Cisco Firewall :: ASA 5540 And FTP Over Implicit TLS / SSL Client

Jan 3, 2012

I am having the EXACT same problem as this user:URL
 
Error:   GnuTLS error -53: Error in the push function.
Response:   425 Can't open data connection.
Error:   Failed to retrieve directory listing
Response:   421 Connection timed out.
 
However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.

View 1 Replies


ADVERTISEMENT

Cisco VPN :: 5510 / 5540 / 5550 / 5580 - Series Firewall L2L And Client VPN

Feb 17, 2011

I want to privatize the outside interfaces of my ASA firewalls however I need a public IP address bound to an Interface to support L2L and client VPN (using the Cisco client software). What I'd like to do is route to the firewall privatized outside interface and have a DMZ interface with a public IP address on it for VPN peering. Ideally this would allow me to build rules on the outside interface limiting communication to the DMZ interface to IPSEC only. Thus VPN tunnels would traverse the outside interface and terminate on the DMZ interface giving me granular control of the peers and protocols allowed to the each the DMZ interface.  

Platforms: ASA 5510, 5540, 5550, 5580 
Versions: 7.2(4)33, 8.2(2) 

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Global Implicit Rule

Nov 24, 2011

I got a Global Implicit Rule problem with my Cisco ASA 5510. Here's my configuration : url...I created a PAT translation so that my web server (group LAN Network) could be accessed from the Internet.Although every rule seems to be ok, i got a "tcp deny access" when i try to telnet my public IP on port 80 (ping is ok).
 
Why is there only one Global Implicit Rule, and not one for each Interface (like in the older versions of ASA OS) ?

View 12 Replies View Related

Cisco Firewall :: ASA-4-106023 / Disable Logging Of Implicit Deny?

May 13, 2013

My syslog is full of %ASA-4-106023: Deny tcp src outside:---- by access-group "inbound-acl" messages.  I did not configure an explict deny for the access list to log these denies.how I can disable logging of denied connections?

View 9 Replies View Related

Cisco Firewall :: ASA Software 8.3 And 8.4 And Implicit Deny Rule In ACLs?

Aug 23, 2011

I have found this in documentation (the same statement for version 8.3 and 8.4):
 
" Access Control Implicit Deny #All access lists (except Extended access lists) have an implicit deny  statement at the end, so unless you explicitly permit traffic to pass,  it will be denied. For example, if you want to allow all users to access  a network through the ASA except for one or more particular addresses,  then you need to deny those particular addresses and then permit all  others. " 

Does it mean that now all ACLs shoud have created manualy deny ip any any rule at the end ? I have migrated one ASA to version 8.3 (no host connected and I can't test it) but after migration I don't see this rule at the end of all ACLs. Does it mean that all traffic will go throu ACLs on all interfaces ? I didn't find any information about this change in documents describing new software features [URL]

View 5 Replies View Related

Cisco Firewall :: ASA 5505 Implicit Rule Blocking Exchange 5040

Jul 23, 2011

I picked up a rather nasty bit of malware which resulted in a format and installation of Windows Ultimate 64, all well now except i cant get the wireless to work, downloaded assorted drivers from the dell support directory but to no avail, so questions are-:am i missing something obvious (windows function button for wireless does nothing)what is the correct driver for the N5040 and are there any tricks in getting it to work.

View 1 Replies View Related

Cisco VPN :: ASA 5540 AnyConnect Client Certificate Authentication

Jan 22, 2012

I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 2 Replies View Related

Cisco VPN :: ASA 5540 - Client On Windows 7 With No Remote Access

Feb 22, 2011

Recently i have received one of my collegue's laptop that is running windows 7.I have installed cisco VPN client version 5.0.07.0290 on it and  VPN client appears to connect to our ASA5540, but we are unable to connect (remote desktop) to any machines on our network as it does on our XP laptops.  Furthermore, we cannot ping any as well.  Also, while connected the Windows 7 machine is still able to access internet site as if split-tunneling was configured, which its not.
 
But after some searching , i found from "routeprint" output (shown below ) that my local internet gateway is prefered over the VPN gateway which is 10.10.4.1.Here 10.10.4.19 is the IP address assigned for VPN adaptor.
 
Network Destination        Netmask          Gateway       Interface  Metric          0.0.0.0                    0.0.0.0      192.168.1.1      192.168.1.2     25          0.0.0.0                    0.0.0.0        10.10.4.1       10.10.4.19    100
 
But after i manually add the below route on windows 7 laptop , it started connecting to remote desktop successfully.
 
route change 0.0.0.0 mask 0.0.0.0 10.10.4.1 metric 20
 
But aftersome time of idle state , it is again going back to original route state of prefering the local gateway of 192.168.1.2 and thus unable to connect to Remote Desktop again.

View 3 Replies View Related

Cisco VPN :: 5540 ANyConnect Client Certificate Authentication

Jul 13, 2011

want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
 
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 3 Replies View Related

Cisco VPN :: Configured Client-less SSL VPN For Access To ASA 5540 Internal Network

Oct 31, 2011

I have configured Clientless SSL VPN for access to ASA 5540 internal network. Still I am unable to take ssh to my core switc [code]

View 5 Replies View Related

Cisco VPN :: ASA 5540 - Client IPsec Authentication Using Digital Certificate

Sep 11, 2011

I need some clarification with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
 
I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the Cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used. [URL]. 
 
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA. The dhcp pool is to be issued by the domain controller on the inside network and not on the firewall. Any examples or best practice steps to achieve this.

View 8 Replies View Related

Cisco Firewall :: ASA 5505 - Cannot Add Rule Without Deleting Implicit Rule

Jan 18, 2011

what is the purpose of the "Permint all traffic to less secure networks".
 
Well I know the purpose and the technique to handle some sercurity level is nice. when I cannot add add a rule without deleting this implicit rule?
 
The technique of security level is then obsolete?

View 8 Replies View Related

Cisco Firewall :: ASA 5540 - Version Change In Firewall?

Mar 15, 2012

How are asa5540 in high availability mode upgraded for their versions.

View 1 Replies View Related

Cisco Firewall :: Polycom HdX8000 Behind ASA 5540 Firewall?

Dec 28, 2012

I am encountering some problems setting up my new polycom hdx 8000 behind ASA 5540?I have opened reuired ports through the firewall ( incoming and outgoing). I have enabled inspection h323 on ASA and enabled the option NAT is 323 compatible on Polycom.
 
3230-3243 tcp
h323 tcp
h323 udp
3230-3285 udp
 
Here is the problem.I get connected to the call but I cannot  the remote site cannot see and hear me.But I can see and hear them.

View 9 Replies View Related

Cisco Firewall :: ASA 5540 Upgrade From 7.1 To 8.4

Jul 16, 2012

i need to upgrade ASA 5540 from 7.1 to 8.4 for secure connect feature of Cisco Jabber Configuration. Support forum guides that, i need to follow upgrade path from 7.1 --> 7.2  --> 8.0 --> 8.2 -->8.4 and also do a memory upgrade from 1GB to 2GB.
 
[URL] 
 
I need to use this feature for only three or maximum four users in company then would i really need to do  memory upgrade? or can i go with 1GB memory?also how i can get the prices of part number "ASA5540-MEM-2GB=" at cisco.com?
 
ASA-ISB-HQ# sh version  
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)

[Code].....

View 2 Replies View Related

Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control

Nov 19, 2011

ASA5540# sh run nat-control
no nat-control
 
this means higher security can talk to lower security without NAT rules
 
Question 1) - if I want higher security zone to to talk to lower security with NAT rules. I would use statements like below. Am I correct?
 
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
 
global (dmz) 1 interface
global (inside) 1 interface
 
Is this correct? So in this case I am kindly of like overriding the no nat-control statement ...right?
 
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
 
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
 
And do I have to have a global statement for NAT 0 ...like below?
 
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-

View 2 Replies View Related

Cisco Firewall :: Cannot Log In To ASA 5540 ASDM After Configuration IPS

Jun 10, 2012

I Have Cisco 5540 with AIP-SSM-40, recently i config AIP-SSM-40 to capture all traffic from all interface any to any with promiscous mode and if card fail traffic still flow throuh asa, but after that i can't login to cisco ASDM, the error is "Un Able To Launch Device Manager From xx.xx.xx.xx"               

View 2 Replies View Related

Cisco Firewall :: High CPU Utilization On ASA 5540

May 11, 2008

I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high cpu utilization bugs, but none looked to be relevant. How I can find the root cause of the CPU high utilization?

View 2 Replies View Related

Cisco Firewall :: ASA 5540 - NAT Not Working After Upgrade

Apr 26, 2011

Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
 
Here's the lowdown:
 
Our public IP for our IronPorts ends in .167.  That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
 
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts.  Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
 
After the code upgrade, the nat won't work.  No email sent or received.  Nothing but Deny's on the ASA with flags reading either "SYN" or "RST".  IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN  on interface outside
 
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.

View 6 Replies View Related

Cisco Firewall :: Reasons To Upgrade ASA 5540

Apr 29, 2012

I have two Cisco ASA 5540, these ASA running ver 7.2. and used mainly as VPN gateways.My question is simple, Apart from the extra AnyConnect client functionality and the higher encryption, is there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x ?

View 4 Replies View Related

Cisco Firewall :: ASA 5540 Simulation In GNS3

Jan 26, 2013

I have to use GNS3 for simulate ASA5540.but it does not work. I've installed latest GNS3(0.8.3.1 all in one) in Win7 32bit environment, and used IOS file is asa842-k8.bin.but i can't unpack it properly. it said "Couldn't find any ZIP header in asa842-k8.bin".

View 2 Replies View Related

Cisco Firewall :: Asa 5540 8.2.3 Arbitrarily Reload

Dec 19, 2011

I have two ASA 5540 working in Active/Standby mode. After I've upgraded them to 8.2.3 ver. I have the following issue: once a day presently active device arbitary reloadI have no err in show version and in syslogs:11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 1011:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.

View 4 Replies View Related

Cisco Firewall :: ASA 5540 SSH Not Working From Outside Port

Mar 13, 2011

We are try to connect ssh via outside system (from Internet) its was not getting connected.
 
When we try to connect from outside pool of ip than its working.

View 1 Replies View Related

Cisco Firewall :: ASA 5540 IPS Module Removal

May 20, 2012

I have 2 ASA 5540's that I want to run in HA A/F.  The active ASA has an IPS module running.  I no longer need this and would rather remove it than purchase another module for the spare.  What is the process to do this safely? After removal will the HA wizard recognize that the module was removed or do I have to update the software?

View 3 Replies View Related

Cisco Firewall :: ASA 5540 / Nat Line Removed From 8.4(3) To 8.4(4) 1?

Sep 23, 2012

we have noted the automatically removing of the only "nat (inside,any)" line, during the upgrade of ASA 5540 from 8.4(3) to 8.4(4) 1: why ?

View 1 Replies View Related

Cisco Firewall :: Unable To Run FTPS (FTP Over SSL) Across ASA 5540?

Mar 19, 2012

there was remote FTP - users behind ASA5540 can connect to it.
 
Now, with this ftp there is SSL/TLS encryption added and users behind this ASA can't connect to this FTPS.
 
It this possible for users behind ASA to connect to FTPSs?

View 2 Replies View Related

Cisco Firewall :: How To Load IOS From ROM Monitor In ASA 5540

Jul 20, 2011

I was looking in the CISCO webpage how to load an IOS from a tftp server but i got some questions:
 
I got the information from this webpage: [URL]
 
rommon #1> ADDRESS=10.132.44.177 <---- Which IP address? the one that I got on my firewall?

View 3 Replies View Related

Cisco Firewall :: Getting ASA 5540 Default Contexts?

Apr 19, 2011

Q1. I would like to confirm like how many total of contexts do I have by default when I purchase the ASA 5540 ? are they two contexts aside from the admin context or two contexts including the admin context?
 
Q2. can I configure the default box with High Availability using the default contexts?

View 3 Replies View Related

Cisco Firewall :: ASA 5540 - BGP Dynamic Routing

Jan 10, 2012

Does ASA 5540 support BGP routing protocol to be configured on it??
 
I'm talking about the latest versions.

View 3 Replies View Related

Cisco Firewall :: ASA 5540 To Block Software

Aug 10, 2012

I have an ASA 5540 , how can i block softwares like TeamViewer , VPN Adapters like Hamachi and all. Also , I have tried URL Blocking but i suppose ASA supports only HTTP url block and not HTTPS.

View 2 Replies View Related

Cisco Firewall :: ASA 5540 8.2 - Way To Make A Simple PAT

Sep 3, 2012

I have a cisco ASA 5540 and i cant make a simple PAT (many private IP to one public IP). Below you can find my conf.

[code]...

View 4 Replies View Related

Cisco Firewall :: ASA 5540 - Code Versions / 8.4 Or 9.x

Feb 28, 2013

I am in the process of rebuilding our ASA 5540 pair.  We are currently on 8.2 code with this set of firewalls and I was going to upgrade it to 8.4 being I have a couple of other firewalls running this code currently and am familiar with it.  That said, I saw that the 9.x code is out there now.  Are there any major advantages or caveats with the 9.0 code?  I plan to use this firewall with SSL VPN and RSA Secure ID integration for the next 2-3 years at least. Any quick pointers on these two code versions and on upgrading to 9 or staying with 8.4 line.

View 2 Replies View Related

Cisco Firewall :: WCCP Redirection On ASA 5540?

Apr 3, 2013

I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK,  there is Here_I_Am and I_See_You packets
  
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B
 WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B
 WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C
 WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C
 WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
  
From show WCCP i saw that WCCP engine and ASA were detected
 
FW# sh wccp 
Global WCCP information:
Router information:
Router Identifier:                   200.X.X.X
Protocol Version:                    2.0

[code]....

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved