Cisco Firewall :: 1861 Zoen Based Firewall

May 1, 2011

having a very strange problem with a Cisco 1861 running - Cisco IOS Software, C1861 Software (C1861-ADVENTERPRISEK9-M), Version 12.4(24)T5
 
I have suddenly started to get performance issues with downloads and access through the ZBF. Without the firewall enabled and just having NAT enabled and routing  , downloads perform as expected - ( have been using Itunes download as test file ) - with the ZBF enabled , and the necessary rules installed to inspect & allow traffic - downloads stall - and the only way to get the downlaod to start again is to pause , then resume. The stalls are anything between the first 25 - 120 secs.
 
I have debugged and performed packet traces - but cant see anything untoward. I have also placed another router ( just a cheap Belkin )  on the ADSL service and again , the downloads work as expected.
 
one further thing to add is that when im tunneling through the firewall ( VPN ) , then downloads do work as expected - suggesting that the issue is with native HTTP(s) traffic..I have upgraded from T4 to T5 - and the symptons still remain - I am thinking that these may have been introduced when i upgraded to T4 a few monthes ago.

View 2 Replies


ADVERTISEMENT

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: IOS Zone Based Firewall Websense URL Filtering Feature On 881G

Jul 27, 2011

I've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
 
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...

View 2 Replies View Related

Cisco Firewall :: Unable To Edit IP Based ACL Firewall Rule In RVS4000?

Apr 8, 2012

I am a novice with networks but do have a fair understanding of networks. I have a small business network, utilizing a RVS4000 router (Firmware V2.0.27)I am attempting to set up firewall rules to block certain web sites at certain times.I have successfully set up rules using source and destination ranges, to deny service 24 hours a day everyday.
 
However and here is the problem when I attempt to edit any of the rules (I want to change the time to certain hours of the day) it allows me to edit the rule but when I attempt to save I get an error message up saying there are invalid characters and it will not save the changes?create the whole thing with the changes I want it works fine, is this a known bug?

View 1 Replies View Related

Cisco Firewall :: 1811 / Zone-Based Policy Firewall Configuration

May 16, 2011

I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything.  I had match icmp added to the class-map, but took it out to test if icmp would fail.  It didn't.  Basically, I don't think the firewall is working at all.  Any thoughts on how I can configure this so that the policies will work between zone-pairs?

Here's an quick drawing:

Here are the configurations:

 Local router:
 hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy

[code]....

View 11 Replies View Related

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
 
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.

View 17 Replies View Related

Cisco Firewall :: 3945 / Zone Based Firewall And WAN Interface ACL?

Mar 16, 2011

I am getting ready to deploy a 3945 ISR to serve as an internet and core router for and remote site.  I will be terminating a site-to-site VPN tunnel on it and also configuring a zone based firewall config between my "outside" (internet link) and "inside" (all internal nets).  My question is about how to approach securing the WAN interface with the Zone based FW in place?what kind of ACL do I need beyond those allowing and restricting remote access to the outside ip? 

View 3 Replies View Related

Cisco Firewall :: 1841 - Which IOS Support Zone Based Firewall

Jan 3, 2013

I have a cisco 1841 router  , and i want to configure zone based firewall on it. But the document of zone based firewall only said that "after 12.4(6)T" can support zone based firewall. I use the ios  " c1841-ipbasek9-mz.124-15.T9.bin ", but it can't support ZFW. What kind of ios support ZFW. for example: ipbase, ent base, ip service ,advent etc.

