Cisco Firewall :: 2911 Difference Between The Firewall Areas

Oct 4, 2011

I recently inherited a Cisco 2911, that appears to have had Firewall rules imported into Externally Defined Rules. ACL's are currently allowing/disallowing traffic. However, there are no firewall rules configured. To meet compliance we need to have Packet Lavel Inspection (Firewalled) rules. There are two areas in the router, under ACL area, and under Security. What is the difference between these two Firewall areas?Are both areas providing packet level inspection?Can I build Firewall rules (within the Security area) to replace the ACL's?

View 2 Replies


ADVERTISEMENT

Cisco Firewall :: 2911 Router Zone Firewall And IP NAT Enable

Mar 20, 2013

I have a simple setup where I have a 2911 router with three interfaces, Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP so I have designed NAT to use IP Nat Enable commands. This is now working for me fine. However, since utilising IP Nat Enable, my zone firewall now denies return TCP / UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather they are matching the outside-to-SELF policy. The router seems the detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface. [code]

View 1 Replies View Related

Cisco Firewall :: Difference Between ASA 825 And 841

May 25, 2011

I am building 20 pairs of failover firewalls for work and I was wondering from the users of the new code 8.3 - 8.4 if there are anything to watch out for.  I know NAT changes from 8.2x to the newer 8.3 - 8.4 lines but would like to hear about real world thoughts on it.
 
I am working on my CCIE-Security on the side and right now the lab uses 8.2 but I am a good 6 to 9 months out, so I wonder if there will be a change in the lab to 8.3 before I try to go take it, what code to load and use on the production boxes.

View 4 Replies View Related

Cisco Firewall :: Difference Between ASA-SM1 And FWSM

Apr 1, 2013

Can any1 tell me wat is the difference between ASA-SM1 and FWSM.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Difference Between 8.4.3.ED And 8.4.3 Interim

May 31, 2012

What is the difference between 8.4.3.ED and 8.4.3 interim? I need to upgrade my ASA 5510 from 8.4.3

View 5 Replies View Related

Cisco Firewall :: 5520 - Difference Between ASA And Software FW

Sep 26, 2011

I have ISA server 2006 sp1 and i can install many good software to management of network like gfi web Mon, soft perfect bandwidth manager and many more.
 
And I have an ASA 5520 AIP-SSM module so what security management Asa can give and what security feature it has and also so I will convert my network firewall from MS ISA to CISCO ASA.

View 1 Replies View Related

Difference Between Hardware And Software Firewall?

Jul 14, 2011

what is difference between hardware & software firewall

View 1 Replies View Related

Cisco Firewall :: NAT For A Private IP 2911

Dec 20, 2012

We have some Cisco 2911's that we are configuring 2 VPN's ( second is for redundancy) We are pretty confident on the failover VPN setup using SLA monitoring.
 
One thing we are stuck on is the redundant VPN will be setup over a 3G connection provided by verizon. Verizon issues a Private IP ( 192.168.100.X) the far end device terminating the VPN has a public ip of 183.172.22.XX , what kind of NAT translation do I need to make this work ?  Also does Cisco have any good configuration examples for VPN Failover setups for Cisco 2911's?

View 4 Replies View Related

Cisco Firewall :: ASA 5520 Difference Between Access Rules And ACL / ACE?

Nov 2, 2011

We are moving from a different vendor to ASA 5520s. So far my "training" for Cisco consists of s  Cisco press book, some white papers and guides, this website, and a bunch of mistakes. So, I have what is probably a pretty basic question for most folks.
 
What is the difference between Firewall Access Rules and ACL/ACE? And when to use which?
 
for example: on my ASA 5520s I've set up an Interface for my internal LAN: 172.16.x.x., a DMZ 192.168.2.0/24, and an interface for the Internet side. The 5520 is set up as a routing firewall betwen my internal lan, DMZ, and Internet.
 
