Cisco Firewall :: 5500 Blocking Skype Application Doesn't Work With ASA CX

May 12, 2013

I'm trying to build different content security scenarios for a potential deployment of ASA5500-X series firewall with CX module and ran into a trivial problem. A simple access policy has been configured to deny Skype. It's as simple as it sounds. To my surprise I don't see that it is being enforced.I have all my pending changes committed, events are now showing with hits, see attached print screens. Tried to start Skype on my PC with the source shown on the print screen it and don't see any effects of this policy.
 
As a side note, I know for sure that other type of filtering does work, i.e. I have configured a deny filter for gambling URL category and it seems to work nicely.

View 3 Replies


ADVERTISEMENT

Cisco Firewall :: ASA5520 Allowing / Blocking Skype

Sep 17, 2012

I have the following: redundant ASA5520s on v8.2(1)proxy server/web filter for blocking access to websites for staff/studentsusers who want to use SkypeCisco Catalyst 4507 corea dozen VLANs for staff/student/WiFi etcCisco core policy that routes 80/443 to transparent proxy on a WiFi VLAN Windows desktops have direct proxy settings in IE .Pretty much all outbound ports are closed with 80/443 and a handful of specifics for various things open. Because of this Skype attempts to use 80/443 which are sent to the proxy server but bnecause they're not HTTP/HTTPS they cannot be understood. Skype attitude is to open 1024-65535 which is just plain stupid!
 
There's no way to specify which port(s) Skype uses for outbound. I tried opening 33000-33099 which worked perfectly for 2-3 devices (Win laptop, iPad) but others failed all the time.I've seen people mention using an AIP-SSM module in the ASA for blocking Skype (and other things eg torrents). Is it possible to use this module to allow Skype eg on ports 1024-65535 whilst blocking any other application from using those ports?

View 2 Replies View Related

D-Link DIR-655 :: Blocking Access To Websites Doesn't Seem To Work

Feb 26, 2012

Like others I see on this board, we've got middle- and high-school age kids whose access to FB and other sites needs to be controlled/scheduled.

I thought the DIR-655 was great, in that it has features that, on the face of it, would seem to be ideal for blocking domains and restricting access.

My problem:  I've never been able to get this to work.

I've set up schedules and created lists of domains that I want to limit access to according to the schedules, but the only constraint I've ever gotten to stick is blocking access completely to the router.

*None* of the schedule-based or website-based access controls have ever worked; I'll put the block in place to my daughter's computer's MAC address so she shouldn't be able to get to youtube or facebook, save, bounce the router, but then I go by her room and she's still busily chatting away online to her FB friends.

Based on similar posts I've seen on this forum, this may not be a unique problem.

So in a nutshell, this is what I want to do:

1) Block certain computers (identifiable by MAC address)

2) from being able to get to particular named domains (and any of their sub-domains)

3) according to a schedule that I can create and modify.

My preference would be to do this in the router, but again, responses I've seen here suggest that may not be possible.

View 1 Replies View Related

Linksys Wireless Router :: URL Blocking Doesn't Work On E4200

Oct 17, 2011

I have the 1.0.03 firmware installed and URL blocking doesn't work.  I assigned the policy to the entire address range and could still access the web site I wanted to block.

View 1 Replies View Related

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
 
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.

View 17 Replies View Related

Home Network :: Which Computers Is Running Skype Application That Will Answer Incoming Call

Feb 15, 2013

I have a standard ADSL modem which connects to the internet. On the inside I have a few computers within my LAN.when the modem receives an incoming request from the internet for a connection to one of my LAN computers e.g. a Skype incoming call, how does the modem know which port to forward that traffic to on my internal LAN? i.e. how does the modem know which of my computers is running the skype application that will answer the incoming call? I know port forwarding normally handles this sort of thing, but in my case, I am not using any configured port forwarding rules so how does the modem know where to forward skype traffic?

View 2 Replies View Related

Cisco Firewall :: PIX515 URL Filtering Doesn't Work

Nov 14, 2011

I have one outside interface with global IP address 1.1.1.1 and two inside.Both inside interfaces restrict and non_restrict have private IP addresses.I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.I can access prohibited URL from restrict interface. What's wrong in my URL filtering?
 
Here is my config:
 
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names

[code]....

View 1 Replies View Related

Cisco Firewall :: Restored ASA 5505 Now VPN Doesn't Work

Jun 3, 2013

A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
 
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly.

View 3 Replies View Related

Cisco Firewall :: Policy NAT Setting Doesn't Work On PIX 6.3(3)

Nov 30, 2012

I have a server in a network DMZ (IP 192.168.40.43) need to do discovery of other IP address to update the IPAM tool. It should not be done source NAT so I´m trying to use the configuration below with Policy NAT but isn´t working:
 
nameif ethernet1 inside security100
nameif ethernet5 dmz8 security55
!
ip address inside 10.56.12.93 255.255.252.0

[Code]....

It´s following message appears "% PIX-3-305005: No translation group found for icmp dmz8 srv: 192.168.40.43 dst inside: 10.38.36.50 (type 13, code 0)".

View 10 Replies View Related

Cisco Firewall :: Internet Doesn't Work On ASA 5510 For Backup ISP

Feb 15, 2012

I have a ASA 5510. I setup basic configuration to test internet with 2 ISPs. My first line works with out any problem. But my second line doesn't work. Even when i wipe the configuration, and setup only my second isp. Internet doesn't work. Can you tell me if there is anything wrong with this config?
 
CaaaA01#  sh run
: Saved
:
ASA Version 8.3(1)
!
hostname CaaaA01
domain-name example.com

[code].....

View 2 Replies View Related

Cisco Firewall :: L2TP IPsec Doesn't Work On ASA 5510

Dec 21, 2010

I'm trying to setup a L2TP VPN Connection on my ASA 5510 to connect with Android/Windows (Native Clients).I'm using the newest Releases:Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.3(5)
 
My asa config just the interesting part:

crypto ipsec transform-set trans esp-3des esp-sha-hmac crypto ipsec transform-set trans mode transportcrypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map dyno 10 set transform-set transcrypto map vpn 20 ipsec-isakmp dynamic dynocrypto map vpn interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400no crypto isakmp nat-traversal

[code]....
 
If i try to connect with a Windows 7 Client (NOT behind NAT) I get the Error 691.
 
I see that Phase 1/2 are working with debug:
Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED
Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)
 
Then I see this "Error":

Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated
  
I don't understand why it doens't work....I tried many templates from the net but nothings works.

View 5 Replies View Related

Cisco Firewall :: 8.2 (ASA5510) / 8.4(2) (ASA5505) - Why Doesn't Route Map / Set IP Next-hop Work

Jan 2, 2012

I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
 
access-list 101 deny any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any
 
route-map proxy-redirect permit 101
     match ip address 101
     set ip next-hop 10.0.2.2
 
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
 
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?

View 2 Replies View Related

Cisco Firewall :: ASA5505 And Asterisk Remote Softphone Doesn't Work

Jan 5, 2012

I have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
 
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
 
These are configuration lines:
 
object-group service elastix-ports
service-object udp eq sip
service-object udp gt 10000

[Code]......

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Saving Config Via Scp Doesn't Work After Updating To 8.24

Apr 5, 2011

since our update of Cisco ASA 5510 (active/standby cluster) from version 8.22 to version 8.24 it isn't possible to transfer files from/to a sftp client. The request just times out. SSH from this client is possible.

[Code]...

View 2 Replies View Related

Cisco Firewall :: ASA5540 In Multiple-context SNMP / Icmp Doesn't Work

Jun 10, 2013

what´s going on with an asa540 configure in multiple-context mode.   I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
 
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
 
If I try to ping returns the same error:
 
CISCOASA/CONTEXTA#
 JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp  reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
   
Following attached the conf of my asa   My question is Why I can´t ping or even use snmp ?

View 5 Replies View Related

Cisco Firewall :: FWSM Version 3.2 - No Access-list Line X Doesn't Work

Dec 10, 2011

I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
 
FWSM/xxx03(config)# no access-list ?
 configure mode commands/options:
  alert-interval  Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny

[code]...
 
How can I remove a line from the access-list without clearing the entire access-list?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 CIFS Doesn't Work For Share Folder On Windows Server 2008 R2

Jun 26, 2010

I am using ASA5520 with webvpn for file sharing. But recently we just upgraded the OS that accommodate file shared folder from win2003 R2 32bit to windows server 2008 R2 64bit. Now I have a problem with accessing file share by ASA webvpn, it appears error contacting host, we have tested the file shared of webvpn on the other OS windows 2003 and windows 2008, they are working on these OS except win2008 R2. Current the ASA OS version is 8.0(2). And the windows firewall has been disabed.

View 3 Replies View Related

New TP-Link Router Blocking Application?

Jun 9, 2011

I just installed a TP-Link router. Everything (almost) works: PC internet, laptops internet, email, etc. An application on my PC can't communicate through the router to the internet server now. I am sure it is a port/IP address issue. But I am unable to figure out a solution. I have already changed the IP (of the computer with Windows 7) to a static IP address. I guess now I need to get the port access done. I know the ports in question from calling the vendor. I just need to get the application through the router.

View 1 Replies View Related

Cisco Application :: Weak Cipher Blocking In ACE20?

Jan 27, 2012

I tried to create a L7 class-map for blocking the clients with ciphes strength less than 128 in ACE20 running with Software version A2(2.3).But there were no command inside the L7 class-map called cipher for matching the cipher strength 128. Command Tried to issue was host1/Admin(config-cmap-http-lb)#match cipher less-than 128 So I want to know whether this is possible on ACE 20 and SW version A2(2.3).  Kindly suggest a way to acheive this.
 
I have seen some other configuration using the parameter-match, But I dont know the Cipher Names which to allow.  I want to drop all the connections with less than 128 bits cipher strength.

View 5 Replies View Related

Cisco Wireless :: 5500 AP Doesn't Charge Configuration

Apr 18, 2012

I try to configure a Cisco 5508 Wireless controller and 25 Air-lap1041 to use as VoIP and data. I read documents, manuals, etc, but the AP doesn't charge the configuration, or not conect with the Wireless Controller, why? No Radius server present, only WPA security.
 
I try to put a static ip in the LAP, with lwapp or capwap command, (LWAPP/CAPWAP ap ip address direccion mascara) and the AP returns "You should configure Domain and Name Server from controller CLI/GUI." and i can't change the name of the AP (Command is disabled). [code]

View 13 Replies View Related

Cisco Firewall :: 5510 - How To Block Skype 5.1 On PIX And ASA

Oct 3, 2012

block skype 5.1 in my network. This version of skype doesn't need Administrator rights to be installed. In my network there are 2 ways to Internet, one filtered by a PIX 525 ver 6.3(3) and the other by a ASA 5510 ver 8.3(2). No IPS system present on my network.

View 6 Replies View Related

Monitoring / Website Blocking Software To Install On Work Wireless?

Mar 8, 2013

I would like to set up a monitoring/site blocking system where I work (owners request) to black sites like Facebook, YouTube, etc. Are there any decent, basic freeware ones out there?

View 1 Replies View Related

Cisco Wireless :: 3602e Access Point To Work With 5500 Controller With Code 7.0

Jun 15, 2012

i have cisco CAP 3602e series access point to work with 5500 series controller with code 7.0i did not find VCI option 60 for this type of APs to configure DHCP. How I can let these APs will join the controller, i mean through which process DNS discovery methode and what about if i need to configure option 60 and 43 in dhcp for ap joining process to controllers.

View 4 Replies View Related

Cisco Switching/Routing :: 65535-BGP Distribute List Blocking Routers / Configuration Does Not Work?

Jan 17, 2013

Why the below configuration does not work? BGP exchanges routes without a problem all the time the distribute list is removed from the config. When I apply the distribute list it blocks all routes, not just those intended in the prefix list.

[CODE]....

View 2 Replies View Related

Cisco Application :: NME-WAE-502-K9 Doesn't Want To Boot

Dec 16, 2012

I have added a new NME-WAE-502-K9 in one of our remote Cisco 2811 routers. This module doesn´t boot, and it seems to be in a loop trying to boot. [code]

View 6 Replies View Related

Cisco Firewall :: Support Of Jumbo Frames On ASA 5500 Firewall Appliance?

Feb 28, 2010

Can any ASA 5500 in particular the ASA5510 firewall support jumbo frames (i.e. greater than the default standard 1500 Bytes frames)?. I plan to use the ASAs to setup a point-to-point IPSec tunnel and need an Application frame of 4Kbytes intact and not segment it.I have done little checking on the Cisco Website and see it mention of Jumbo frames on the 5580 on 10Gig interface but didn't see mention 5510. 5580s are way over-kill and expensive for what I need is to run a mission critical one IPSec point-to-point with maximum of no more than 100Kbps so 5510 is perfect for me but not sure if it can carry the jumbo frame?
 
On the routers and switches it's the MTU settings and they are configurable per interface and I am OK and the circuit is T1 which the Telcos said it's OK since it's physical layer so the only unkown is the firewall.

View 2 Replies View Related

Cisco Firewall :: ASA5505 Firewall Rule Not Blocking

Apr 1, 2013

I'm trying to troubleshoot an ASA5505.
 
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
 
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic.  I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did.  That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
 
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below.  However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
  
show ver 
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2) 
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"

[Code].....

View 4 Replies View Related

Cisco Firewall :: ASA 5500 - Get Firewall License To 500 Users?

Jan 25, 2012

I purchased the license P/N: ASA-CSC20-250U-1Y with Description: ASA 5500 CSC-SSM-20 250-User License Only Renewal (1-year)
 
But I had a mistake because I need support to 500 users. Now, to solve my mistake I want to know Do I can purchase another ASA-CSC20-250U-1Y to provide the 500 users suppor?
 
I mean, ¿are two (2) ASA-CSC20-250U-1Y equivalent to the 500 user license listed below?P/N, ASA-CSC20-500U-1Y  with Description: ASA 5500 CSC-SSM-20 500-User License Only Renewal (1-year)

View 1 Replies View Related

VPN Doesn't Work Properly?

Jan 11, 2011

I have an problem with VPN connection on notebooks. Sometimes the VPN connection works perfectly, and other times it just doesn't work at all.The Cisco VPN client software is version 5.0.04.0300. Operating system is Windows XP Prof SP2.When the connection fails, the client statistics window shows "Bytes Received: 0".Rebooting the system, has no effect

View 1 Replies View Related

New Share Doesn't Work

Jan 27, 2011

Normally, when one right clicks on a drive letter having opened 'My computer', then select 'Sharing' there is a warning about sharing a whole disk and the option to accept anyway.One laptop doesn't offer that. It just shows the admin share of C$ immediately. If I choose 'New' at the bottom of the panel a new drive letter and drive name can be entered but it can never be accessed over the network! It shows up in the workgroup but I get a network error 'Network path not found' if I try to access it. I can ping the laptop from anywhere by name and IP address.The laptop can access all the other PCs without any problem.

View 12 Replies View Related

Cisco :: LMS 4.2 Syslog Collector Doesn't Work

May 21, 2013

my LMS 4.2, syslog collector on LMS doesnt working even service syslog collector running normaly and also i saw in syslog_info is working to collect syslog from all router but not show up in dashboard monitoring.I have setting on every router to logging (ip address LMS) but on LMS no any syslog from router can collect.i did a selftest from LMS there are all PASS except nslookup fail, it is has relation with syslog not show up on dashboard?

View 5 Replies View Related

Cisco Wireless :: Air-AP1142-e-k9 Doesn't Work With 802.11n?

Jun 29, 2012

I bought cisco AP (air-ap1142-e-k9) and we know this ap works with 802.11a/g/n same the description note on the package cartoon but my problem is when i configure that ap its work only with 802.11a/g i tries to make it works with 802.11n but fail .

View 3 Replies View Related

Cisco WAN :: 881 3G Won't Work - Doesn't Receive IP Address

Jan 26, 2011

I'm trying to configure Cisco CISCO881G-K9 3G router to connect to mobile network without success. The cellular interface gets up but it doesn't receive IP address. It seems that profile isn't activated and it should've been.
 
I've attached running config and some other information gathered from router.

View 7 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved