Cisco Firewall :: ASA5510 - Common Criteria EAL4 Configuration
Jan 18, 2012
I'm trying to track down the installation and configuration procedures for the common criteria EAL4 evaluated ASA5510 but not having any joy.
The ASA Release 8.3.2 certification report [URL] identifies the required configuration documentation as the "Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform Common Criteria Operational User Guidance and Preparative Procedures", but I cannot find any reference to this on the Cisco web site.
So far I've only been able to locate the procedures for the older 7.0 release. [URL]
How do I locate the correct documentation needed to configure an ASA5510 to achieve the Common Criteria EAL4 evaluated configuration?
View 2 Replies
Mar 14, 2011
I am configuring an ASA5540 firewall for a client, the only difference from usual being that it is to run in Transparent mode. I have looked for an EAL4 transparent firewall config guide but found nothing and therefore assumed that the usual one would be used. The client's security bod has now come back and insisted MAC filtering should be used, but I can find no reference to this anywhere. Is MAC filtering required to make a transparent box EAL4 compliant, and if so, where can I find documentation supporting this?
View 1 Replies
Jun 5, 2013
I am trying to find out if the ASA 5515-X is EAL4 certified, and if not, what recommendations of EAL4 certified devices can I use.
View 5 Replies
Apr 25, 2012
I have 30 IP cameras with private IP addresses: 10.1.1.1 – 10.1.1.30. I have a Cisco ASA 5510 firewall. I want to be able to use one public IP address, for example 50.50.50.50,
with a specific port going to a different internal camera.
Example:
50.50.50.50:3001 should be NATed to camera 10.1.1.1
50.50.50.50:3002 should be NATed to camera 10.1.1.2
[code]....
How do I do this? I know how to create NAT… just not like this.
View 5 Replies
Aug 21, 2011
Is there a document that explains how the configurations are updated to the standby ASA and what needs to be manually added to the ASA? I have two ASA 5510s running ASA ver 8.3(2) and ASDM 6.4(1). When I add static routes to the primary ASA the routes are not sent to the failover ASA. Is this to be expected, or do I have a bug?
View 10 Replies
May 29, 2011
Have a 5510 in Routed mode, simple Static NAT to interface two networks (inside_1 is my private space, and outside_1 the larger intranet that hosts heavy traffic). outside_2 faces internet via pppoe just for VPN purposes.
It was operating fine for one year, then one port broke (outside_2, internet), leaving no VPN. We followed the RMA service replacement and the new unit came with newer software (8.0.4) than the one the original config was created on (8.0.2).
To ease the replacement, I did downgrade the sw boot image. Then I did restore the config by tftp to the startup-config and then a reload. Everything seems to load fine.
Problem is that testing reveals some sort of issue: I can ping some of the intranet hosts but can't reach gateway, thus larger segment of hosts become unreachable. It seems as if the NAT mechanism can't find the next gateway where to hop. For debug practice, I've enabled all the icmp stuff so ping wasn't being blocked by the device.
Given the fact that this config was up and running prior to the replacement, I've no reason to suspect any misconfigured items (i.e. routes, NAT, access-list), but obviously I'm obfuscated and can't see what else I'm missing.
How is it possible that the PING only reaches certain hosts? Pinging 10.15.5.90 works (route is 0.0.0.0 0.0.0.0 to 10.15.5.126 (gw)), but pinging the gateway itself (10.15.5.126) doesn't, and even worse, hosts like 10.15.167.210 do not respond either.
View 2 Replies
Aug 17, 2011
I'm having a cow of a time trying to implement a NAT configuration after having upgraded our ASA5510 recently from IOS 8.2 to 8.4. The upgrade went fine, however we now have a need to add a new NAT rule and I'm not sure whether it's possible.
The upgraded NAT rule and access list works fine at allowing external access to a web server.
However we now need to NAT the SOURCE address (either to a pool or a single address) of incoming HTTP requests before forwarding the request to the server. Hence the server will see all requests as originating from a pool with a route heading back to the ASA. The basic issue is that the server's default gateway does not return to the ASA, so "tagging" the source address of external requests with an address or interface associated with the ASA should allow the server to return the traffic to the ASA. I know we shouldn't be doing it this way, but we can't see any alternative.
Having read a huge number of examples, we can access the server with the above config (or Object NAT), and we can NAT incoming traffic; however, we can't combine the two by having all external HTTP requests source-NATed before forwarding to the server.
View 8 Replies
May 21, 2012
We are replacing our EOL Watchguard X1000 Firewall(s) with a Cisco ASA 5510 unit - ASA Version 8.4(3). Following is the static NAT I have built and the corresponding access list.
nat (FW2Inside,FW2Outside) source static BW_XSP1_Private BW_XSP1_Public destination static BW_XSP1_Private BW_XSP1_Public
access-list FW2Outside_access_in extended permit tcp any object BW_XSP1_Public object-group DM_INLINE_TCP_1
Unable to access the server on the inside interface via the public NAT address. Can you point me in the right direction as to what I might be missing to make this work?
View 1 Replies
Mar 8, 2011
I changed my old firewall for an ASA5510, and since that change my internet connection is slower. Some websites take longer to display. I would like to know if there is some specific configuration about TCP connections or DNS to set up?
I just configured the ISP DNS:
dns server-group DefaultDNS
 name-server 194.2.0.20
 name-server 194.2.0.50
View 4 Replies
Oct 3, 2011
When I try to save the configuration it displays the following error. Is it due to insufficient memory?
MPF-ASA#wr mem
ERROR: % Unrecognized command
MPF-ASA(config)# wr mem
Building configuration...
Cryptochecksum: 81c514b8 9e95ee97 8b512148 b31377a4
[Code]...
View 1 Replies
Aug 15, 2011
I am trying to set up an ASA5510, but without success. Currently I have a Cisco 1800 (192.168.96.1/21) from my ISP connected to a Cisco 3825 (via a port with IP 192.168.96.2) and all is working well. Now I want to insert an ASA firewall between the ISP router and the 3825.
For that, I tried a simpler config:
ISP router (192.168.96.1/21) ---- ASA outside port (192.168.96.2/255.255.255.248) ASA INSIDE port (192.168.100.1/255.255.255.0) --- a PC with IP 192.168.100.2, netmask 255.255.255.0, gateway 192.168.100.1
From my ASA, I can ping 192.168.96.1, but a "ping INSIDE 192.168.96.1" fails.
From my PC, I can ping 192.168.100.1, but not 192.168.96.1.
Here is my ASA config:
ASA Version 7.0(8)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
[code]....
View 1 Replies
Nov 11, 2008
I have always configured and run LDAP Server Groups authenticating to Active Directory Domain Controllers using LDAP, never an issue, until I hit a Domain Controller running on Windows Server 2008. I have been unable to authenticate with the common setting with an ASA5510 running 8.0.1.
View 4 Replies
Sep 29, 2011
I have a wireless network with WLC and WCS and ACS integrated for user authentication. Web login has been enabled on the WLC and authentication of the username is done through ACS.
Q1. For a specific SSID (TEST) a specific username (Tom) is used for authentication, whereas Tom cannot be used for authentication on any other SSID.
Q2. Weblogin page pushed by WLC is https on virtual IP 1.1.1.1 want it to be pushed through http protocol.
View 1 Replies
Oct 16, 2012
I've not found much detail regarding election of a root port other than "The root port is the switch port with the lowest path cost to the root bridge". They also expand on this a bit more for the case below (italics): "When there are two switch ports that have the same path cost to the root bridge and both are the lowest path costs on the switch, the switch needs to determine which switch port is the root port. The switch uses the customizable port priority value, or the lowest port ID if both port priority values are the same". They explain that on S2, F0/1 is the root port because it's lower than F0/2 but don't go beyond this. My understanding is that the following order is true with regards to priority of criteria (in this case); am I right?:
1. Lowest cumulative path cost back to the root bridge
2. In case of tie, the device with lowest Bridge ID
3. In case of tie, the port with the lowest received priority #
4. In case of tie, the port with the lowest local ID #
So, shouldn't this demonstration factor in the BIDs of S3 and S4 before the port priority and IDs of S2? For instance, if the BID of S3 was lower than that of S4, wouldn't F0/2 on S2 become the root port? I'm hoping I'm correct in this? Also I've not actually seen these four bullets in any of my official material for STP, which I thought was a bit odd. I'm wondering if anyone else who has seen this before considered the bridge ID aspect.