If I want to allow my internal users Internet access for http and https would I use a Firewall Access rule?For most of my rules allowing outbound access from my 172 LAN and DMZ and inbound access to devices in my DMZ can I mostly utilize the Firewall Access Rules?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Difference Between CSC-10-PLUS And Security Plus License

Mar 3, 2011

I have ASA 5510. Is there any difference between CSC-10-PLUS license and Security Plus License...

View 3 Replies View Related

Cisco Firewall :: EIGRP Metrics On ASA 2911

Aug 4, 2011

I have two 2911 routers running 15.0(1)M4 in a redundant topology connected to an ASA 5520 firewall running 8.4 version. All gears are running EIGRP. In order to distribute the incoming traffic between the two 2911 routers, I am using 'offset-list out' on them, but in the ASA's routing table I see updates from both 2911 with the same metric, i.e. the offset-list is not working. What are the default metric weights on ASA? How can I change them? I couldn't find any known bug.

View 14 Replies View Related

Cisco Firewall :: Enabling IPS On 2911 Router?

Sep 20, 2012

I enable the IPS  on the 2911 router .  I am using the Basic IPS signatures that are inbulid on the routers . But sill it showing , that no signature is active .
 
ip ips signature-category
  category all
      retired true 
ip ips signature-category
   category ios_ips basic
      retired false

[code]....

View 1 Replies View Related

Cisco Firewall :: 2911 - NAT Any Source Address From Internet

Mar 21, 2011

I'm using a 2911 as our Public Internet Edge Router. I have 2 public sub net blocks from Sprint, we are in the process of migrating. What i need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
 
Example:
 
Source Address 11.10.10.10 ==> Destination 64.165.123.10 (nat this to 64.165.54.10) inbound.
 
So if from the internet tries to hit 64.165.123.10 we want to nat that to 64.165.54.10 both of which sit on our public space.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 / 2911 - TCP Reset-O Message

Oct 30, 2011

Here's the current scenario:
 
[LAN] <---> ASA 5520 <---> Cisco 2911 <---> [Internet] <---> Server A
                         |
                         |
                     [DMZ]
 
Whenever I access a website running in "server A" (only HTTP traffic) everything works fine. The problem is that when I try to access a different service on the same server but listening on port 2000/tcp I get the TCP Reset-O message on the ASA and the workstation's browser says that "Internet Explorer cannot display the webpage".
 
A weird thing: if I access this service from a machine on the DMZ, it works fine. From the LAN (Inside) it does not work. The main difference is that from the LAN to OUTSIDE the ASA does NAT. From the DMZ to OUTSIDE it's just routed. I did another test from the LAN and the captured traffic is attached. I've been messing around with protocol inspects and firewall + NAT rules on the ASA but no luck at all.

View 5 Replies View Related

Router Or Hardware Firewall Makes Any Difference On Internet Speed?

Sep 8, 2011

do you think there would be a visible (or negligible) difference in internet speed if I used a hardware firewall as opposed to the router's inbuilt firewall?So assuming that all switches/ports were Gigabit Ethernet compatible (including the firewall itself), would it be a better idea to turn off the router/modem's firewall and use the hardware firewall, or would it be best to just stick with the router firewall?The reasoning behind this is that I'm not a big fan of Netgear... or their firewall system. After recent DDoS attacks (and IP address changes), I've decided to put a computer that was lying around to good use - Use it as a (Linux) firewall. iptables, here we come. - Yes, the Netgear router (CVG824G) has died a few times. Probably going to get upgraded to a NG CG3000, which uses (more or less) the same firewall system, I assume.

View 6 Replies View Related

Cisco Firewall :: 2911 - Immediate Gateway Dropped Ping Traffic

Jun 13, 2011

I have a a firewall policy on a Cisco 2911 - the zone policy from OutZone>InZone basically drops everything apart from inspected traffic on the opposite direction and a few essential traffic generated externally (such as Outlook web access and E-mail exchanging). However, I seem to be getting a lot of firewall drops coming from the immediate gateway of the ADSL WAN address to the internal IP range on port 3. I get about 10 hits every 5 seconds.
 
Policy:

policy-map type inspect FWPol_Out-In
class type inspect CCP_PPTP
  pass
class type inspect FCMAP_In-Email
  pass
class type inspect FCMAP_In-OutlookWebAccess
  inspect(code)

 %FW-6-LOG_SUMMARY: 1 packet were dropped from IMMEDIATE WAN GATEWAY:0 => INTERNAL IP ADDRESS:3 (target:class)-(FWPair_Out-In:class-default), the immediate gateway would ping an internal IP address? Keepalive? Could this be stemming from another problem? The traffic  wasn't generated internally as all InZone>OutZone is inspected.

View 1 Replies View Related

Cisco Firewall :: 2911 - IOS Content Filtering Using Trend Micro

Apr 26, 2012

I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription. Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
 
Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page [URL] or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
 
I know I can use the 'parameter-map type urlf policy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect -url') but how to do more with either the built in page or the redirect- url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
 
Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?

View 1 Replies View Related

Cisco Firewall :: Block Gtalk On New 2911 Security Enabled Router?

May 8, 2010

I want to block gtalk on my new cisco 2911 security enabled router.

View 3 Replies View Related

Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability

Jun 26, 2012

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
 
This is a single point of failure and what I need is a way to mitigate that. Under:

redundancy
application redundancy
group 1
control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
 
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?

View 1 Replies View Related

Cisco Firewall :: Difference Of VPN Plus License And Security Plus License ASA 5520

Oct 16, 2012

What's the difference between VPN Plus license and Security Plus license. I have new 5520 shipped with VPN Plus license.Also does it require a seperate license for Anyconnect for Mobile and AnyConnect Essentials.

View 1 Replies View Related

Black Areas Appear Over RDP?

Aug 22, 2011

An issue that we have run into is that on some of the machines, black areas appear over the screen at random times.These black areas disappear when the users mouse over and return when the mouse is moved back. The areas are usually small (about 30 pixels wide) and we have had to log the users off and on again.The machines that users are using are Thin Clients (HP and Wyse) and it seems to happen when certain programs are in use (Sage).

View 1 Replies View Related

Cisco Firewall :: Configure 2911 ISR To Block Peer-to-peer Traffic?

Jul 25, 2011

I see that Application protection - blocking peer-to-peer file sharing traffic is a capability of Cisco IOS Firewall. How do i configure my Cisco 2911 ISR to block peer-to-peer file sharing traffic?

View 1 Replies View Related

Cisco :: CISCO Advanced Firewall On 2911 Router Using CCP?

Dec 29, 2012

Guys I am using a cisco 2911 router with three interfaces: Gi0/0 connected through a switch to all my servers and Gi0/2 which will connect to another server, and Gi0/1 is my outside interface connecting through a switch to two ISP's.I have webservers and Terminal servers/File Servers with 10.0.0.0 network address connected throught My Gi0/0 interface.Now I want to implement a Cisco Advanced firewall for security on my router using CCP.I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 0,23,25,20,21,53, 110,3389. and to access the SIP server on Gi0/2. My issue is can i just create two DMZ's for both interface Gi0/0 and Gi0/2 without creating an inside zone and Gi0/1 as outside zone as my internal traffic is mostly server based and the users connect remotely through terminal server to access resourcess using RDP, secondly how do I open the relevant ports.I have checked alot and all I have seen is just basic process on using the wizard I have no idea how to go about this issue.

View 19 Replies View Related

Cisco Firewall :: 2911 / Site To Site VPN Using 3G USB Modem?

Sep 26, 2011

Using 3G USB modem on a Cisco router 2911 can you establish site to site VPN?

View 3 Replies View Related

Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?

View 3 Replies View Related

Ethernet Deployment In Metropolitan Areas To Access Networks

Jun 19, 2011

I hear a lot these days about ethernet deployment in metropolitan areas as access networks. Does this mean that there would be one big optical ethernet LAN (or MAN if you prefer) with fiber to the home connected by switches? Wouldn't this lead to massive spanning trees in large cities? One bad,configuration in the network would affect the whole network.Will all IP traffic have to travel to the core even if it is destined for an intra-MAN destination? I cannot imagine that a ARP broadcast in a large MAN is feasible.

View 1 Replies View Related

Protocols / Routing :: How To Make Sure R11 Is Able To Get OSPF Routes Of All Areas

Oct 19, 2012

How can I make sure R11 is able to get the OSPF routes of all the areas. Make sure area-278 does not receive any ospf routes from other areas as well as from ASBR routes from other areas. At the same tim, area-278 should be able send successfully RIP routes that we receive from R2 to backbone area.

View 1 Replies View Related

Cisco Wireless :: E4200 - Small Business / Wi-Fi Access In Public Areas

Oct 5, 2011

We are looking into the possibility of putting in some public wireless access in the public areas of our organization. Its a fairly small building in terms of public access and it needs to span 3 rooms in total. We have a spare BT line into the building - ADSL 2+ - and so will utilize that instead of putting them on our network. We would like to run some router based content filtering on the router - but would use open dns if this isn't possible.I could do to find a good wireless router that will cover the 3 areas . Its not a large budget project as there isn't going to be very highly utilized. We are looking Cisco kit - and have drawn up a few options. Initially we were going to go with the 1140's - but these are access points and as per my understanding aren't going to work with the phone line - as it needs to be a wireless router.
 
 
The next area was the Linksys E series (E4200) - they do look really good, and they have the content filtering which we like. What the power and range of the E series is? The only issue we might have is its a fairly old building and so some of the walls are pretty thick - one of which is wooden lined.It has the 3x3 mimo antennas and so guess it would provide some pretty good range/power. If the hardware is cheap enough then we may be able to setup the routers in repeater mode - however I'm not sure if the home devices can work that way? - I think max would be £300 - but that will be decided when I have some better numbers.

View 1 Replies View Related

Cisco Firewall :: 5515x Apply On Firewall / Switches To Make Implementation Successful

Apr 22, 2013

I will be implementing a new firewall (cisco asa 5515x) on my existing  3750x (server switches) and my 2960s (user switches). What should I need to apply on my firewall and swtiches to make the  implementation successfull.  I will put my 3750x as my DMZ and my 2960s  as my inside.  The 3750x have multiple subnet and also the 2960s.which  features and technologies i need to know on those 3 products.  my 3750x  and 2960s don't have any ACL defined and most common features are vlan,  switchport, trunking, spanning-tree, stacking, vtp.how  my asa knows that my 3750x/2960s have multiple vlans.  my current  connection right now on 3750x and 2960s is just through 6 ports i  assigned as one trunk, below is my config [code]

my  2960s vlans are almost the same with my 3750x except vlan 160, 170,  192.  but of course when i put this in asa, i have to segragate vlan for  3750x (192, 100, 110,160, 170) and 2960s (130, 150).  for my 2960s  connection to the asa and since this will have big bandwidth, i will use  3 ports on my asa (and trunk it) connecting to my 2960s and i will use 2  ports on my asa (and trunk it) connecting to my 3750x.  the one  internet ports and my one management ports on my asa will stay like  that.

View 2 Replies View Related

Cisco Firewall :: ASA5510 - Unable To Ping From User Desktop To Firewall Inside IP

Jun 11, 2012

I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to  FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
 
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:

[Code].....

View 7 Replies View Related

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: ASA 5585 / Identity Firewall With Single Forest / Multi-Domain

Dec 28, 2011

I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.

[URL]
 
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains.  I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent.  I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1.  I looked to see if I could see domain 2 and domain 3 users and found none.  I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2.  Instead, it shows domain1 users as domain2user1.  I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work.  I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains. 

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved