Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
 
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.

View 17 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5520 CIFS Doesn't Work For Share Folder On Windows Server 2008 R2

Jun 26, 2010

I am using ASA5520 with webvpn for file sharing. But recently we just upgraded the OS that accommodate file shared folder from win2003 R2 32bit to windows server 2008 R2 64bit. Now I have a problem with accessing file share by ASA webvpn, it appears error contacting host, we have tested the file shared of webvpn on the other OS windows 2003 and windows 2008, they are working on these OS except win2008 R2. Current the ASA OS version is 8.0(2). And the windows firewall has been disabed.

View 3 Replies View Related

Cisco Firewall :: ASA5505 - Can't Get Home Webserver Published To Outside Interface

Aug 17, 2011

I've tried to get my head around this but beeing used to Juniper and Watchguard devices I just can't get my home webserver published to the outside interface.I have a ASA5505 with ASA version 8.4 and ASDM version 6.4 and the basic license.

Outside interface is X.X.X.32/255.255.255.248 so I have 5 static IP:s on my external interface, .34 is in use for the outside interface.

Inside 10.10.10.0/25
DMZ 10.0.0.0/24
 
I have a webserver in DMZ located at 10.0.0.253 and would like to publish it to the external IP X.X.X.35.I've tried to make the static NAT but every time I do either nothing goes in or out of the DMZ zone or you can't access the webserver from the outside interface.Right now I deleted all trials since none of them work so only the basic config is applied. Everything get's NAT:ed to the external interface .34 IP.

View 4 Replies View Related

Cisco Firewall :: ASA 5520 Cable Based Failover

Oct 2, 2011

What kind of cable is used for failover in asa 5520 ? 

View 11 Replies View Related

Cisco Firewall :: PIX515 URL Filtering Doesn't Work

Nov 14, 2011

I have one outside interface with global IP address 1.1.1.1 and two inside.Both inside interfaces restrict and non_restrict have private IP addresses.I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.I can access prohibited URL from restrict interface. What's wrong in my URL filtering?
 
Here is my config:
 
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names

[code]....

View 1 Replies View Related

Cisco Firewall :: Restored ASA 5505 Now VPN Doesn't Work

Jun 3, 2013

A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
 
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly.

View 3 Replies View Related

Cisco Firewall :: Policy NAT Setting Doesn't Work On PIX 6.3(3)

Nov 30, 2012

I have a server in a network DMZ (IP 192.168.40.43) need to do discovery of other IP address to update the IPAM tool. It should not be done source NAT so I´m trying to use the configuration below with Policy NAT but isn´t working:
 
nameif ethernet1 inside security100
nameif ethernet5 dmz8 security55
!
ip address inside 10.56.12.93 255.255.252.0

[Code]....

It´s following message appears "% PIX-3-305005: No translation group found for icmp dmz8 srv: 192.168.40.43 dst inside: 10.38.36.50 (type 13, code 0)".

View 10 Replies View Related

Cisco Firewall :: ASA 5520 With CSC SSM Filter Won't Work

Sep 30, 2012

We have Cisco ASA 5520 with csc ssm 10 (product ver. Trend Micro InterScan for Cisco CSC SSM 6.6.1125.0)in Web>Global settings> URL filtering > Rules > Communications and Search> Social Networking category is set to block during work time and allow during leisure time(see the attachement), but rule for this category won't work. I mean social networking sites are always remain allowed.

View 2 Replies View Related

Cisco Firewall :: 5520 - Active FTP Does Not Work

Oct 9, 2011

I have an asa 5520 that works fine if you are using passive ftp and ftp inspection is on globally. It is not working for an active ftp session. I tried allowing all ports back to the external ip address of the internal client as a test and this did not work either.
 
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.2(3) 
policy-map Global_Policy

[Code].....
 
I read another article saying that this command needs to be on the asa "fixup protocol ftp 21"
 
If this is enabled will it show on the firewall?  How do I enable it?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 Failover Did Not Work?

Apr 17, 2011

I am having ASA 5520 with active/standby configured. Around 2 days ago, the ASA stopped responding & all of my websites stopped working. when i checked the failover status it said that failover is off. I had to manually turn the failover to start my traffic flow.During this time my secondary ASA was not responding. After some time, the primary stopped responding & secondary became active......to solve this i had to make the secondary unit as failover unit primary & the primary unit as failover unit secondary. i did get a log on ASA :-
 
“(Primary) Disabling Failover” with error message no.105001 which states the below:-
 
Error Message %PIX|ASA-1-105001: (Primary) Disabling failover.
 
Explanation In version 7.x and later, this message may indicate the following: failover has been automatically disabled because of a mode mismatch (single or multiple), a license mismatch (encryption or context), or a hardware difference (one unit has an IPS SSM installed, and its peer has a CSC SSM installed).(Primary) can also be listed as (Secondary) for the secondary unit.

View 1 Replies View Related

Cisco Firewall :: Internet Doesn't Work On ASA 5510 For Backup ISP

Feb 15, 2012

I have a ASA 5510. I setup basic configuration to test internet with 2 ISPs. My first line works with out any problem. But my second line doesn't work. Even when i wipe the configuration, and setup only my second isp. Internet doesn't work. Can you tell me if there is anything wrong with this config?
 
CaaaA01#  sh run
: Saved
:
ASA Version 8.3(1)
!
hostname CaaaA01
domain-name example.com

[code].....

View 2 Replies View Related

Cisco Firewall :: L2TP IPsec Doesn't Work On ASA 5510

Dec 21, 2010

I'm trying to setup a L2TP VPN Connection on my ASA 5510 to connect with Android/Windows (Native Clients).I'm using the newest Releases:Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.3(5)
 
My asa config just the interesting part:

crypto ipsec transform-set trans esp-3des esp-sha-hmac crypto ipsec transform-set trans mode transportcrypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map dyno 10 set transform-set transcrypto map vpn 20 ipsec-isakmp dynamic dynocrypto map vpn interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400no crypto isakmp nat-traversal

[code]....
 
If i try to connect with a Windows 7 Client (NOT behind NAT) I get the Error 691.
 
I see that Phase 1/2 are working with debug:
Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED
Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)
 
Then I see this "Error":

Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated
  
I don't understand why it doens't work....I tried many templates from the net but nothings works.

View 5 Replies View Related

Cisco Firewall :: 8.2 (ASA5510) / 8.4(2) (ASA5505) - Why Doesn't Route Map / Set IP Next-hop Work

Jan 2, 2012

I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
 
access-list 101 deny any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any
 
route-map proxy-redirect permit 101
     match ip address 101
     set ip next-hop 10.0.2.2
 
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
 
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?

View 2 Replies View Related

Cisco Firewall :: ASA5505 And Asterisk Remote Softphone Doesn't Work

Jan 5, 2012

I have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
 
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
 
These are configuration lines:
 
object-group service elastix-ports
service-object udp eq sip
service-object udp gt 10000

[Code]......

View 1 Replies View Related

Cisco Firewall :: 5500 Blocking Skype Application Doesn't Work With ASA CX

May 12, 2013

I'm trying to build different content security scenarios for a potential deployment of ASA5500-X series firewall with CX module and ran into a trivial problem. A simple access policy has been configured to deny Skype. It's as simple as it sounds. To my surprise I don't see that it is being enforced.I have all my pending changes committed, events are now showing with hits, see attached print screens. Tried to start Skype on my PC with the source shown on the print screen it and don't see any effects of this policy.
 
As a side note, I know for sure that other type of filtering does work, i.e. I have configured a deny filter for gambling URL category and it seems to work nicely.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Saving Config Via Scp Doesn't Work After Updating To 8.24

Apr 5, 2011

since our update of Cisco ASA 5510 (active/standby cluster) from version 8.22 to version 8.24 it isn't possible to transfer files from/to a sftp client. The request just times out. SSH from this client is possible.

[Code]...

View 2 Replies View Related

Cisco Firewall :: Would A 1GB 5510 Memory Stick Work In A 5520

Sep 19, 2012

Are the ASA memory DIMMs created for specific models?  Would a 1GB 5510 Memory stick work in a 5520?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 / Finding A VPN Client That Could Work With Honeywell PDA?

Aug 30, 2012

I got a question a about is there a Cisco VPN client that can be used with Honeywell PDA and Cisco ASA?
 
* Firewall
 
Cisco ASA 5520
 
IOS: asa832-k8.bin
  
* PDA
 
Brand: Honeywell
 
Model: Dolphin 7800
 
O.S. Windows Embedded Handheld 6.5 Professional

View 3 Replies View Related

Cisco Firewall :: How To Configure Identity In ASA 5520

Nov 4, 2011

i have an ASA 5520 with ios 8.4 and asdm 6.4.
 
my configureation is below 
my asa interfaces 
inside ip
172.16.0.0/22

[Code]..... 
 
so now i want to configure my asa to give access to user based. what configurations should i use to do so.
 
i have attached the Edit Active Directory Server  dialuge box so what should i put there in the box's

View 1 Replies View Related

Cisco Firewall :: ASA5540 In Multiple-context SNMP / Icmp Doesn't Work

Jun 10, 2013

what´s going on with an asa540 configure in multiple-context mode.   I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
 
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
 
If I try to ping returns the same error:
 
CISCOASA/CONTEXTA#
 JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp  reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
   
Following attached the conf of my asa   My question is Why I can´t ping or even use snmp ?

View 5 Replies View Related

Cisco Firewall :: FWSM Version 3.2 - No Access-list Line X Doesn't Work

Dec 10, 2011

I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
 
FWSM/xxx03(config)# no access-list ?
 configure mode commands/options:
  alert-interval  Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny

[code]...
 
How can I remove a line from the access-list without clearing the entire access-list?

View 3 Replies View Related

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: IOS Zone Based Firewall Websense URL Filtering Feature On 881G

Jul 27, 2011

I've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
 
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...

View 2 Replies View Related

Cisco Firewall :: Unable To Edit IP Based ACL Firewall Rule In RVS4000?

Apr 8, 2012

I am a novice with networks but do have a fair understanding of networks. I have a small business network, utilizing a RVS4000 router (Firmware V2.0.27)I am attempting to set up firewall rules to block certain web sites at certain times.I have successfully set up rules using source and destination ranges, to deny service 24 hours a day everyday.
 
However and here is the problem when I attempt to edit any of the rules (I want to change the time to certain hours of the day) it allows me to edit the rule but when I attempt to save I get an error message up saying there are invalid characters and it will not save the changes?create the whole thing with the changes I want it works fine, is this a known bug?

View 1 Replies View Related

Cisco Firewall :: 1811 / Zone-Based Policy Firewall Configuration

May 16, 2011

I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything.  I had match icmp added to the class-map, but took it out to test if icmp would fail.  It didn't.  Basically, I don't think the firewall is working at all.  Any thoughts on how I can configure this so that the policies will work between zone-pairs?

Here's an quick drawing:

Here are the configurations:

 Local router:
 hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy

[code]....

View 11 Replies View Related

Cisco Firewall :: 3945 / Zone Based Firewall And WAN Interface ACL?

Mar 16, 2011

I am getting ready to deploy a 3945 ISR to serve as an internet and core router for and remote site.  I will be terminating a site-to-site VPN tunnel on it and also configuring a zone based firewall config between my "outside" (internet link) and "inside" (all internal nets).  My question is about how to approach securing the WAN interface with the Zone based FW in place?what kind of ACL do I need beyond those allowing and restricting remote access to the outside ip? 

View 3 Replies View Related

Cisco Firewall :: 1841 - Which IOS Support Zone Based Firewall

Jan 3, 2013

I have a cisco 1841 router  , and i want to configure zone based firewall on it. But the document of zone based firewall only said that "after 12.4(6)T" can support zone based firewall. I use the ios  " c1841-ipbasek9-mz.124-15.T9.bin ", but it can't support ZFW. What kind of ios support ZFW. for example: ipbase, ent base, ip service ,advent etc.

View 2 Replies View Related

Cisco Firewall :: Zone Based Firewall Performance On ASR 1004

Sep 11, 2011

we are experiencing performance issues on ASR 1004 with ZBF as our campus edge router.Symptoms:

- sending small packets from inside zone to outside zone, for example UDP packets without payload
- this way I can generate up to 150.000 pps traffic (testing with packeth software, but we have had a real example with some kind of worm/virus)
- CPU load is about 1% (yes one!) to 2% all time !! (weird)
- ASR response to pings rises very quickly up to 5 seconds which makes box unusable dropping everything what goes through ZBF (so internet connection is gone)
- if I do the ping directly from box, it seems to work fine (no rules from self to outside zone in ZBF)
- if I remove interfaces from inside and outside zone (so disabling ZBF) and do the test again, ASR response goes from normal (0.2ms) up to 2ms (still sending 150.000 pps) and everything seems to work fine)
 
According to Cisco Datasheets: routing, Qos, Zbf ... on ASR 1000 with RP1, ESP10 should be done in hardware with up to 17.000.000 pps performance.

View 5 Replies View Related

Cisco Firewall :: 2951 Zone Based Firewall

Feb 16, 2011

I am confiuring ZFW on a Cisco 2951 Router. The router has the following interfaces: [code]Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.The router is connected to a MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an ecrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
 
1-The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
 
2-The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.

View 5 Replies View Related

Cisco Firewall :: 1861 Zoen Based Firewall

May 1, 2011

having a very strange problem with a Cisco 1861 running - Cisco IOS Software, C1861 Software (C1861-ADVENTERPRISEK9-M), Version 12.4(24)T5
 
I have suddenly started to get performance issues with downloads and access through the ZBF. Without the firewall enabled and just having NAT enabled and routing  , downloads perform as expected - ( have been using Itunes download as test file ) - with the ZBF enabled , and the necessary rules installed to inspect & allow traffic - downloads stall - and the only way to get the downlaod to start again is to pause , then resume. The stalls are anything between the first 25 - 120 secs.
 
I have debugged and performed packet traces - but cant see anything untoward. I have also placed another router ( just a cheap Belkin )  on the ADSL service and again , the downloads work as expected.
 
one further thing to add is that when im tunneling through the firewall ( VPN ) , then downloads do work as expected - suggesting that the issue is with native HTTP(s) traffic..I have upgraded from T4 to T5 - and the symptons still remain - I am thinking that these may have been introduced when i upgraded to T4 a few monthes ago.

View 2 Replies View Related

Dell :: Inspiron 5520 - Windows 8 Bluetooth Device Doesn't Work

Mar 28, 2013

I installed Windows 8 on my Dell laptop and my bluetooth device doesn't work properly. When Windows 7 was installed and my laptop and my Samsung Galaxy S3 were paired I could play songs from my phone on my computer. But now it is not possible on Windows 8.

View 1 Replies View Related

Dell :: Wireless 1704 In Inspiron 5520 Doesn't Work Properly

Nov 23, 2012

it keeps disconnecting and ping breaks all the time.other laptop and phones work fine.and if i go 5-10 meters away from router it gets worse.tried new drivers and bios.even tried to change settings of wireless card still problem is there.

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved