Cisco :: ASA5510 Why ASA Doesn't Have Right Command
May 8, 2012
I would like to implement a zone-based firewall on my ASA5510. Is ZBF possible on ASA, or is it strictly for routers? I know we've implemented ZBF using SonicWall firewalls before. A little confused here as to why my ASA doesn't have the right commands. Maybe my version of ASA software is too old? It's 8.2 if I remember right.
View 11 Replies
Jun 11, 2012
I'm having trouble getting things working on a pair of ASA5510s using Cisco Secure ACS v5.1. We were previously using a much older version of ACS with these (and a lot of other) devices, which worked OK for remote access for read/write use. I am in the process of migrating to the new ACS software and have got it working OK with everything (many Cisco switches and other IOS devices) except these ASA5510s.
I can get TACACS authenticating fine and am able to log on and go into enable mode. Any subsequent commands are then met with 'command authorization failure', including 'show run', 'conf t' and even 'exit'!
My ASA5510 config has not changed, other than to define the new AAA server, which leads me to think it's something to do with how I have the ACS user profile set up. I have configured the ACS 5.1 device administration Shell Profile to have the maximum privilege level (15), and the command set I'm using has the box checked 'permit any command that is not in the table below'.
View 7 Replies
Apr 3, 2011
I have a Cisco ASA5510 with OS version 8.4(1). When I try to apply the static command, the command is not found; the NAT syntax used is nat (inside,outside).
So why can't I find this command?
View 1 Replies
Jun 26, 2011
The Cisco 887 doesn't support the show dsl command. What is the command that I need to use to display the speed my ADSL is operating at? On the Cisco 877 the command I use is show dsl int atm 0, but this doesn't work on the 887.
View 4 Replies
Oct 21, 2007
I have an AIR-LAP1242AG-A-K9. Straight out of the box I thought it would have the GUI functional, but this is not the case. I am brand new to Cisco products so it is taking me a while to get used to them and to Telnet, but from what I have read in about 6 different manuals, none have explained how I can access the configure terminal command when it doesn't show up. I am in privileged mode with access of: AP001c.588e.a266#show privilege. Current privilege level is 15. If I can't get into global configuration mode I can't enable the GUI or turn on the wireless.
View 6 Replies
Jan 2, 2012
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface. The initial config I'm trying to test is along the lines of the following (I don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny tcp any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any
route-map proxy-redirect permit 101
match ip address 101
set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command; I get an invalid input error message, and if I type "?" at the route-map config prompt, only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
View 2 Replies
Sep 13, 2011
I've been trying to configure the threat-detection scanning-threat shun feature on my ASA5510 running 8.4(2) for some days now. From searching the support community I can see that I'm not the only one having a problem with this feature. The problem I'm having is that after configuring scanning-threat shun, no outside attacking hosts are being shunned. I'm using nmap to simulate a scanning attack. [code]
Is this the expected behavior of scanning-threat shun? If so, this feature is of very little use to me, as blocking my inside LAN is not my goal. I'm trying to protect my LAN from Internet attack. I can add the except command and exempt my LAN, but this still doesn't fix the problem of outside hosts not being shunned.
View 2 Replies
Jun 5, 2013
I'm having an issue with port-security on a Cisco 2950 switch. Port-security is set up to use sticky MAC addresses and was working just fine. Recently, when a computer was changed out and I needed to clear the security on the port, it wouldn't let me. I would type clear port-security sticky int fa0/## and it would give me an error. The error would be that the sticky command doesn't exist. So I went back and typed clear port-security ? and the only option was dynamic. Even if I try to take port security off the switch it won't let me; it never shows the option for sticky. If I change the maximum number of MAC addresses allowed, the computer will work, but I can never clear the old addresses out.
View 3 Replies
Jun 6, 2012
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found the differences are port-related and redundancy. My question is: is there any major difference in security services between the two models?
View 3 Replies
Oct 1, 2012
I am trying to run the int range command and I am getting this error.
View 19 Replies
Jan 10, 2013
I want to configure this:
ip vrf TEST
rd 65500:1
route-target export 65500:1
route-target import 65500:1
bgp next-hop Loopback500
on IOS-XR 4.3.0
What is the equivalent command on IOS-XR?
route-policy TEST1
set next-hop 1.1.1.1
vrf TEST
address-family ipv4 unicast
import route-policy TEST1
View 1 Replies
Sep 23, 2012
Why has the command "source cpu rp" been removed from IOS 15.0(1)SY1? I can successfully configure the following ERSPAN on 12.2SXJ3 but not on IOS 15.x. I do not understand why Cisco has descoped this command.
monitor session 10 type erspan-source
shutdown
source cpu rp rx (--- 15.0 has no such option on 6500 )
destination
[code]....
View 2 Replies
Mar 15, 2011
I have recently swapped out an 877 router for an 887 router and have copied the config template across; however, it will not take three of my commands.
aaa accounting system default stop-only group tacacs+
ip inspect name firewall cuseeme timeout 3600
dsl operating-mode auto
View 2 Replies
Sep 11, 2012
Why could using ping to test the functionality of an ACL prove insufficient?
View 9 Replies
Feb 2, 2012
I am trying to change the SNMPv2 community string on a 6509 remotely, without using an expect script. I tried an EEM applet (we cannot use TCL scripts), but it does not work. The EEM command "action 10 info snmp oid 1.3.6.1.2.1.1.4 get-type exact" is supposed to store the result into an environment variable. It does not, or at least not in the one that is documented. Is it a bug? We have IOS 12.2(17r)SX5. To get the EEM version I ran "sh event manager version" and got "eem: (v240_throttle) 2.21.32". Does it mean I have EEM version 2.21?
View 6 Replies
Dec 20, 2011
I was just brushing up on a few things in GNS3 after setting up an SLA. Now when I want to set the track IP, I get no option for sla. Why? I am running c3725-adventerprisek9-mz.124-15.T5; shouldn't it be available?
View 2 Replies
Nov 29, 2012
How do I apply one command, "wr", to all my Cisco devices managed by LMS 4.2?
View 2 Replies
May 30, 2011
We recently purchased the Cisco 2951 router with IOS 15.0. I have tried to put my VIC2-4FXO card in it. When I did show inventory, it detected the card. [code] When I tried to configure the voice port by typing voice port, it shows % Invalid input detected at '^' marker. I have tried to reset the card and replace it with another one.
View 3 Replies
Feb 5, 2013
We have an issue with ACS server 5.1.0.44.X. We want to make one user with a few commands: show ip route static-table (deny other show commands), configure terminal, terminal length 0, ip route (with all possible arguments). All works fine except the ip route command; when I try to type it I see "This command is not authorized".
View 1 Replies
Jan 27, 2013
I have recently bought a Cisco 2901 to replace the 1811W that we have at the moment. When I try to set a failover/backup with rtr, it seems like the function is not valid. Once I select rtr and set the object #, the reachability command is not available. Does that mean this function is not part of the license package I have?
View 6 Replies
Dec 28, 2011
I am in the process of migrating a production firewall from PIX 6.3 to ASA 8.4(2). This is going to be a complete firewall rebuild and I will not be upgrading the configs because they have become out of date and very bloated. I am in the process of converting the NAT commands. [code] I am hoping these commands would be enough to replicate the previous functionality. I removed all the static identity NATs because NAT control is no longer in place, so those rules are not required. Additionally, I didn't re-create the rules that had NAT ID 0 or 1 because it didn't look like they were doing anything. What is the correct way to do the static NAT commands at the bottom?
View 3 Replies
Mar 4, 2013
I have created a command set under "Policy Elements>Authorization and Permissions>Device Administration" for a limited-access user in ACS 5.3. I tried to give them permission to only a few show commands. I have set user privilege 1, 7, 10; however, users at any of those privilege levels were able to run those commands. It works like the shell privilege level.
View 1 Replies
Jul 4, 2011
I am designing a new NAT configuration for an ASA 8.4.
On my PIX 8.0 configuration I needed to allow bidirectional traffic between interfaces with different security levels, for example Inside at 100 and dmz at 50. To accomplish this in 8.0 I used a static NAT command along with any necessary ACLs.
I now need to apply this same 8.0 config for 8.4. With the static command not available in 8.4, I am unsure of which NAT commands to use to achieve the bidirectional traffic.
View 1 Replies
Oct 31, 2012
I am trying to run the following commands on a 2801 router, but the commands are missing:
mls qos
mls qos map cos-dscp 0 8 16 40 32 46 48 56
The only QoS command I have in global config is (no mls qos):
REMOTE-ROUTER1(config)#qos ?
restore-show-output Restore old show output
shape-timer Set the HQF shape timer interval
The router is running IOS:
System image file is "flash:c2801-ipbasek9-mz.151-4.M5.bin"
Am I just running the incorrect IOS, or am I missing something? I need to change the QoS map for my Nortel VoIP. The VoIP phones connect to a 3750 PoE which used to connect to a 2651XM to route VoIP and data traffic over the same copper pairs (WAN link to hub site), hence the need for a service policy; but being Nortel phones, they require changing the cos-dscp map. The 2801 is going to replace the 2651XM using a new HWIC.
View 4 Replies
Mar 10, 2013
After logging in to the ACS, what is the command to launch the GUI on a Cisco ACS 5.x?
View 1 Replies
May 29, 2013
What is the new command for NAT in version 8.3? The config I have is from version 7.2 and doesn't work on 8.3. [code]
View 12 Replies
Nov 26, 2012
I'm trying to set up a command set in Cisco ACS 5.3, but I can't get it to work no matter what I try. What I'm trying to accomplish is that some users, say Bob, can run every priv. level 1 command + show run, or just to specify which commands Bob will be able to run, whatever is easiest to set up.
In my switch I have the commands:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ <--- tried different approaches with priv level..
(and specified a tacacs server)
Is the "default" under "aaa authorization commands 1x default group tacacs+" the name of the command set?
In the ACS I have specified an Authorization group and bound it to the command set. Should the user have priv 15 for this to work, or priv 1? (I have also specified a user and an identity group and specified IP ranges under "Network Devices and AAA Clients".)
View 2 Replies
Apr 24, 2011
I have two C1941s. The first C1941 does not support SNTP but the second C1941 supports SNTP. The only difference which I can spot is their license. The first C1941 does not have the security license but the second C1941 has. What is the URL that has info on what IOS commands are supported on the IP Base license, security license, etc.?
First C1941
C1941_1(config)#do sh ver
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical
[Code].....
View 5 Replies
Jan 15, 2012
I have a problem with the ACS 5.2 configuration: I am trying to use AAA authorization to centralize privileges and commands, but only the privilege level is sent to the router; the command sets aren't sent.
The test scenario is this:
ACS 5.2, Router 2900 family, IOS 15.0
The ACS is configured with:
Shell Profiles (to match with a privilege level), Command Sets (with the command list), Service Selection Rules (to set to one service) and Authorization (to assign one shell profile and one command set).
The router is configured with the following commands:
[code]....
View 4 Replies
Jan 6, 2011
Attached is what I have done for command authorization for a privilege level 2 user.
View 27 Replies
Jul 19, 2011
I have a 7606 router with a Sup720-3BXL. The IOS crashed recently and I can only use ROMMON mode now. I've tried to upload an IOS image using a TFTP server, but the command tftpdnld is not available on this router. I don't know why. Then I tried to boot from the flash disk, but finally it also shows an error like
System received a Software forced crash signal= 0x17, code= 0x24, context= 0x42359674 PC = 0x402d248c, Cause = 0x1020, Status Reg = 0x34008002
How do I get the router back into running condition?
View 3 Replies
Dec 20, 2012
I just purchased a Cisco LAP-1042N for my office network expansion. When I console into the AP via serial, I am not able to use the "configure terminal" command to set my AP name and static IP address.
I tried using the "debug lwapp console cli" command; it did not work. Below is the screen capture of the error I am getting when assigning the AP hostname. Error message: command is disabled.
View 7 Replies
Mar 10, 2013
I'm coming from a 5505/5510 ASA to a 5512-X. I see the following 7.2 commands are now set with the NAT command in 8.6:
-------------begin 7.2 commands---------------------
global (outside) 1 interface
global (inside) 10 interface
global (wireless) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.3.114 www netmask 255.255.255.255
static (inside,outside) udp interface 5008 192.168.3.117 5008 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.3.101 3389 netmask 255.255.255.255
static (inside,outside) tcp interface h323 192.168.3.118 h323 netmask 255.255.255.255
--------------end 7.2 commands----------------------
--------------end 7.2 commands----------------------
View 10 Replies
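The 7.2 fragment above, the missing static command on 8.4(1), the PIX 6.3 rebuild and the 7.2-to-8.3 question earlier on this page all run into the same change: from ASA 8.3 onward the global/nat/static trio is gone and NAT is attached to network objects. The converter below is an added example written for this page, not code from any of the posts or from Cisco. It translates the three forms those posts show (dynamic PAT via a nat/global id pair, one-to-one static host NAT, and static port forwards with a 255.255.255.255 netmask) into 8.3+ object NAT, and hands back anything it cannot translate, such as nat 0 exemption lines, for manual review. The sample input is constructed in the style of the post above; the object names are an arbitrary convention of this example.

```python
"""Translate pre-8.3 ASA/PIX NAT (global / nat / static) into 8.3+ object NAT.

Added example for the NAT-migration posts on this page, not code from the
original posts. Only the forms seen in those posts are handled; every other
line is returned for manual review rather than silently dropped.
"""
import re
from typing import Dict, List, Tuple

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
STATIC_PORT_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask 255\.255\.255\.255$")
STATIC_HOST_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")

# Constructed sample input in the style of the 7.2 fragment in the post above.
SAMPLE = """\
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0
static (inside,outside) tcp interface 3390 192.168.3.101 3389 netmask 255.255.255.255
static (inside,outside) 203.0.113.50 192.168.3.50 netmask 255.255.255.255
"""


def convert(legacy: str) -> Tuple[List[str], List[str]]:
    """Return (object_nat_lines, lines_needing_manual_review)."""
    globals_by_id: Dict[str, List[Tuple[str, str]]] = {}
    dynamic: List[Tuple[str, ...]] = []
    out: List[str] = []
    review: List[str] = []

    for raw in legacy.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GLOBAL_RE.match(line):
            mapped_if, nat_id, mapped = m.groups()
            globals_by_id.setdefault(nat_id, []).append((mapped_if, mapped))
        elif m := NAT_RE.match(line):
            dynamic.append(m.groups())  # resolved once every global is known
        elif m := STATIC_PORT_RE.match(line):
            real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port = m.groups()
            # 8.3+: the object holds the REAL host; order is "service proto real_port mapped_port"
            out += [f"object network obj-{real_ip}-{proto}-{real_port}",
                    f" host {real_ip}",
                    f" nat ({real_if},{mapped_if}) static {mapped_ip} service {proto} {real_port} {mapped_port}"]
        elif m := STATIC_HOST_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            out += [f"object network obj-{real_ip}",
                    f" host {real_ip}",
                    f" nat ({real_if},{mapped_if}) static {mapped_ip}"]
        else:
            review.append(line)

    for real_if, nat_id, net, mask in dynamic:
        if nat_id == "0":
            # nat 0 / exemption: 8.3+ has no NAT control, so untranslated traffic passes
            # anyway, but flows that would otherwise hit a dynamic rule (VPN traffic is
            # the usual case) still need an explicit identity NAT. Leave it for review.
            review.append(f"nat ({real_if}) 0 {net} {mask}")
            continue
        if nat_id not in globals_by_id:
            review.append(f"nat ({real_if}) {nat_id} {net} {mask}  (no matching global)")
            continue
        for mapped_if, mapped in globals_by_id[nat_id]:
            # One object per interface pair: a network object carries a single nat line,
            # so a nat id shared by several globals becomes several objects.
            out += [f"object network obj-{net}-{real_if}-{mapped_if}",
                    f" subnet {net} {mask}",
                    f" nat ({real_if},{mapped_if}) dynamic {mapped}"]
    return out, review


if __name__ == "__main__":
    new_cfg, todo = convert(SAMPLE)
    print("\n".join(new_cfg))
    print("\n! review by hand:")
    print("\n".join(todo))
```

Two things the generated lines do not cover and that bite on every 8.3 migration: interface ACLs must now match the real (untranslated) address, so an outside ACL that permits traffic to the old mapped address has to be rewritten to the inside host, and the nat-control behaviour is gone, so a nat 0 line that only existed to bypass NAT control can be dropped while one that protects VPN traffic from a dynamic PAT rule cannot.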