View 2 Replies View Related

Cisco Firewall :: Zone Based Firewall Performance On ASR 1004

Sep 11, 2011

we are experiencing performance issues on ASR 1004 with ZBF as our campus edge router.Symptoms:

- sending small packets from inside zone to outside zone, for example UDP packets without payload
- this way I can generate up to 150.000 pps traffic (testing with packeth software, but we have had a real example with some kind of worm/virus)
- CPU load is about 1% (yes one!) to 2% all time !! (weird)
- ASR response to pings rises very quickly up to 5 seconds which makes box unusable dropping everything what goes through ZBF (so internet connection is gone)
- if I do the ping directly from box, it seems to work fine (no rules from self to outside zone in ZBF)
- if I remove interfaces from inside and outside zone (so disabling ZBF) and do the test again, ASR response goes from normal (0.2ms) up to 2ms (still sending 150.000 pps) and everything seems to work fine)
 
According to Cisco Datasheets: routing, Qos, Zbf ... on ASR 1000 with RP1, ESP10 should be done in hardware with up to 17.000.000 pps performance.

View 5 Replies View Related

Cisco Firewall :: 2951 Zone Based Firewall

Feb 16, 2011

I am confiuring ZFW on a Cisco 2951 Router. The router has the following interfaces: [code]Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.The router is connected to a MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an ecrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
 
1-The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
 
2-The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.

View 5 Replies View Related

Cisco Firewall :: Policy Based NAT On ASA 8.4.1

Feb 27, 2011

How can I configure police-based nat to allow ICMP-only traffic on asaos 8.4.1 or 8.3?On 8.3 it was very simple:global (outside) 1 interface ,access-list outside_nat_outbound extended permit icmp any any,nat (outside) 1 access-list outside_nat_outbound.

View 10 Replies View Related

Cisco :: Zone Based Firewall Really Needed

Sep 18, 2012

I'm having a few problems at the moment with a zone based firewall setup. The more I looked into the problems the more I question whether I need the ZBF or not.My network is pretty simple. 1 Internet connection and 1 LAN interface and a few site to site vpns to the router.So what do people think to having this kind of set up and not using a ZBF?

View 11 Replies View Related

Cisco Firewall :: ASA 5510 - Authentication Based On AD Credentials

Nov 13, 2011

What i want to do is simple. Being able for any member of Administrators group to authenticate on our ASA5510 based on the AD credentials.
 
What is correct CISCO procedure for that?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 Cable Based Failover

Oct 2, 2011

What kind of cable is used for failover in asa 5520 ? 

View 11 Replies View Related

Cisco Firewall :: ASA 5510 - LAN Based Failover Not Working

Jun 23, 2011

I have ASA 5510 connected as shown in attached diagram.Ideally when ASA 1 is active and if I boot Switch-1, ASA-2 shood take over. But that is not happening.When I boot SW1 , ASA-2 shows "Failover LAN Interface: failover Ethernet0/0 (Failed - No Switchover)" and remains standby.Fail over works properly If ASA-1 boots.

View 7 Replies View Related

Cisco :: 2900 - Implement Zone-Based Firewall?

Dec 25, 2012

I am looking to implement Zone-Based Firewall on some 2900 series routers (2911 and 2921.)  Based on some research I've done it looks like the cisco2911-sec/k9 and cisco2921-sec/k9 bundles should be all I need.  Is this correct, or is there some other licensing component that needs to be enabled for me to implement Zone-Based Firewall?

View 2 Replies View Related

Cisco Firewall :: Does PIX 6.3 Support Dual ISP And Policy Based Routing

Mar 19, 2011

Just want to ask if a PIX firewall specific with a 6.3 OS version do support Dual WAN and PBR.

View 2 Replies View Related

Cisco Firewall :: ASA 5550 - SCTP Stream Based On FW Rules

Sep 23, 2010

I would like to know if ASA 5550 appliance is able to handle SCTP (IP protocol 135) stream in terms of allowing/filtering based on FW rules. We have a problem, though we allowed SCTP IP prot to go through an interface, however I can see that 135 packet are permanently discarded in live monitor. I found some hints here[ URL } but it still seems to me as an assumption

View 9 Replies View Related

Cisco Firewall :: Does ASA 5512-X Have Category-based Web Filter Built-in

Jun 26, 2012

Does ASA 5512-X have a category-based webfilter build-in?

View 1 Replies View Related

Cisco Firewall :: Configure MAC Address Based Routing In ASA 5540?

May 10, 2012

I have a network setup where two servers from inside need to communicate with a remote network via 2 VPN gateways. The destinations are same. However, the chalange is each server need to follow it's own VPN gateway. Since i can't configure PBR (policy based routing) in ASA, can i configure something like MAC Address based routing. I can't use destination based routing since the remote network are reachable from the both VPN Gateways.

View 1 Replies View Related

Cisco Firewall :: ASA5500-x Bandwidth Control Based On Different Users And Applications

Sep 20, 2012

I would like to know about asa 5500-x. Does it supports application visibility and granular control for different applications. Moreover bandwidth control based on different users and different applications

View 1 Replies View Related

Cisco Firewall :: Policy Based Routing To ASA5550 Inside Interface?

Mar 4, 2011

Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?At a high level, here's what we have:
 
ISP 1 - with /21 IP PrefixNo BGP Routing3845 Edge Router - Default Route to ISP 1PIX535 Firewalls (HA) - Default Route to Edge RouterLAN Core/Distribution - Default Route to PIX535 Inside InterfaceAll applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc. 

Here's what we are adding:
 
ISP 2 - with /24 IP PrefixNo BGP Routing3925E Edge Router - Default Route to ISP 2ASA5550 Firewalls (HA) - Default Route to Edge RouterSame connectivity to LAN Core/Distribution 

Goals:Maintain ISP 1 for nowMigrate only end user Internet traffic to ISP 2No disruptions to applications/services using current DefGW to PIX535 

Question: how to best use PBR to selectively direct traffic to the ASA inside interface?

View 4 Replies View Related

Cisco Firewall :: ASA5505 / 5510 - Prioritize Traffic Based On Destination IP?

Sep 25, 2012

we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?

View 3 Replies View Related

Cisco Firewall :: 5510 NAT Port Forward Based On Public Source IP?

Dec 27, 2011

I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.

View 3 Replies View Related

Cisco Switching/Routing :: 881 - Zone Based Firewall (Can't Access Router With CCP)

Mar 3, 2013

I'm having an issue accessing a clients router on the WAN interface with Cisco config pro. I can get CLI access with SSH without any issue.  I have port 22 and 443 allowed as management access from my public IP - SSH working fine but config pro being refused connection, Possibly a certificate issue?

View 1 Replies View Related

Cisco Firewall :: Internet Access Restriction Based On IP Addresses ASA 5500

Oct 20, 2010

One of my Clients just aquired a CISCO ASA firewall, and they would like to restrict internet access, that is they want to block internet for Junior employees while managemnet remains connected, Looking at the situation, The ASA serves as the gateway,I tried an Access list like below for one pc to test if it works but instead everyone just went off, may be i misfired somehwere.
 
Access-list 110 deny tcp any host 192.168.20.100 eq wwwAccess-list 110 deny tcp any host 192.168.20.100 eq 443Access-list 110 permit tcp any any eq wwwAccess-list 110 permit tcp any any eq 443access-group 110 in interface inside

View 11 Replies View Related

Cisco WAN :: Zone Based Firewall On ASR1002 With Xconnect Encapsulation Mpls

Apr 3, 2013

we have an ASR1002 running zone-based-firewall with 2 zones:

zone_ouside
zone_ph
 
I have a common ZFW-configuration on that interfaces, e.g.
 
<code>
class-map type inspect match-any pass_cmap_in
match access-group name pass-ipv4-in
!
class-map type inspect match-any ph_cmap_in
match access-group name ph-ipv4-in

[code]....
 
There is some basic stuff in the Access-Lists; direction ph-ipv4-in contains basically "permit ip any any" and ph-ipv4-out contains some permits for certain services, but nothing else. The pass-ipv4-in/out ACL contains particularly the udp-500/4500-stuff as well as gre/esp/ah.
 
Here are the zone-pairs:

<code>
zone-pair security zone_ph-zone_outside source zone_ph destination zone_outside
service-policy type inspect ph_pmap_in
!
zone-pair security zone_outside-zone_ph source zone_outside destination zone_ph
service-policy type inspect ph_pmap_out
!
</code>

[code]...
 
The xconnect is only built up correctly when I configure the interface in the zone_outside. The destination for the xconnect is an ASR9k. If I do not configure the zone on the L2VPN-Interface, only arp-packet are allowed to tgo through the tunnel.
 
The L2VPN connects a branch office to the network of "PH". Now the trouble starts: when they are putting a host in the branch office, DHCP via the L2VPn works fine, they can ping anything from the branch office-PC in their local network and reach all internal servers etc.
 
BUT if they want to go to a destination outside their network, it will not work properly. For example, the branch-office-PC can ping 8.8.8.8 fine, but when they try to connect to a website, e.g. www.google.com, they run into a timeout. Netstat says, that the http-syn is sent, but no ack is received.

On the router, I see:

Session 1178BAE8 (x.y.225.250:2370)=>(173.194.35.151:80) http SIS_OPENING
 
whereas x.y.225.250 is the PC connected via L2VPN in the branch office to their local lan. When they put the same machine in their local lan directly behind the router (without l2vpn) everything works fine. When I switch off the firewall on the Gi0/0/0-Interface, the PC from the branch office also reaches its destination, so for me it looks like the firewall inspects the traffic going via Gi0/0/1 and L2VPN, what in my opinion, it should not do....

View 1 Replies View Related

Cisco Firewall :: 1811 / Zone Based FW With Non-standard HTTP Port

Apr 4, 2011

We are testing a Zone Based FW config since 1month, everything run smooth but we're having problem ( big slow speed access ) when a user try to reach a website on a non-standard port ( 8080 in that case ). All the trafic stay in our LAN, using a IPSEC/EZVPN connection between the 2 sites.As soon as I have disabled the Zone Based FW, the speed was much better.
 
I'm sure I'm missing a parameter to fix that problem but I tried many different options and I didn't find anything yet. All the routers are Cisco 1811 running adv IP Services 15.1.2.T1 IOS.A port-map has been created to map the port 8080 to the HTTP protocol for the inspection.The PC will have an IP address in the 10.2.2.x/24 and will access a server on 10.2.3.x/24, both devices are part of the zone private in each site/LAN.All the access between sites are managed by an ASA; the IPSEC/EZVPN peer.Little summary, it's gonna be something like : SiteA with a PC on private zone then on public zone for the EZVPN to SiteB on public zone and then private zone to access the server in the LAN.

View 6 Replies View Related

Cisco Firewall :: 5510 RADIUS Based AAA For Remote Access Tunnel Groups

Nov 22, 2011

How would I go about configuring RADIUS based AAA for remote access VPN users?  I have an OSX RADIUS server and an ASA 5510
 
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?)What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?

View 4 Replies View Related

Cisco Routers :: SR520 Not Criterion In Zone-based Policy Firewall Class-maps

Jan 16, 2012

I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class- maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.

View 0 Replies View Related

Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability

Jun 26, 2012

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
 
This is a single point of failure and what I need is a way to mitigate that. Under:

redundancy
application redundancy
group 1
control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
 
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?

View 1 Replies View Related

Cisco Firewall :: ASA 5505 / Track How Much Time User Spends Using Service Based On Port Number

Apr 26, 2012

I want to be able to gather some time metrics based on source IP, and destination port.  Is it possiable to track how much time a user spends using a service based on it's port number.   I have figured out how to capture all the data, and I can then look at timestamps, but I would like a better way if possible.  Can this be done at the firewall, or do I need a different appliance?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved