Cisco Firewall :: ASA5510 Credentials Are Invalid
Jan 4, 2012
I am setting up a new ASA. Actually it's an old 5510, but this is a new temporary install until the one we ordered comes in. Everything is working except for SSH. I have SSH open on the inside and outside interfaces and I get a prompt when I try to SSH to it from either the inside or outside. But after I put in my username and password it tells me that my credentials are invalid. I am using a local username/password, not AAA and it accepts that username and password for the console. Console and telnet (password only) both work so I can get in to make changes. When I debug SSH, the error states that my username and password are incorrect. But this happens even when I create a new, simple username/password to test. I've even gone so far as to copy/paste the username and password into the login window just to be safe (making sure I don't copy spaces, etc). Below is a copy of the SSH Debug output followed by a sanitized copy of the config. I have AAA configured for remote VPN users, but not for access to the ASA. Also, this problem existed before I created the AAA settings for the VPN users. Also, I have zeroized and regenerated the RSA keys a couple of times to no avail. [code]
Feb 20, 2012
How to upgrade from LMS 3.0 December 2007 update to LMS 3.1 or LMS 3.2. The problem is the large number of C2960S-24TS-L switches that my organization has and cannot manage. I tried to upgrade devices through Software Center but CiscoWorks always informs me with the following message: "Error while downloading package information from [URL] for the selected products. See the log file for details". Also I cannot run the EOL/EOS inventory report. The message is "INVREP0102: Cisco.com user credentials are invalid. Enter correct credentials." I checked my credentials and they are right. The server has access to www through a proxy without any restrictions. In the past I've already updated devices through the Software Center. Also in the past I've run EOS/EOL inventory reports. The LMS 3.0 December 2007 has the following products:
LMS 3.0.1, 16 May 2008
1. CiscoWorks Common Services 3.1.1, 02 Jul 2009, 07:44:58 EEST
2. Campus Manager 5.0.5, 11 Oct 2009, 07:36:10 EEST
3. CiscoView 6.1.7, 02 Jul 2009, 07:45:05 EEST
4. CiscoWorks Assistant 1.0.1, 02 Jul 2009, 07:45:05 EEST
5. Device Fault Manager 3.0.5, 12 Jun 2010, 07:31:48 EEST
6. Internetwork Performance Monitor 4.0.1, 02 Jul 2009, 07:45:11 EEST
7. Integration Utility 1.7.1, 02 Jul 2009, 07:45:14 EEST
8. LMS Portal 1.0.1, 02 Jul 2009, 07:45:16 EEST
9. Resource Manager Essentials 4.1.1, 02 Jul 2009, 07:45:17 EEST
Nov 7, 2012
I'm having some trouble pushing CLI templates to controllers in my lab. I get an invalid credentials error but it is random. Sometimes I can push the template fine but 30 seconds later if I push the same template it will fail with the error. Several minutes later I try it again and it fails. I have verified the credentials by reconfiguring them consistently across the devices, but if the credentials were actually wrong it should fail every time, not intermittently. There are also 2 controllers I am testing this against and it is also random which controller fails. In the instances where I don't get the credential error my CLI template fully executes without error.
I am using WCS 7.0.230.0 on WIN2K and two 4400 controllers running 7.0.230.0. Both controllers are configured with SNMPv3 and SSH. Telnet and lower versions of SNMP are disabled.
Dec 27, 2011
ASA5510, ASA 8.0(4), ASDM 6.1(5), this is a production ASA with plenty of lookups working through its 3 interfaces - outside, inside, dmz. The problem is a new use. I've segmented a switch on the inside network with a VLAN, and have a workstation routing through the switch to the default VLAN where all other hosts on the inside network reside so far. The ASA inside interface is the default gateway for the inside network. My test workstation can PING inside hosts, so the static route is OK.
ASA 10.1.1.2/16 DNS Server 10.1.5.1/16
| |
------------------------------------------------------------------
|
Switch 10.1.8.20/16
[code]....
But lookups fail. Wireshark says the test workstation sends, the DNS server receives and responds, but the test workstation never receives. I used the Packet Tracer tool; it gets to the last step saying OK, then finally "inspect-dns-invalid-pak". I can't find any more there to tell just what is invalid about it. So I'm trying to figure out global inspection. Here's an extract from the config:
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
[code]....
Nov 13, 2011
What I want to do is simple. Being able for any member of Administrators group to authenticate on our ASA5510 based on the AD credentials.
What is correct CISCO procedure for that?
Jun 6, 2012
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found that the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?
May 8, 2012
I have an ASA 5510 with a CSC-SSM-10. ASA 5510 IOS version 8.4.2 and CSC-SSM-10 IOS version 6.6.1162. Web filtering is working fine with respect to my configuration. Since yesterday morning, I have been facing an issue with sites like gmail and webmail. After giving credentials like username and password in the web page, the page is not responding. In the troubleshooting process, I removed all the ACLs and class maps which direct all the traffic towards the CSC. In this scenario all my mail service sites are opening. If we apply these ACLs and class-maps, only my mail service sites are affected.
Mar 16, 2011
I've just got my hands on a Cisco PIX 515. I mainly bought it to learn and play with; I've done some Cisco stuff in the past but not much.
I just need to get this up and running with an IP address on ethernet1 (192.168.1.254), but when I run the command "name if ethernet1 inside security100" in enable mode all I keep getting is ERROR % Invalid input detected at '' marker
Nov 3, 2012
Two 5520 firewalls are configured with failover and SSH. The first remote SSH login succeeds with the username and password; on logging in again, it prompts that the username and password are invalid. What is the reason?
Jul 9, 2012
Tried setting up a Shape Policy and it states it's invalid. Worked fine on my 5520, just curious to know why it's coming as invalid now
ciscoasa(config-pmap-c)# shape
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# shape ?
ERROR: % Unrecognized command
Apr 15, 2012
Whenever I use the following command I get an invalid input error
ciscoasa#conf t
ciscoasa (config) # crypto isakmp enable outside
ciscoasa (config) #object network net-local
ciscoasa (config-network) # subnet 192.168.101.0 255.255.255.0
^
I have reset the firewall (cisco 5505) to factory default. The marker ^ is under the subnet
Apr 28, 2011
Getting this message, having low performance and overrun errors: Apr 29 13:45:59 pix-servidores %PIX-4-500004: Invalid transport field for protocol=TCP, from 188.120.243.238/80 to 174.56.110.0/0
Jan 29, 2013
I have an ASA 5520 which is intended to be used as a VPN for clients using a PDA. I think the PDA is a very old product whose VPN only supports CHAP/MS-CHAP, but it seems it cannot connect to the VPN; it prompts "invalid username and password" (but in fact the username and password are valid when using PAP). Below is the log I captured from the ASDM when the PDA is connecting to the VPN. When I tried to connect from a Windows PC, I also had the same issue if the VPN setting is using MS-CHAP; if I choose PAP, it can connect with no problem. But the PDA has no option of PAP. [code]
Jul 7, 2011
I have connected an ASA 5505 to an ADSL router that is able to assign the IP address and the also the DNS servers for the ISP for the outside interface. The ASA is loaded up with IOS "asa842-k8.bin"
I am using vpnclient with a hostname as opposed to an IP address to connect to a headend remote server. If I hardcode the DNS servers' IPs in the "dns server-group DefaultDNS" I am able to resolve the hostname. If I then remove the IPs from the group and rely on the DHCP to assign them, when I try to resolve the name I have an error at the console "ERROR: % Invalid Hostname"
Jun 11, 2012
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
Jun 29, 2011
I have two ASA5510s set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one runs just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
Sep 10, 2012
I have an ASA5510 in the office that is already configured with 3 contexts, namely admin, user, server. In the server context, the last running config was not saved, and there was a power trip last Friday night. One of the sub interfaces was affected, and I need to recreate that interface. I am getting the below error; it only allows me to make changes to the pre-defined interfaces. How do I create an extra sub interface?
Jul 21, 2011
I have an ASA5510 and I have a question about the speed the ports can handle. Here is one port:
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
Feb 22, 2012
I have a Cisco ASA 5510 firewall in use in my network. I am planning to upgrade the flash memory from 256 MB to 512 MB and the RAM from 256 MB to 1 GB.
Jun 20, 2011
I need to edit device information for multiple devices using feature Edit Credentials. I'm not able to overwrite all device credentials using a new set.
Jun 20, 2011
I recently tried to deploy an ACS appliance with version 5.2 installed on it for a customer.
After setting up the WLC to use the ACS as a radius server, and successfully testing connection from the ACS to the AD, I get an error message " 12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate" anytime a client tries to connect to the network.
This is surprising because I had already generated a certificate for the ACS from a CA and bound the CA-signed certificate to the ACS. I also specified the CA in the client machine's wireless properties and checked the "validate certificate" button.
When I tried to connect using the internal identity store, the client was successfully authenticated without any certificate issues.
May 4, 2012
I have a Cisco ASA 5510 with a Security Plus license in a live environment. I need to add a secondary firewall. I was planning to do it in active/standby mode for failover. But I have a doubt: when I do "show version" on the live ASA, the output says Active/Active failover. Does this mean that I can only configure failover in active/active mode, not in active/standby (which I want to do)?
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5505 Security Plus license...
Feb 12, 2012
I am using a Cisco ASA5510 firewall in my network in the distribution layer. A private range of network addresses is used in the network, with PAT at the FW for address translation. I am presently encountering an issue: the users behind the FW in my network are unable to RDP on port 2000 presented at the client network. They are able to Telnet on port 2000 but not RDP. Are any changes needed at the FW end to get the RDP access?
Jan 3, 2012
I have a problem when doing this report. If I do a device credentials report on a user-defined group (40 devices), 11 of these devices fail to connect via SSH. I can make an SSH connection to all 11 devices from the CiscoWorks server, but the 11 devices still fail on the report.
Device Name Read Community Read Write Community SSH
1. 149.212.XXX.164 Ok Ok Failed to connect.
2. 149.212.XXX.153 Ok Ok Failed to connect.
3. 149.212.XXX.152 Ok Ok Failed to connect.
4. 149.212.XXX.151 Ok Ok Failed to connect.
5. 149.212.XXX.150 Ok Ok Failed to connect.
[code]....
Sep 7, 2011
I am trying to copy a setup from a Nortel IAX100 where the carrier provides two ATM PVC's over ADSL - one for voice (VoIP) and one for data (IP). Relevant lines from the backup of the IAX's configuration include the following for the PPP authentication over the voice circuit:
<wan_8_32>
<entry1 vccId="1" conId="1" name="Voice" protocol="PPPOE" encap="LLC" firewall="enable" nat="enable" igmp="disable" vlanId="-1" service="enable" instanceId="1509949441"/>
</wan_8_32>
<pppsrv_8_32>
<ppp_conId1 userName="" password="" serviceName="" idleTimeout="0" ipExt="disable" auth="auto" useStaticIpAddr="0" localIpAddr="255.255.255.255" />
</pppsrv_8_32>
The null username and password for the PPP connection have me a bit stumped. Does the PPP connection not use any authentication at all? (Is that possible/likely? How could I debug it?) Or does the IAX100 supply a CHAP/PAP response with null credentials? (If so, how would I duplicate that using an instruction to a dialer interface?) I am configuring an 877 with 12.4T and advanced IP services.
Dec 18, 2011
I have 2 Cisco 1141 aironets access points.
I've followed this tutorial: [URL]
I have an Ubuntu server running free radius authenticating against an LDAP server. Now I'm able to log into the AP via ssh with my LDAP credentials.
What I can't figure out is how do I setup the AP so when people connect to the AP's wireless they are prompted to use their LDAP credentials.
Aug 31, 2011
We have a building with 6 Cisco Aironet 1140 connected to a Cisco 2100 WLC, all tied into a nice Central Certificate server and a Win2008 NPS/Radius server on a Win2008 AD. Our trusted PC wireless access is fine, with domain laptops with certificates authenticating with DHCP all round the building. We use GP to apply settings to an AD integrated Proxy server for internet access.
The problem I now have is with guest access...
We are an education establishment, so students could turn up with anything from a laptop to an iPad to an Android phone, which immediately rules out using proxy PAC files to configure the proxy.
What I really want is a method of using the radius to verify the guest user against their existing AD user account, which I believe is possible. The one snag we have is in order to avoid the user having to configure the Internet proxy we would have to switch it to a transparent mode, which immediately restricts our ability to report on AD username, we would only have an IP address to report on, which is next to useless!
We've looked at a Gateway product (Astaro), which integrates the Filtering onto the Gateway, but the downside is that you have to use their APs, so we would be replicating existing work, whilst also managing two filters.
Aug 28, 2012
I'm trying to configure WLAN authentication on my WCS to prompt users for their credentials. I'm using a Windows 2008 NPS as the Radius server but I can also use a Cisco ACS 3.3 if needed. With each setup I tried, the credentials are sent automatically to the Radius server using the Windows user session credentials. How can I force the WCS to ask for a username and password before sending them to the Radius server?
Jul 4, 2011
To enable our receptionists to print a guest user ticket on a small A8 ticket printer I'm looking for a way to adjust the layout and formatting of the guest account credentials page.
I have searched through the javascript and css files but with no success.
We are using WCS 7.0.172.0
May 7, 2012
I have been reading article url....wp1430161 and I am trying to get my head around the type of port authentication Methods & Modes I am going to require for a Proof of Concept using a Cisco ISE as the Authentication Server.
The switchport will have a single IP Phone in a Voice VLAN and then a Single host in a Data VLAN. Reading this article, I think I should be configuring "802.1x" authentication method using "Single Host" Mode.
However, will that support a Downloadable ACL dependent on the user credentials? And will it allow a restricted ACL to be downloaded if authentication of the Machine or the User fails? I don't really want to create and manage Guest and Remediation VLANs with their respective ACLs on every switch in my enterprise, including our remote branch offices.
Feb 19, 2013
user can't login into domain with right credentials in active directory
Mar 14, 2011
We have to use scp on all of our network devices. It worked quite well on our routers and switches but I can't seem to get it to work for the firewalls and IPS. I enabled scp on my ASA5510 using the command "ssh scopy enable". I also ensured that an RSA key was generated and that ssh ver 2 was enabled. But I can't seem to locate the commands to actually have my firewall either copy its configuration to a server or reach out to a server to pull down a file. We are using IOS 8.2(1).
Mar 22, 2011
I have a customer who wants to prioritize RDP traffic through the firewall. I know that it's port 3389, but outgoing traffic is a random port number. Any smart way to catch this traffic and get it in the LLQ?