View 9 Replies
Jun 6, 2012
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9; from the datasheet I found the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?
View 3 Replies
Jul 9, 2012
how to configure IPsec VPN, but unsuccessfully. At my office there are two uplinks - LAN and Backup, both connected to an ASA5510 (with static IP), and I would like to create an IPsec tunnel to the data center where I have another ASA5510 with one uplink.
View 7 Replies
Apr 19, 2013
I am currently working on my first ASA5510 configuration and am running into some issues. The ASA is running 8.2(5). The network setup is as follows: a Layer 3 switch with 4 VLANs with ip routing enabled. All systems are pointing to the 3560 as their default gateway. ip route 0.0.0.0 0.0.0.0 10.20.100.30 (asa). The ASA is directly connected to the L3 switch on one of the VLANs. The other VLANs are not established on the ASA, but static routes have been created for them on the ASA. I am able to ping the ASA from the switches, etc. I am able to ping the switches from the ASA. When connected with the VPN Client to the ASA, I am unable to reach anything behind it. When at the office, I am unable to reach the internet through the ASA. The following NAT configuration is in place on the ASA:
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
View 1 Replies
Mar 2, 2011
One of our ASA5510s lost VPN site-to-site connectivity (ASA v8.2(2); ASDM v6.2(5)53) to one of our other sites last night. The checkbox for Access Interfaces on the Site-to-Site area in Connection Profiles lost its checkbox for the external interface.
View 1 Replies
Nov 2, 2011
I am facing a problem with my LMS 3.2 server. Suddenly I found there is no device reflecting in Common Services -> Device Management, nor in RME. I restarted the LMS services and the server multiple times, reset casuser, demoted the server from ACS mode to local mode, but no luck. However, in "dcrcli" I can see all devices and exported all devices to a CSV file.
After this I restored from a 3-month-old backup, when devices were reflecting under Common Services and RME device management. This also did not resolve the problem.
I uninstalled LMS, performed a system cleaning and reinstalled LMS 3.2. Then I imported the devices from the CSV file I had. The problem still was not resolved. I can see devices in dcrcli but none of the devices is reflecting under device management of any module.
In Dcmaservice.log I found the error "ERROR,[main],com.cisco.nm.rmeng.config.netshow.server.admin.NSCommandSetManager,getAllCommandSet,8661,Invalid MDF data file:D:/CSCOpx/lib/classpath/com/cisco/nm/cwcs/mdf/mdfdata.xml"
Hence I restored the mdfdata.xml file from another server. However, now I can see the following errors:
1) in Common Services -> Software Center -> Device Update, the device count is 0 for all modules
2) no device is reflecting under any module
3) one bit of progress I saw: when trying to add any device, on selecting the device type it shows me the list of device types along with the OID; before restoring mdfdata.xml this was also not coming.
View 4 Replies
Apr 25, 2012
We have a scheduled office move where we are consolidating 2 remote offices into one. I’ve been asked to spec out the correct size UPS to support all of the network equipment for this new office. I went to the Cisco website and I see on the datasheets for the switches and router where they talk about the wattages and BTU’s, but how can I go about deciphering from that information what my total wattage and BTU will be for each switch and router? What numbers should I be looking at? For instance, we have 3 3750 48-port PoE switches. If I look at the datasheet for that switch they have 4 different columns: one for 100% throughput power consumption, one for 5% throughput, another for 100% throughput at max PoE load and one for 5% throughput with 50% PoE load. Is there a common method for determining UPS requirements? For the switches I'm pretty sure I need to assume max PoE load in the event every port has a phone plugged into it.
View 3 Replies
Jul 12, 2012
How do I find the open UDP ports of my ISP? I want it for internet purposes.
View 3 Replies
Jun 11, 2012
I am able to ping from the switch to the firewall inside IP and the user desktop IP, but unable to ping from the user desktop to the FW inside IP. The config is below for both the switch and the FW (Cisco ASA5510).
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
View 7 Replies
Jun 20, 2011
I use the Edit Identity option to change the "Display Name" from an IP to a station name, but it is overwritten when a discovery has been done. I have checked the discovery settings and tried using the update DCR Display Name setting to prevent this from happening, but it makes no difference. Is there something I am missing? This is on LMS 3.2.
View 2 Replies
Aug 26, 2011
I have installed LMS 3.2 on Server 2008, and when I click on Device Update in Software Center I receive an error which I have inserted down here. I have to mention that I also have installed the Common Services patch.
View 8 Replies
Jun 29, 2011
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one runs just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from the console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both firewalls in the correct order?
View 7 Replies
Oct 2, 2012
I am unable to see the WS-C3750E-24TD-SD OID in Common Services of LMS version 4.0.1. Is this supported in this version, and what do I need in order to get support for this device?
View 1 Replies
Sep 10, 2012
I have an ASA5510 in the office that already has 3 contexts configured, namely admin, user and server. In the server context, the last running config was not saved, and there was a power trip last Friday night. One of the sub-interfaces was affected, and I need to recreate that interface. I am getting the below error; it only allows me to make changes to the pre-defined interfaces. How do I create an extra sub-interface?
View 3 Replies
Jul 21, 2011
I have an ASA5510 and I have a question about the speed the ports can handle; here is one port:
interface Ethernet0/2
 speed 100
 shutdown
 no nameif
 no security-level
 no ip address
It's Ethernet and not FastEthernet, so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
View 2 Replies
Feb 22, 2012
I have a Cisco ASA 5510 Firewall in use in my network, and I am planning to upgrade the Flash memory from 256 MB to 512 MB and the RAM from 256 MB to 1 GB.
View 1 Replies
Nov 15, 2011
I was trying to upload an image to the Sup X4516 V10G from ROMMON using the management port but did not succeed. The steps which I did are mentioned below: [code] I got the TFTP request on the TFTP server, but the switch was showing an access violation.
View 0 Replies
Feb 15, 2013
I have recently installed the ACS 5.2 evaluation on VMware and I can't launch Common Tasks on authorization profiles; when I click on it I get the below message: javascript:cuesToggleTab('NetworkAccess',1,false,false
View 4 Replies
May 23, 2013
I was called in to look at a customer's site that was upgraded by another vendor. They were complaining about packet loss and performance issues. I discovered they had changed from static routing and turned on EIGRP (100), and the EIGRP neighbors are not on a common subnet; they used secondary IP addressing to connect two 4506 switches to the core router. Correct me if I'm wrong, but won't this cause the neighbors to bounce and cause the degraded network performance? Don't we need to have a single common subnet for this to work? Either that or they have bridged the VLANs somehow? There is also a cable connecting the 4506 switches besides the uplink to the core router.
4506#1
May 17 21:28:55.443: EIGRP-IPv4(100): Neighbor 192.168.120.1 not on common subnet for Vlan1
May 17 21:29:05.848: EIGRP-IPv4(100): Neighbor 10.102.10.10 not on common subnet for Vlan20
May 17 21:29:17.327: EIGRP-IPv4(100): Neighbor 206.78.xxx.xx not on common subnet for Vlan20
May 17 21:29:48.291: EIGRP-IPv4(100): Neighbor 206.78.xxx.x not on common subnet for Vlan30
[code]....
View 10 Replies
May 2, 2012
I have recently tried to change the CatOS on a Catalyst 2948G-L3 and since then I have the following message in a loop: [code] I know that the solution would be to download a new valid image from TFTP via the common prompt, but what I don't understand is why I can't access the ROMMON prompt.
View 5 Replies