I am support one client for, whom falls under Security scans mandatory for new implementation of ASA 5520 device. The client uses Nessus Scan and the test results are attached.The Nessus scanner hit on 1 Medium vulnerabilities.
View 2 Replies
I've been reading over the documentation, but only see instructions for using a self-signed certificate for SSL. Or even trusted certificates between LMSes. But I can't seem to find anything on LMS 4.0 using a Certificate Authority. And I have a security requirement to do so.
Is this possible in LMS 4.0?
What are the limitations on the max number of concurrent HTTPS connections when using Auth Proxy for HTTPS traffic on a Cisco ASA 5520.
1) What is the max number of concurrent Authentications that the ASA can perform (HTTPS)?
2) Once Authenticated. What is the max number of concurrent HTTPS Authenticated connections to the back end HTTPS server.
Can I import a self signed certificate from a Cisco 871 router to a Cisco ASA 5505? The 5505 replaced the 871 and I have a VPN that goes to another company that we have a connect to. The device on the other end is a VPN concentrator ( I do not have access to modify this device without going through multiple channels.) I only need to mimic this device for the site to site VPN tunnel only. It appears that there are no pre-shared keys only a self signed certificate.
View 1 Replies View RelatedOur ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.We have exported it to have a Trusted Certificate for client machine.
This certificat has been installed on a laptop.The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)I have this error in the log:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain.I think the Access Policies (identity & authorization) are misconfigured: [code]
I have just renewed the self signed certificate on a v5.2 ACS and expiry date of 2013 is showing in the ACS GUI. However, when I start an ACS Admin session and view the certificate information in the browser it is showing the old expiry date of 2010. I have tried this in IE and Firefox and the certificate information is the same.
Is there a way I can get the browser to pick the new certificate ?
I have two Cisco WLC 5508 controllers that I'm trying to set-up for our new corporate WLAN. I've gone through most of the configuration fine but have ran into an issue uploading a signed certificate to one of my controllers. I should point out that I have managed to upload the certificate successfully to one of the controllers, I just can't seem to upload it to the second.The issue is as follows:
- I've logged into the controller, gone to Security -> Web Auth -> Certificate -> Download Certificate
- I've specified my tftp server details and selected apply
- the process begins and I can see through my tftp client that the controller is attempting to copy and install the certificate
- The controller tries to install the certificate but fails, reporting the same
I have a doubt about CiscoWorks. I need to generate the self-signed certificate with a key of 2048 bits to generate a CA with VeriSign. CiscoWorks do this automatically with a key of 1024 bits and I do not find a form to elect a a diferent key. Is it possible to generate a certificate with 2048 bits key?
Another problem is that I have CiscoWorks installed on Solaris. Many times at day the web application does not work and the only way to recuperate it is with the command "init 6" and I have to way 15 minutes until I can have access again. Why is produced this error? Who can I fit it?
how to create new unique self-signed certificate on RV120W? I can create request for singning by external CA, but I cannot create new unique self-signed certificate itself.
View 2 Replies View RelatedRight now the Self-signed Certificate on my RV180W generates errors as it was issued to the MAC address instead of the current IP address. Need instructions on Generating a Self-Signed certificate (or 1 from my Windows Server 2012 Certification Authority) that will eliminate the constant barreage of certificate errors I get when trying to access the management interface of my device? the internal domain is mythos.local, netbios name of MYTHOS, and the device name in question is surtur.
View 2 Replies View RelatedThe establishment of IPSEC tunnel between the RV220 and QuickVPN client works properly with the security certificate of origin of the router.RV220 V1.0.3.5QuickVPN V1.4.2.1
Since the establishment of a security certificate self-signed, the RV220 and QuickVPN client refuses to work together .
Here are the log of the QuickVPN client
2011/09/27 12:45:14 [STATUS]OS Version: Windows 7
2011/09/27 12:45:14 [STATUS]Windows Firewall Domain Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
[code].....
I have configured SSLVPN on a asa5520 with aaa and certificate authentication.Both authentication works fine,but I find the client users can use any others' certificate to authentication,I want to binding the aaa account to user's certificate.everyone must use their own certificate.
View 1 Replies View RelatedI would like to ask whether SHA1 signature algorithm is available for FWSM. We use FWSM code version 3.2(22) in our production network where only MD5 signature algorithm is available. There is a need to upgrade to stronger algorithm SHA1. From my experience I know that this is possible on ASA firewalls running on 8.4. codes. Certificates generated on code 8.4. automatically use SHA1 with RSA Encryption.
Is it possible to have Signature algorithm SHA1 on FWSM? If so, in which code version?
hba-pf-a# sh crypto ca cert
Certificate
Status: Available
Certificate Serial Number: caf44050
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
[Code] .....
we currently have a remote access asa setup using Anyconnect with self signed certificate, and several users in the certificate database as we are using radius and certificate for authentication.
I want to purchase and obtain a trusted CA signed certificate (such as Verisign) and replace the current self signed cert.
My question is will I have to reset the current CA server of the ASA and replace the certificate user database? ie start from scratch.
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
I am running Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.4(1). This will be used as a VPN gateway. I am having troubles installing our cert. I can install the cert, but it never connects witht he correct key. It references trustpoint0 when it is trustpoint1. I deleted all trustpoints and it still happens. That.vpngw4# sh run | begin rustcrypto ca trustpoint ASDM_TrustPoint0crl configurecrypto ca trustpoint ASDM_TrustPoint1keypair ASDM_TrustPoint0crl configurecrypto ca certificate chain ASDM_TrustPoint1certificate 0f8e62 308203d5.8c quitI deleted both trust points and when I do a sh run both are gone, but when I then import the cert (via ASDM) it creates trustpoint0 again.
View 3 Replies View RelatedI am trying to setup a remote-access vpn (client device is an iphone or PC) on asa 8.0 with a transform-set without encryption and without hashing ( crypto ipsec transform-set noenc esp-null esp-none ). In this scenario, it does not work and all gives me "phase 2 mismatch" ...below is the debug of isakmp and ipsec.
i tried to change the transform set by using hashing without encryption (crypto ipsec transform-set myset esp-null esp-sha-hmac). it worked on the PC but not the iphone. my target is for the iphone to work.
ciscoasa# sh cryciscoasa# sh crypto isa sa
There are no isakmp sasciscoasa# ter monciscoasa# May 29 23:33:44 [IKEv1]: IP = 91.232.100.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 741May 29 23:33:44 [IKEv1 DEBUG]: IP = 91.232.100.3, processing SA payloadMay 29 23:33:44 [IKEv1 DEBUG]: IP = 91.232.100.3, processing ke payloadMay 29 23:33:44 [IKEv1 DEBUG]: IP = 91.232.100.3, processing ISA_KE payloadMay 29 23:33:44 [IKEv1 DEBUG]: IP = 91.232.100.3, processing nonce payloadMay 29 23:33:44 [IKEv1 DEBUG]: IP = 91.232.100.3, processing ID payloadMay 29 23:33:44 [IKEv1
[code]....
how to perform Linear Hashing in databases on given values?
View 2 Replies View RelatedI have a cisco asa 5505 firewall. Is it possible to block secure websites in it like [URL]? I have already tried regular expression filtering but it filters only http traffic.
View 4 Replies View RelatedDue to network security audit we are interesded in encryption algorithm used for authentication of administrator and operators in Starent Networks ST40 Intelligent Mobile Gateway. To be more clearly, we need to know what type of hash is used for password storing when "showsecrets" command is omitted.
View 2 Replies View Relatedwe use LMS 4.2.2 to manage our Cisco devices. At the moment all devices are managed with snmpv2. I´ve picked one Catalyst 2960-24TT-L Version 12.2(25)SEE3 and configured snmpv3
Here´s the output of show snmp user:
User name: ciscoworks
Engine ID: 8000000903000022BD29EF40
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: LMS
Now, in LMS under Admin->Network->Device Credentials Settings-> i created a new credential set "snmpv3" with the correct user/password and following settings: AuthPriv (enabled) Auth Algorithm MD5 Privacy Algorithm DES (because the 2960 12.2(25)SEE3 doesn´t support any other alorithm).
I´ve edited the credentials and assigned the new set to that device. Now to test the snmpv3 credentials i´ve started an Device credential verification job an chose snmpv3 only. But every time the job failes with the error
Wrong Privacy Algorithm.
if there is a wireless adhoc network and i want to provide the security to the data which i want to transmitt over this network but i dont want to encrypt the whole data but to apply encryption in a part of data which conatins the important information.
View 1 Replies View RelatedWith regarding to the firewall ASA5520, i'm using it in my network, all the confiuration are properly configured and working but with the use of proxy address in internet explorer(e.:206.53.155.129/3128) all the blocked contents as easily accessible simply it bypass all the network through firewall.so will u guide me to block the proxy servers.
View 1 Replies View RelatedThere is ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA).When user certificate expires i can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
I have two asa 5520 firewalls. one at my primary data center connected to our production Internet feed, and one at my fail over data center connected to a backup internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our isp that will move our public facing address block from our primary site to our dr site in the event of a disaster so the ip addresses will not change if we were to have to fail over to the DR site. currently i just have to do any changes that i make on the fail over server but would like a way to at least simi-automat this if not fully automat this so that i can eliminate the possibility of human error of a change happening at primary but never getting don at DR.
View 1 Replies View RelatedOne of our customers has an ASA5510 with CSC SSM-10 security module. The software version of the module is 6.6.1125.0.Is it possible to do https filtering with this module ? The customer is complaining that this is not possible...from Cisco I've read the following:
• HTTPS Filtering
– Able to allow or block HTTPS traffic.
– Supports group-based and user-based HTTPS policies.
– Includes URL blocking/URL exception list support for HTTPS domains.
I am running a Cisco ASA 5510 with Trend Micro Interscan. We have it set up to filter https except for a handful of sites. It is filtering the ones we don't want ie: facebook, and youtube. Though it is causing all other https to slow to a crawl. Therefore some sites it times out on us. What should we be looking for to change so it isn't slowing the allowed sites down?
Version numbers
ASA - 8.4(3)
ASDM - 6.4(3)
Trend - 6.6.1125
I'm trying to access my ASA 5505 by https://192.168.1.1 but I can't. I'm using Windows 7. I already have installed ASDM and I can enter in the box by ASDM. I am preparing to reformat my PC and I'm afraid that I won't be able to access my ASA if I do.
The Mozilla show the message: An error occurred during a connection to 192.168.1.1.Cannot communicate securely with peer: no common encryption algorithm(s).(Error code: ssl_error_no_cypher_overlap)
Will there be some pause in traffic on formed ether channel interfaces (4500E switch), when i will change the default ether channel load balancing method to src-dst-port (or any other non-default method)?
View 1 Replies View Relatedi am working on ISE 1.1.1, surprisingly i couldn't found certificate authority certifiate at certificate operation anymore.
would it be the change on GUI? So now where i can import the CA certificate to ISE?
Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been ask to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? how to accomplish the redirect for a single site. 8.2.4 is current code
View 4 Replies View RelatedI am setting up an ASA 5550 8.4 and asdm 6.4. Last thing I am missing is to get the static nat rule done for https. Done it with asdm and cli and always end up with "error: nat unable to reserve the port". Looked around the Net so far and changed the http enable port to 4433. ASDM access is only configured for inside and mgmt port. Disabled under RA VPN all checkboxes in clientless ssl and any connection profiles since IKEv1 is used for vpn access.
View 2 Replies View RelatedRunning ASA 5510 with code 8.3 in it.We have our few https portal and OWA websites in HO.We access these sites from the network behind the ASA.All works perfectly fine.
In order to have control on internal network traffic we placed a web-filtering device (Fortigate) in transparent mode.To start with of we haven't blocked anything via new box but https portal and OWA stopped working from certain computers.At the same time other https sites were reachable from the same computer/s.We checked that website was tracable using traceroute from ASA,Fortigate and even from interal computer(from the one which it is not opening).This behaviour is random.
