and perform a custom query that goes back 90 days, it will only display about 35 days of Admin logs. I know the logs are there because when I go into the CLI and do a search like "show logging | i "ObjectType=Administrator Account"", the Administration logs go back over a year. Why can't ACS View display all the Admin logs? The ACS is running v5.1.0.44 Patch 6 (also experiencing this in a v5.2 ACS as well).
We've configured an ACS 5.1 and integrated it with Active Directory on Win2K3. We created two groups in the AD for managing network devices, one for Administrators and the other for Operators (read-only), so we configured a device admin policy and both groups work fine. But now we are facing a little problem: any user who exists in the AD can log in (user exec mode) to the network devices, and we want to restrict the login with the policy, but we just don't know how. Is there a way to get a user to be authenticated against an external group or the internal ACS store at the user level, just like you can do it in ACS 4.X?
Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users and admin access to WLC and switches. The backend database is Microsoft AD running on Windows Server 2012. The existing Cisco ACS 4.2 is still running and authenticating users. There are two Cisco WLCs, version 7.2.111.3. Wireless users authenticating to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication uses PEAP-MSCHAPv2 and admin access uses PAP/ASCII.
Wireless users cannot authenticate to AD through ISE. Below are the error messages: "11051 RADIUS packet contains invalid state attribute" and "24444 Active Directory operation has failed because of an unspecified error in the ISE". I conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below: [code]
Update:
1) Built another Cisco ISE 1.1.3 server in another datacentre that uses the same domain but a different domain controller. This domain controller is running Windows Server 2008. This works and authentication is successful.
2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
I am using ACS 5.3. What I am after is setting user authentication against the existence of the user in a specific AD group, not just being a member of any AD. What is happening now is that users get authenticated as long as they exist in the AD; luckily they fail on authorization, as it is bound to a specific AD group.
How can I bind the authentication against a specific group in AD, not just using AD1 as the identity source?
What is the procedure for web admin password recovery for the NAC server appliance 3355?
We managed to integrate our newly set up ACS 5.2 with our regional domain. Now I'm creating a Device Admin access policy for the Regional Network Admin group and the Regional Network Operators group, each having full and read access respectively.
I already have the default identity policy and authorization policy with command sets fullaccess and showonly for each group. Now I don't know how I can match the AD groups regionaladm and regionalops so that each user who falls under one of these groups will have the correct read/write access.
To back up an ACS 5.3 VM running on ESXi 5.0, our backup admin requested that we install VMware tools on the ACS server.
We are trying to configure the VPN with our provider; we are on ASA and they use Checkpoint. The VPN seems to be established on phase 1 and phase 2 too, but when I send ping packets they seem to be lost on the tunnel and the other side does not see them. The ASA is behind another firewall and the outside interface of this ASA is NATed on this perimeter firewall.
I have set up a VPN tunnel using pre-shared keys between my ASA5505 and a Checkpoint firewall (another company).
I can initiate the tunnel from my side, but they cannot open it from their side. We get Phase2 failures.
The other company is saying:
"Your ASA is expecting my CheckPoint to negotiate the phase 2 timeouts in both seconds and kilobytes. Enabling kilobyte timeouts is not something that is currently realistically feasible on my side, so I ask that you disable/turn off kilobyte timeouts on your side"
However, I do not have a kilobyte timeout specified in the security association for the tunnel, only seconds.
Is there a hidden default setting I have to turn off? If so, how do I do this?
I have a problem with a L2L VPN between an ASA and a Checkpoint R71 VPN. I can ping up to the network that is behind the Checkpoint, but they cannot ping me.
No connection via IE of any flavour.
Chrome shows Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error
I have 30 machines here, none of which have a serial port.
Our main ASA5510 is set up to failover to a second 5510, and is using the management port for that purpose. All of the other LAN ports are in use.
Currently we can manage the ASA using ASDM 5.2 from any device on the LAN.
We are now going through PCI compliance, and one of the vulnerability scans has picked up the fact that the firewall appears to accept connections on SSL v2. However, if I try to set SSL to use v3 or TLS v1 only (as we don't use WebVPN), I get a message that I will no longer be able to use ASDM to manage the firewall, as changing to SSL v3 will 'prevent ASDM from establishing a secure connection with the ASA'.
So does this mean that the ASA does use/accept SSL v2? The help files say that it will accept 'hellos' in v2 but will then try to negotiate to SSLv3 or TLS v1. It doesn't give more details about what happens next, but I would have assumed that if it can't negotiate to one of the later protocols it will drop the connection. Is this correct? If that's the case I may be able to get PCI to accept it.
However, if this is not acceptable and I have to switch to SSL v3, what options do I now have for administering the ASA through a GUI?