Cisco Firewall :: ASA 5510 - Configuration For Authentication With ACS 5.X Server
Dec 30, 2012
When we are configuring ASA 5510 8.2(5) for Authenticating with ACS 5.X Server is not authentication fail error.
I have a little problem with my ASA 5510 version 8.2(1) with an IAS server RADIUS for strong authentication.
I have configured a double authentication for my client to access SSL portal:
First authentication: AD server
Secondary authentication: IAS for my token SAFENET ALADDIN
The server IAS is declared on a W2K3 and it's standard.
The problem I have is that after more than 24 hours of non-use, when I try to log in, my authentication fails the first time and then the other tries work fine as long as I use it within a period of 24 hours.
I first thought about the timeout, so I tried to put a "timeout" of 15 seconds for the AD and IAS servers and a "retry interval" of 3 seconds; it doesn't change much.
Is there a tool/option in the ASA to check connectivity with the RADIUS every 1h, for example?
I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users.
What I want to do is simple: being able for any member of the Administrators group to authenticate on our ASA5510 based on the AD credentials.
What is correct CISCO procedure for that?
I have a strange problem in my ASA 5510 firewall. I turned on HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use a simple web browser to access the svn server, it works, but any svn-client requests fail with an error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the WebDAV request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of success and failed conversation packets:
Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
Packet #4 is the actual differentiator.
I found one mention of that error with this assessment: "Older firewall/proxies do not understand the WebDAV related HTTP requests for accessing Subversion using HTTP" [URL] in that post, but not any useful tips.
Can I have on ASA 5510 multiple pools and multiple group authentication for various departments along with restricted access, if any?
I've gotten to the point where I can test against Active Directory and get in; also I can get AD groups from my server on the ASA. My problem: I can't connect in via my AnyConnect client on my Android. I immediately get a "log in failed" and I know I'm using the right username/pass. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. Also, I've used ldp.exe to determine I can connect in with the username/password combo I'm using. Combing through the AnyConnect logs I see a few instances of "global error unexpected" but no Google searches have brought up anything useful.
I am using ASA 5510 and I am trying to understand how PAT works. I want to add a Mail Server in the LAN and a webmail using port 3000 on the server (webmail must be reachable from the WAN). This is my configuration: currently LAN users access the internet using NAT with one global IP (194.x.x.69), which is the ASA WAN interface.
WAN ----- ISP Router ---------- FW ---------- LAN -------- Mail Server + Webmail
| (25) | (3000)
194.x.x.69 192.168.1.254 192.168.1.6
I need to forward port 3000 and port 25 from outside to inside. For example, from the WAN: [URL] must be redirected toward 192.168.1.6:3000. What is the correct configuration? And what about the inside/outside traffic, is there any configuration to add?
I have a Cisco ASA 5510 connected to 2 private LANs (1 for my HQ PCs {inside} and 1 for the worldwide MPLS {outside}). It is also connected to the public internet at interface "public" and my DMZ at the "dmz" interface. I suspect I have a routing issue because packet-trace yields allow, the NAT looks OK and the objects look OK, at least to me, but I'm the one with the non-working config so... Basically this is the desired flow:
1. I need all traffic from the inside to be able to flow to the outside unimpeded as they are both trusted networks. (this is ok right now as I allow everything via access-list 101.)
2. I need any host on the public internet to be able to reach a server on the dmz via the pat which I set up from the "public" interface to the "DMZ" interface. The desired flow would be that the person on the internet types in [URL] and this is directed to the public interface ip which forwards to the webserver object on the dmz. (I cannot get this working any which way)
3. I need the dmz to be able to communicate with another server on the mpls via the "outside" interface when it receives the request from the public; it then checks with this other server on the outside via nat (translating the dmz range into the ip of the outside interface on the firewall).

I have a default route that points to the mpls or outside interface for 0.0.0.0 0.0.0.0 via 10.x.x.1 (and although I'm not sure, I suspect this could be conflicting with traffic that needs to be sent to the "public" interface, meaning that the firewall should dump packets bound for 0.0.0.0 0.0.0.0 to the public interface, 184.x.x.194, but I'm very reluctant to change the default route as this is in production and I'm not sure how it will affect traffic). However, I do suspect that if I changed the route from default to static as such:
route 10.0.0.0 255.0.0.0 10.x.x.1 (this would get all lan and mpls traffic to the mpls gateway)
route 0.0.0.0 0.0.0.0 184.x.x.193 (this would send everything else from public to the public internet gateway)
I think this is accurate, but then I would be bypassing my corporate internet proxy which is behind the mpls gateway at 10.x.x.1? Is there a way to get http traffic originating from the lan (10.x.x.x) to use the mpls gateway and http traffic for the dmz to use the public internet gateway at 184.x.x.193? I don't want to start causing a flow problem for the internet, nor do I want to bypass my corp internet proxy.

Either way I cannot get this to work; even though the logic checks out, I cannot get even a ping response when I allow icmp any any for testing. Note: I can ping resources on each network from the firewall, not only its own ports in the associated network but other resources on those networks as well.
Here is the running-config:
ciscoasa# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name marcjacobs.lvmh
[code].....
I am attempting to set up FTP behind this new Cisco ASA 5510 we just bought. I haven't configured a Cisco device in 5 years, so I am having issues. I think I am close. If I FTP from an outside (fixed) IP, it connects and takes the password but hangs on PASV and gives no data connection. Below is my configuration. It is simple since I seem to have the connection inside correct, and yes, you can connect to the FTP server from inside without issue.
Code...
I have one ASA 5510 with base license. Now we wish to add one backup ISP for VPN failover. Is it possible to configure a backup ISP with this ASA 5510, and how?
Check ASA features
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(1)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
Cisco asa up 3 hours 35 min
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
We have some users who use Citrix outside the corporate network through the Citrix web interface. These users are high-priority users and we want to prioritize the Citrix traffic. I want to make sure that my configuration will fulfill our requirements. Below is the configuration I was thinking to implement:
ASA(config)# priority-queue outside
ASA(config-priority-queue)# exit
ASA(config)# access-list CTX-QoS extended permit tcp any 10.1.1.200 255.255.255.255 eq https
ASA(config)# class-map CTX-QoS-CMAP
ASA(config-cmap)# match dscp ef
ASA(config-cmap)# match access-list CTX-QoS
ASA(config-cmap)# exit
ASA(config)# policy-map CTX-QoS-PolicyMap
ASA(config-pmap)# class CTX-QoS-CMAP
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# exit
ASA(config)# service-policy CTX-QoS-PolicyMap interface outside
I have created the following config for an ASA 5510. I implemented a DMZ on it. Is this config as secure as I can get it? I want the web server in the DMZ to only be able to access port 80 and 1433 on the SQL box inside.
ASA Version 8.2(1)
!
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
BTW, the ASA is running version 7.0 (8) and I'm doing this through the command line.
I've got a group of workers coming in a couple of times per week that need wireless access to 1 printer on our network and internet access; I'll deny them access to the rest of our LAN.
I've already configured an AP with WPA2 on a separate subnet and put a router between it and our network. I've set up the router to apply an ACL to allow access to the printer's IP, deny to the rest of our main subnet, and permit everything else to go to our ASA 5510 that is serving as our gateway. From a laptop connected to the access point:
- I'm able to ping the printer's IP
- I'm not able to ping other workstations or our servers, as intended
- I'm able to ping the ASA's inside interface
The only part I can't seem to pull off is the final part of getting the ASA to translate the IPs from the new subnet to the outside interface.
So we have:
Laptop > Wireless AP > Router with ACL > Primary LAN > ASA5510 > internet
PAT is working fine for the primary LAN, but the laptop can't hit the internet.
I want to configure ASA 5510 to send syslog messages to a syslog server which I placed on my inside interface. Also, will enabling syslog increase the CPU utilization or memory? The necessary configuration parts?
Creating a DMZ with my current configuration. Most of my configuration has been through the ASDM as I am still learning. I'm looking for a good tutorial through the ASDM to get me on my way. What I need to accomplish is this:
I have an internal GIS server which needs to have a constant database connection to a remote GIS Server which is already configured. I've got a separate VLAN set up on my 3750 switch which connects to the DMZ configured port on my ASA with a security level of 50. My GIS server has been placed in the DMZ VLAN which is accessible from my internal clients. I have a /30 Internet block which is being used for Internet and VPN. I have a separate /28 block that I'm assuming I'll need for the DMZ to work properly.
Will give configuration of NAT for my internal users with 192.168.1.0/24 with single public IP.
I am new to configuring IOS version 8.3.
I'm working on getting an ASA 5510 set up and am having major difficulties. I'm really new to ASA and coming over from Microsoft ISA. Below is my configuration, how to get this all sorted out. As of now it doesn't appear that any traffic is going through, whether it's incoming or outgoing. [code]
I've a problem with syslog logging on my Cisco ASA 5510 version 8.2(1). I need to:
- 1) log some ACL with warning level to log deny access.
- 2) log some ACL with informational level to log permit and deny access (notification level log only deny access and not permit access).
- 3) not log others ACL.
For 1), I configured the syslog server with warnings level and I enabled the logging rules with default level (syslog default level)
logging enable
logging trap warnings
logging host "interface" "host"
access-list "interface" extended permit ip any any log default
For 2), I enabled the logging rules with specific level (informational).
access-list "interface" extended permit ip any any log 6 interval 300
For 3), I disabled the logging rules.
access-list "interface" extended permit ip any any log disable
My problem is that the syslog logging level bypasses the ACL logging level. Even if some ACLs are configured with informational level, the ASA sends only warnings logs to the syslog. I tried to configure the syslog default level to warnings, to remove the ACL and then put it back again with the specific logging level, but I still have the problem.
I have an existing Sonic FW in my company; we are moving from Sonic FW to ASA 5510 Security plus lice. I have two ISPs currently connected to the Sonic firewall. I am planning to implement a dual ISP configuration on ASA5510.
I have a Cisco 877-K9 router which sits behind an ASA 5510 FW. The design:
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, my DMVPN configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke and vice versa. I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at a Spoke site, nor am I able to ping my LAN from any Spoke site. I've googled a lot but have come across designs where the ASAs are behind the Cisco routers and not in front.
What protocol the firewall configuration replicate and monitor the interfaces?
I have new ASA 5520 units; currently we are using ASA 5510... I have to migrate all the configuration to the new ASA 5520 units.... I am wondering, is there a possible way to export and import certificates from ASA 5510 to 5520....
How to export or copy all the configurations, plug-ins, certificates from 5510 to 5520.
Existing configuration snapshot...
CA certificates from third party installed for authentication and identity certificate from Verisign
WebVPN
Anyconnect
Plug-ins
IPSEC tunnels
NAT
I have configured redundant interface on ASA 5510
interface Redundant1
description *** INSIDES NETWORK ***
member-interface Ethernet0/1 (This is a 1000Mbps Port)
member-interface Ethernet0/2 (This one is 100Mbps)
no nameif
no security-level
no ip address
[code]....
Then... i issue following command and its OK!
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
[code]...
It transfers correctly, then I no shut and go back to the normal primary core switch Gi0/30 interface again, BUT the redundant interface does not revert back. I issued this command again; BW remains 100Mbps.
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
[ code]....
I did manually shut down and no shut the secondary core switch interface Gi0/30 Its changed correctly to 1000Mbps .
I want to configure ASA 5510 with complete redundancy for the first time. I have already studied all the material from the Cisco web site, but there is a lot of material available and I'm confused about the exact material for my requirement.
This is current configuration:
active# sh running-config
: Saved
:
ASA Version 8.2(5)
[Code].....
I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.
Configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
IP Details are below.....:
interface Ethernet0/0
nameif outside
security-level 0
[Code].....
We have 2 ASA 5510's set up in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not fail over to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs, but in our case it does not appear to be working correctly.
I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
I have turned on the aaa command authorization without applying adequate privileges to the user. I can now log in through that user but the ASA 5510 displays an error:
ASA 5510# show running-config
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed.
I am unable to make any configuration changes on the firewall. Is there any default user through which I can log in and disable the aaa authorization? If not, how can I resolve this situation?
Is this possible, and if so what commands do I need to configure on my ASA 5510 for it to work? I have two web servers within my DMZ and I want to access the outside URL of one of the web servers from the other. Currently I can access the internet from both web servers but not the URL from either web server.
E.g. config
webserver 1 https://xxxxxx.xxxxxxx.com ---> public ip---> dmz ip
webserver 2 https://xxxxxx.xxxxxxx.com ---> public ip---> dmz ip
I bought an ASA 5510 about a week ago, very basic configuration, and my priority was and still is to get an access list inbound on the outside "Security Level 0" so I can access my web server from the cloud, but unfortunately I could not make it work (((TCP access denied by ACL from 92.40.X.X/52511 to outside:81.108.X.X/80))). --> 92.40.X.X is a PC from the cloud that I used to access my web server and 81.108.X.X is my public IP address. My recent conf is as follows:
Nat Section:
==================================================================================
Dynamic:
nat (inside,outside) source dynamic any interface <<<To have the PCs that inside the Network to have access to Internet>>>>
[Code].....
I cannot have "dns server-group" on my ASA 5510. Could you tell me how to get this command on my ASA 5510?