Cisco Firewall :: ASA 8.4 Regex Substitution

Apr 3, 2011

I would like to setup a regex substitution rule.  For example with an HTTP response if the work CAT is present I would like to have the ASA change the string to DOG. 
 
This is not the exact problem I want to solve, but it is concept.  I am running ASA 8.4.1. 

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: URL Filtering On ASA 5510 With RegEx But Getting Unexpected Results

Feb 28, 2013

I'm trying to block access to dropbox.com on our ASA5510. I have it setup and it blocks dropbox.com just fine. But it is also blocking google.com. I can't figure out why.
 
Here's my config. When it blocks google, it blocks it with the terminated by inspection engine, reason - disconnected, dropped packet.
             
regex Block_Dropbox ".dropbox.com"
access-list URL_Filtering extended permit tcp any any eq www
access-list URL_Filtering extended permit tcp any any eq https

[Code]......

View 6 Replies View Related

Cisco Firewall :: Access List Object Name Substitution ISR871 And ASA5520

May 10, 2011

I am troubleshooting a s2s vpn between an ISR871 and my ASA5520 and I suspect a problem with my crypto-maps.
 
Is there a way I can display an access-list on the ASA and have the object names substituted with their IP addresses?

View 5 Replies View Related

Cisco VPN :: ASA V9.0.2 Web VPN LDAP Macro Substitution For Home-directory

May 27, 2013

I am trying to get the LDAP homedirectory attribute mapped to the WEBVPN_MACRO substitution variables.The orginisation has multiple sites and users have their hame drives mapped on different servers. This is 100s of sites.I cannot find any relevant documentation for the WEBVPN_MACRO Substitution apart from it is unfounded!I am running ASA v9.0.2.               

View 1 Replies View Related

Cisco Firewall :: 5515x Apply On Firewall / Switches To Make Implementation Successful

Apr 22, 2013

I will be implementing a new firewall (cisco asa 5515x) on my existing  3750x (server switches) and my 2960s (user switches). What should I need to apply on my firewall and swtiches to make the  implementation successfull.  I will put my 3750x as my DMZ and my 2960s  as my inside.  The 3750x have multiple subnet and also the 2960s.which  features and technologies i need to know on those 3 products.  my 3750x  and 2960s don't have any ACL defined and most common features are vlan,  switchport, trunking, spanning-tree, stacking, vtp.how  my asa knows that my 3750x/2960s have multiple vlans.  my current  connection right now on 3750x and 2960s is just through 6 ports i  assigned as one trunk, below is my config [code]

my  2960s vlans are almost the same with my 3750x except vlan 160, 170,  192.  but of course when i put this in asa, i have to segragate vlan for  3750x (192, 100, 110,160, 170) and 2960s (130, 150).  for my 2960s  connection to the asa and since this will have big bandwidth, i will use  3 ports on my asa (and trunk it) connecting to my 2960s and i will use 2  ports on my asa (and trunk it) connecting to my 3750x.  the one  internet ports and my one management ports on my asa will stay like  that.

View 2 Replies View Related

Cisco Firewall :: ASA5510 - Unable To Ping From User Desktop To Firewall Inside IP

Jun 11, 2012

I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to  FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
 
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:

[Code].....

View 7 Replies View Related

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: ASA 5585 / Identity Firewall With Single Forest / Multi-Domain

Dec 28, 2011

I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.

[URL]
 
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains.  I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent.  I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1.  I looked to see if I could see domain 2 and domain 3 users and found none.  I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2.  Instead, it shows domain1 users as domain2user1.  I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work.  I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains. 

View 1 Replies View Related

Cisco Firewall :: ASA Firewall Positioning In Transparent Mode Between 6509 Core Switch And WLC

Apr 26, 2011

I do have the below setup,,
 
1. I have 6509 switch
 
2. I have 2 WLC configured in Active/Active mode connected in Trunk mode (L2 Port-Channel) connected with 6509 switch
 
3. On switch side i have configured the port as Trunk
 
4. L3 SVI for wireless users are created in 6509 switch (attached the diagram).
 
I would like to introduce a Cisco ASA 5520 firewall with AIp-SSM module so that all wirelees traffic can be inspected.
 
The issue is: Without changing any configuration in the network (switch & WLC) is it possible to introduce the firewall?

View 2 Replies View Related

Cisco Firewall :: Monitoring ASA 5505 Firewall Active / Standby Pair Using SNMP?

Sep 7, 2011

How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
 
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?

View 1 Replies View Related

Cisco Firewall :: IOS Zone Based Firewall Websense URL Filtering Feature On 881G

Jul 27, 2011

I've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
 
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...

View 2 Replies View Related

Cisco Firewall :: SSM-4GE Firewall Has 5 DMZ Segments And Specific Segment For Internet Traffic

May 23, 2013

I was asked to enable netflow in an ASA Firewall for Orion/Solarwinds server monitoration. Firewall is a 5550, with 4G RAM, and no extra modules but SSM-4GE. This firewall has 5 DMZ segments and ans specific segment for internet traffic.There are segments as unique subinterfaces in physical interfaces. Other segments as individual subinterfaces in the same physical interface (but individual VLANs)Usually firewall CPU flows between 30% to 40%. Rarely to 50%.
 
1 - How dangerous or risky could be implement netflow in this firewall?...This firewall is very critical for the customer. My concern is regrading CPU, traffic generated, memory, etc
 
2 - In a month, firewall will be migrated from 8.2 software version to 8.4 software version. Is there any incompatibility in some commands?...Would be recommended to perform netflow configuration after software upgrade?
 
3 - How could it be implemented for Orion monitoring, regarding each individual sub-interface (and so, each VLAN assigned)?I there any recommendation regarding configuration, best practices?

View 6 Replies View Related

Cisco Firewall :: ASA 5510 - Users Unable To Access Internet Through Firewall

Feb 26, 2013

I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
 
HQ-ASA-01# show  running-config
: Saved
:

[Code]......

View 9 Replies View Related

Cisco Firewall :: ASA 5510 / Multiple VLANs Behind Single Firewall Segment?

Feb 5, 2012

I need to create a firewalled segment that not only separates hosts from general population, but also from each other.  The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible.  1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
 
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9 

This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).

View 1 Replies View Related

Cisco Firewall :: Support Of Jumbo Frames On ASA 5500 Firewall Appliance?

Feb 28, 2010

Can any ASA 5500 in particular the ASA5510 firewall support jumbo frames (i.e. greater than the default standard 1500 Bytes frames)?. I plan to use the ASAs to setup a point-to-point IPSec tunnel and need an Application frame of 4Kbytes intact and not segment it.I have done little checking on the Cisco Website and see it mention of Jumbo frames on the 5580 on 10Gig interface but didn't see mention 5510. 5580s are way over-kill and expensive for what I need is to run a mission critical one IPSec point-to-point with maximum of no more than 100Kbps so 5510 is perfect for me but not sure if it can carry the jumbo frame?
 
On the routers and switches it's the MTU settings and they are configurable per interface and I am OK and the circuit is T1 which the Telcos said it's OK since it's physical layer so the only unkown is the firewall.

View 2 Replies View Related

Cisco Firewall :: Number Assigned For Firewall-group On 6509 Significant

Nov 17, 2011

Is there any significance to the parameter "firewall-group" in the command

firewall vlan-group <firewall-group> <vlan-id>…<vlan-id>?
 
In other words is the series of commands
 
firewall switch 1 module 3 vlan-group 1,2
firewall vlan-group 1 100,101,102
firewall vlan-group 2 200,201,202
 
exactly equivalent to
 
firewall switch 1 module 3 vlan-group 3
firewall vlan-group 3 100,101,102,200,201,202
 
or
 
firewall switch 1 module 3 vlan-group 1,2,3
firewall vlan-group 1 100,200
firewall vlan-group 2 101,201
firewall vlan-group 3 102,202

All three of these options associate the same set of  vlans to the FWSM but using different groupings. As far as I can tell, these groupings have no functional significance either on the switch side or the FWSM side. These are simply three different ways of specifying exactly the same thing? Am I correct?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 / Enabling Firewall To Send Logging Information?

Jun 22, 2011

I have a ASA 5510 firewall with CSC module and Security Plus license for CSC module.Will you tell me how to configure my firewall to send emails to particular mail ID when someone login into the firewall or any virus attacks from outside.

View 6 Replies View Related

Cisco Firewall :: Users Behind ASA5505 Firewall Are Unable To Access Internet

Feb 24, 2011

I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.

When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.

The ASA5505 configuration is shown below.

hostname Firewall

interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10

[Code].....

View 2 Replies View Related

Cisco Firewall :: IOS Firewall Versus ASA (5505 / 5510) For Smaller Clients (less Than 50)?

Apr 24, 2012

We were having a discussion of ios firewall vs. asa for smaller clients(less than 50). On using ios firewall(zbf or cbac)and an asa 5505/5510.  One of the arguments brought up on using ios firewall on the router is that a router will do an ip sla failover.  I have configured a number of isr's for this and i know it works good. 

View 1 Replies View Related

Cisco Firewall :: Unable To Edit IP Based ACL Firewall Rule In RVS4000?

Apr 8, 2012

I am a novice with networks but do have a fair understanding of networks. I have a small business network, utilizing a RVS4000 router (Firmware V2.0.27)I am attempting to set up firewall rules to block certain web sites at certain times.I have successfully set up rules using source and destination ranges, to deny service 24 hours a day everyday.
 
However and here is the problem when I attempt to edit any of the rules (I want to change the time to certain hours of the day) it allows me to edit the rule but when I attempt to save I get an error message up saying there are invalid characters and it will not save the changes?create the whole thing with the changes I want it works fine, is this a known bug?

View 1 Replies View Related

Cisco Firewall :: Failover ASA 5505 - Setup Second Inside Interface On Firewall?

Feb 19, 2012

I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?

View 1 Replies View Related

Cisco Firewall :: ASA 5515X - Config Loss After Primary Firewall Reloaded

Sep 23, 2012

I have a strange issue which happened to me last weekend with two ASA 5515X on version 8.6(1)2. There was a planned power shutdown which only affected the primary firewall. Failover was configured and running successfully. The configuration was also saved after every change made. After power was shut and primary firewall went off the secondary took over like it should but unfortunately all configuration was gone. We immediately powered on the primary again but also this one lost the configuration.
 
While reconfiguring the firewall we ran into another problem. The devices won't pair although it was the correct configuration. After three times removing and adding the same failover configuration the devices accepted the failover and worked together again.
 
I went through the bug toolkit and white papers regarding ASA 5515x and this particular version but were not able to find anything.

View 2 Replies View Related

Cisco Firewall :: Setting Up ASA 5505 To Be Used As Firewall Between BT Internet And 3560 LAN Switch?

Aug 23, 2011

setting up an ASA 5505 to be used as a firewall between a BT internet router(BTNet service) and a Cisco 3560 Lan switch. BT have presented me with a cisco 3800 series router with the following details:

Network Address   Network Mask  BTnet NTE Router LAN Address
      
There are 2 Gigethernet ports on the back of the router port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int ge0/1 is connected into port int e0/1 of the ASA but i am unable to get any connection.

View 21 Replies View Related

Cisco Firewall :: Ubuntu 10.04 / Firewall Starts Randomly Responding To ARP Requests For Other IPs

Aug 22, 2011

I have my firewall on IP 192.168.0.1 (for example, real IP is a class C address).  I have a web server (Ubuntu 10.04, though this happened before with an 8.04 box as well) on ip 192.168.0.101.  Everything will be functioning fine, and I won't have any issues for a while.  Then, randomly I'll have problems getting to my web server, getting disconnected from SSH sessions.  I go to one of my linux boxes and do an "arping -b 192.168.0.101" and I will get  two responses, one from my firewall and one from the box, as illustrated below.  The only way to correct the issue that I've run into is to reload the firewall, which will then behave properly again until it randomly decides to start answering ARP requests on the other IP again.
 
nwiadmin@vm-test-lx:~$ arping -b if-webdevint4-lxWARNING: interface is ignored: Operation not permittedARPING 192.168.0.101 from 192.168.0.168 eth0Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx]  2.309msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.434msUnicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx]  2.280msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.377msUnicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx]  2.129msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.221msUnicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx]  1.839msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.934msSent 4 probes (4 broadcast(s))Received 8 response(s)
 
Reloaded firewall
 
nwiadmin@vm-test-lx:~$ arping -b if-webdevint4-lxWARNING: interface is ignored: Operation not permittedARPING 192.168.0.101 from 192.168.0.168 eth0Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.839msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.935msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.758msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.733msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  9.568msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.931msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.283msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  1.756msUnicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy]  2.070msSent 9 probes (9 broadcast(s))Received 9 response(s)

View 5 Replies View Related

Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
 
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
 
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?

View 1 Replies View Related

Cisco Firewall :: 1811 / Zone-Based Policy Firewall Configuration

May 16, 2011

I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything.  I had match icmp added to the class-map, but took it out to test if icmp would fail.  It didn't.  Basically, I don't think the firewall is working at all.  Any thoughts on how I can configure this so that the policies will work between zone-pairs?

Here's an quick drawing:

Here are the configurations:

 Local router:
 hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy

[code]....

View 11 Replies View Related

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
 
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.

View 17 Replies View Related

Cisco Firewall :: ASA5512-X - ASDM In Firewall Transparent Mode

Dec 3, 2012

I would like to configure an ASA5512-X in firewall transparent mode, but I am having trouble getting ASDM to lauch when I do.
 
I have created a BVI interface with an IP address, and I hve enabled the mangement interface, but ASDM does not lauch when I enter the IP adress of the BVI I created.
 
Apprently you need to use the bridge-group command to assign an interfce to a bridge group. When I enter this command at the (config-if) prompt for Management 0/0, this command is not recognized.
 
What are the general steps for configuring the management interface to be able to launch ASDM in transparent mode?

View 1 Replies View Related

Cisco Firewall :: ASA5585-X Get One Logical Firewall With Doubled Performance

Dec 19, 2011

I am interesting how ASA 5585-X with SSP-60 operates in dual firewall mode, if I install two SSP-60 modules in chassi, do I get one logical firewall with doubled performance of (SSP-60) ?

View 1 Replies View Related

Cisco Firewall :: Open A Port In ASA 5510 Firewall Using ASDM?

Oct 20, 2012

I would just like to to open UDP port 123 in the ASA 5510 Firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.4 and this port was also allowed in the inbound and outbound rule of the PDC's Firewall but it seems that it was still blocked.

View 23 Replies View Related

Cisco Firewall :: 5505 - Setting Transparent Firewall Ip Address?

Dec 22, 2011

Trying to set up a asa 5505 in transparent firewall mode. I cannot set the management ip address:
 
ciscoasa> enable
Password:
ciscoasa# config term

[Code].....

View 7 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved