Cisco Firewall :: 5500 Blocking Skype Application Doesn't Work With ASA CX
May 12, 2013
I'm trying to build different content security scenarios for a potential deployment of ASA5500-X series firewall with CX module and ran into a trivial problem. A simple access policy has been configured to deny Skype. It's as simple as it sounds. To my surprise I don't see that it is being enforced.I have all my pending changes committed, events are now showing with hits, see attached print screens. Tried to start Skype on my PC with the source shown on the print screen it and don't see any effects of this policy.
As a side note, I know for sure that other type of filtering does work, i.e. I have configured a deny filter for gambling URL category and it seems to work nicely.
I have the following: redundant ASA5520s on v8.2(1)proxy server/web filter for blocking access to websites for staff/studentsusers who want to use SkypeCisco Catalyst 4507 corea dozen VLANs for staff/student/WiFi etcCisco core policy that routes 80/443 to transparent proxy on a WiFi VLAN Windows desktops have direct proxy settings in IE .Pretty much all outbound ports are closed with 80/443 and a handful of specifics for various things open. Because of this Skype attempts to use 80/443 which are sent to the proxy server but bnecause they're not HTTP/HTTPS they cannot be understood. Skype attitude is to open 1024-65535 which is just plain stupid!
There's no way to specify which port(s) Skype uses for outbound. I tried opening 33000-33099 which worked perfectly for 2-3 devices (Win laptop, iPad) but others failed all the time.I've seen people mention using an AIP-SSM module in the ASA for blocking Skype (and other things eg torrents). Is it possible to use this module to allow Skype eg on ports 1024-65535 whilst blocking any other application from using those ports?
Like others I see on this board, we've got middle- and high-school age kids whose access to FB and other sites needs to be controlled/scheduled.
I thought the DIR-655 was great, in that it has features that, on the face of it, would seem to be ideal for blocking domains and restricting access.
My problem: I've never been able to get this to work.
I've set up schedules and created lists of domains that I want to limit access to according to the schedules, but the only constraint I've ever gotten to stick is blocking access completely to the router.
*None* of the schedule-based or website-based access controls have ever worked; I'll put the block in place to my daughter's computer's MAC address so she shouldn't be able to get to youtube or facebook, save, bounce the router, but then I go by her room and she's still busily chatting away online to her FB friends.
Based on similar posts I've seen on this forum, this may not be a unique problem.
So in a nutshell, this is what I want to do:
1) Block certain computers (identifiable by MAC address)
2) from being able to get to particular named domains (and any of their sub-domains)
3) according to a schedule that I can create and modify.
My preference would be to do this in the router, but again, responses I've seen here suggest that may not be possible.
I have the 1.0.03 firmware installed and URL blocking doesn't work. I assigned the policy to the entire address range and could still access the web site I wanted to block.
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I have a standard ADSL modem which connects to the internet. On the inside I have a few computers within my LAN.when the modem receives an incoming request from the internet for a connection to one of my LAN computers e.g. a Skype incoming call, how does the modem know which port to forward that traffic to on my internal LAN? i.e. how does the modem know which of my computers is running the skype application that will answer the incoming call? I know port forwarding normally handles this sort of thing, but in my case, I am not using any configured port forwarding rules so how does the modem know where to forward skype traffic?
I have one outside interface with global IP address 1.1.1.1 and two inside.Both inside interfaces restrict and non_restrict have private IP addresses.I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.I can access prohibited URL from restrict interface. What's wrong in my URL filtering?
A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly.
I have a server in a network DMZ (IP 192.168.40.43) need to do discovery of other IP address to update the IPAM tool. It should not be done source NAT so I´m trying to use the configuration below with Policy NAT but isn´t working:
It´s following message appears "% PIX-3-305005: No translation group found for icmp dmz8 srv: 192.168.40.43 dst inside: 10.38.36.50 (type 13, code 0)".
I have a ASA 5510. I setup basic configuration to test internet with 2 ISPs. My first line works with out any problem. But my second line doesn't work. Even when i wipe the configuration, and setup only my second isp. Internet doesn't work. Can you tell me if there is anything wrong with this config?
CaaaA01# sh run : Saved : ASA Version 8.3(1) ! hostname CaaaA01 domain-name example.com
I'm trying to setup a L2TP VPN Connection on my ASA 5510 to connect with Android/Windows (Native Clients).I'm using the newest Releases:Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.3(5)
If i try to connect with a Windows 7 Client (NOT behind NAT) I get the Error 691.
I see that Phase 1/2 are working with debug: Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)
Then I see this "Error":
Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated
I don't understand why it doens't work....I tried many templates from the net but nothings works.
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www access-list 101 deny tcp host 10.0.2.2 any access-list 101 permit tcp any any
route-map proxy-redirect permit 101 match ip address 101 set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
I have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
since our update of Cisco ASA 5510 (active/standby cluster) from version 8.22 to version 8.24 it isn't possible to transfer files from/to a sftp client. The request just times out. SSH from this client is possible.
what´s going on with an asa540 configure in multiple-context mode. I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
CISCOASA/CONTEXTA# JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping returns the same error:
CISCOASA/CONTEXTA# JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Following attached the conf of my asa My question is Why I can´t ping or even use snmp ?
I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
FWSM/xxx03(config)# no access-list ? configure mode commands/options: alert-interval Specify the alert interval for generating syslog message 106001 which alerts that the system has reached a deny
[code]...
How can I remove a line from the access-list without clearing the entire access-list?
I am using ASA5520 with webvpn for file sharing. But recently we just upgraded the OS that accommodate file shared folder from win2003 R2 32bit to windows server 2008 R2 64bit. Now I have a problem with accessing file share by ASA webvpn, it appears error contacting host, we have tested the file shared of webvpn on the other OS windows 2003 and windows 2008, they are working on these OS except win2008 R2. Current the ASA OS version is 8.0(2). And the windows firewall has been disabed.
I just installed a TP-Link router. Everything (almost) works: PC internet, laptops internet, email, etc. An application on my PC can't communicate through the router to the internet server now. I am sure it is a port/IP address issue. But I am unable to figure out a solution. I have already changed the IP (of the computer with Windows 7) to a static IP address. I guess now I need to get the port access done. I know the ports in question from calling the vendor. I just need to get the application through the router.
I tried to create a L7 class-map for blocking the clients with ciphes strength less than 128 in ACE20 running with Software version A2(2.3).But there were no command inside the L7 class-map called cipher for matching the cipher strength 128. Command Tried to issue was host1/Admin(config-cmap-http-lb)#match cipher less-than 128 So I want to know whether this is possible on ACE 20 and SW version A2(2.3). Kindly suggest a way to acheive this.
I have seen some other configuration using the parameter-match, But I dont know the Cipher Names which to allow. I want to drop all the connections with less than 128 bits cipher strength.
I try to configure a Cisco 5508 Wireless controller and 25 Air-lap1041 to use as VoIP and data. I read documents, manuals, etc, but the AP doesn't charge the configuration, or not conect with the Wireless Controller, why? No Radius server present, only WPA security.
I try to put a static ip in the LAP, with lwapp or capwap command, (LWAPP/CAPWAP ap ip address direccion mascara) and the AP returns "You should configure Domain and Name Server from controller CLI/GUI." and i can't change the name of the AP (Command is disabled). [code]
block skype 5.1 in my network. This version of skype doesn't need Administrator rights to be installed. In my network there are 2 ways to Internet, one filtered by a PIX 525 ver 6.3(3) and the other by a ASA 5510 ver 8.3(2). No IPS system present on my network.
I would like to set up a monitoring/site blocking system where I work (owners request) to black sites like Facebook, YouTube, etc. Are there any decent, basic freeware ones out there?
i have cisco CAP 3602e series access point to work with 5500 series controller with code 7.0i did not find VCI option 60 for this type of APs to configure DHCP. How I can let these APs will join the controller, i mean through which process DNS discovery methode and what about if i need to configure option 60 and 43 in dhcp for ap joining process to controllers.
Why the below configuration does not work? BGP exchanges routes without a problem all the time the distribute list is removed from the config. When I apply the distribute list it blocks all routes, not just those intended in the prefix list.
I have added a new NME-WAE-502-K9 in one of our remote Cisco 2811 routers. This module doesn´t boot, and it seems to be in a loop trying to boot. [code]
Can any ASA 5500 in particular the ASA5510 firewall support jumbo frames (i.e. greater than the default standard 1500 Bytes frames)?. I plan to use the ASAs to setup a point-to-point IPSec tunnel and need an Application frame of 4Kbytes intact and not segment it.I have done little checking on the Cisco Website and see it mention of Jumbo frames on the 5580 on 10Gig interface but didn't see mention 5510. 5580s are way over-kill and expensive for what I need is to run a mission critical one IPSec point-to-point with maximum of no more than 100Kbps so 5510 is perfect for me but not sure if it can carry the jumbo frame?
On the routers and switches it's the MTU settings and they are configurable per interface and I am OK and the circuit is T1 which the Telcos said it's OK since it's physical layer so the only unkown is the firewall.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver Cisco Adaptive Security Appliance Software Version 9.0(2) Device Manager Version 7.1(2) Compiled on Thu 21-Feb-13 13:10 by builders System image file is "disk0:/asa902-k8.bin"
I purchased the license P/N: ASA-CSC20-250U-1Y with Description: ASA 5500 CSC-SSM-20 250-User License Only Renewal (1-year)
But I had a mistake because I need support to 500 users. Now, to solve my mistake I want to know Do I can purchase another ASA-CSC20-250U-1Y to provide the 500 users suppor?
I mean, ¿are two (2) ASA-CSC20-250U-1Y equivalent to the 500 user license listed below?P/N, ASA-CSC20-500U-1Y with Description: ASA 5500 CSC-SSM-20 500-User License Only Renewal (1-year)
I have an problem with VPN connection on notebooks. Sometimes the VPN connection works perfectly, and other times it just doesn't work at all.The Cisco VPN client software is version 5.0.04.0300. Operating system is Windows XP Prof SP2.When the connection fails, the client statistics window shows "Bytes Received: 0".Rebooting the system, has no effect
Normally, when one right clicks on a drive letter having opened 'My computer', then select 'Sharing' there is a warning about sharing a whole disk and the option to accept anyway.One laptop doesn't offer that. It just shows the admin share of C$ immediately. If I choose 'New' at the bottom of the panel a new drive letter and drive name can be entered but it can never be accessed over the network! It shows up in the workgroup but I get a network error 'Network path not found' if I try to access it. I can ping the laptop from anywhere by name and IP address.The laptop can access all the other PCs without any problem.
my LMS 4.2, syslog collector on LMS doesnt working even service syslog collector running normaly and also i saw in syslog_info is working to collect syslog from all router but not show up in dashboard monitoring.I have setting on every router to logging (ip address LMS) but on LMS no any syslog from router can collect.i did a selftest from LMS there are all PASS except nslookup fail, it is has relation with syslog not show up on dashboard?
I bought cisco AP (air-ap1142-e-k9) and we know this ap works with 802.11a/g/n same the description note on the package cartoon but my problem is when i configure that ap its work only with 802.11a/g i tries to make it works with 802.11n but fail .
I'm trying to configure Cisco CISCO881G-K9 3G router to connect to mobile network without success. The cellular interface gets up but it doesn't receive IP address. It seems that profile isn't activated and it should've been.
I've attached running config and some other information gathered from router.