Cisco Firewall :: ASA5540 - Disabling Anti-Replay For Specific Tunnel

Sep 23, 2012

We need Solution for disabling Anti-Replay on the Firewall for a specific tunnel. ASA 8.4(2) ) does not support disabling Anti-Replay on specific Ipsec tunnel , is it true , then if we want to disable Anti-replay , what we have  to do in ASA5540 .

View 4 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5510 Anti-replay Window For VPN?

Aug 11, 2011

tell me the command to view current anti-reply window size in ASA 5510?

View 7 Replies View Related

Cisco VPN :: ASA 5520 / Define Specific IKE Proposal For Specific L2L Tunnel?

May 24, 2011

ASA 5520 running 8.0.4
ASDM v.6.1
 
Need assistance understanding how in ASDM/Configuration/Site-to-Site VPN/Connection Profiles/ "Any Entry" I can specify that I only want to offer an IKE Proposal of pre-share-aes-256-sha?
 
The IKE Proposal field has a number of possible options including: pre-share-aes-256-md5, pre-share-3des-md5, pre-share-aes-256-sha, pre-share-aes-192-sha, pre-share-3des-md5, pre-share-aes-sha and pre-share-3des-sha.
 
I am able to pick a specific IPSec Proposal w/o issue but when I attempt to do the same for the IKE Proposal, and click OK the choice does not "stick" but rather returns to the entire list as defined above.

View 2 Replies View Related

Cisco VPN :: ASA5540 / Disable IPSec VPN Tunnel

Mar 29, 2011

I have running more the 30 VPN tunnels on my ASA5540 release 8.3(x).I want to disable one VPN tunnel(temporarily) without removing the configuration either Phase 1 or Phase 2.let me to know the command to disable IPSec VPN tunnel on CLI or ASDM.

View 1 Replies View Related

Cisco VPN :: ASA5540 Any Command To Check Tunnel Up-time

Mar 17, 2011

I am using cisco ASA 5540, Is there any command to check the tunnel uptime?

View 2 Replies View Related

Cisco Routers :: 527W Unable To Route Traffic Via APN Backup Without Disabling VPN Tunnel

Oct 9, 2012

I have a Cisco 527w which we are wanting to deploy to our remote sites however i've found a bug. We use ADSL with an IPsec tunnel as primary and 3G APN for failover . When the ADSL goes down the route via the IPSec tunnel remains and i am unable to route the traffic via the APN backup without disabling the VPN tunnel .

View 0 Replies View Related

Cisco Firewall :: To Enable Anti Spoofing ASA 5505

Apr 24, 2011

What is Anti Spoofing in ASA 5505. Can I enable it on ASA 5505. If yes , port will be inside or Outside. ? or both ?

View 1 Replies View Related

Cisco Firewall :: How To Configure ASA 5510 CSC Anti X Edition

Dec 13, 2011

how to configure ASA 5510 anti X edition ? Can I have a link explaining the configuration step by step ?

View 2 Replies View Related

Cisco Firewall :: IS There Any Drawback To Enable Anti-spoofing In All PIX 535

May 30, 2011

We are runing PIX 535 with software version 8.02. In ASDM,  I see  anti-spoofing is diable in all interfaces. If I enable it, is there any negative effect? Can I enable it in DMZ, inside, and outside interfaces?

View 2 Replies View Related

Cisco Firewall :: PIX 525 Anti-Spoofing Attack Protection

Mar 19, 2011

I have multiple questions about the PIX 525 software version 8.0(2) ASDM 6.0 (2)I am a windows network admin that is new to Cisco and routing in general. I have read through the forums and the Cisco documentation, but have not been able to fully understand the topics discussed within.

1. Anti-Spoofing Attack Protection
2. Scanning Threat Detection - Auto Shun
3. NTP Sync Verification
4. QoS implementation5. IOS and ASDM Backup
 
This option is currently DISSABLED for all interfaces.I know what ip address spoofing is, but what is the functionality of these options specifically? How does it work and should I enable it and for which interfaces? Second Question: Scanning Threat Detection - Auto Shun
 
I found this option in ASDM under: Configuration --> Firewall --> Threat Detection.Enable Basic Threat Detection and Enable Scanning Threat Detection are both currently ENABLED, but Shun Hosts detected by scanning threat is currently DISABLED. Also, the Networks Excluded from Shun field is empty. I know what the shun command does. I have used it many times when I have been fortunate enough to catch some piece of **** trying to spam my mail server or gain access to it.
 
What I am asking specifically is how does the Auto Shun work? Should I enable it and what are the potential consequences? Also, what exactly is a scanning attack?
 
I am not familiar enough with the PIX and with the topics discussed in the document to successfully apply the info within. Plus, I'm not sure it covers the kind of basic, all-inclusive bandwith cap I would like to put in place.
 
The goal is to cap the maximum internet (outside) bandwidth that inside5 can use to a reasonable percentage while allowing the other interfaces to have the remainder.

How would I go about this implementation? 2. Is there a way to allow inside1 - inside4 to use max bandwidth when there is no traffic on inside5?
 
I am probably, at least, the third owner of this device and I do not have an account with Cisco nor can my tiny (perhaps non-exsistant given the current economic state) IT budget afford any form of support or software licensing with them.My goal is to backup the IOS and ASDM data in the event that I have to replace the device due to a hardware failure.
 
I found a file transfer function within ASDM which allowed my to copy the files pix802.bin, asdm-602.bin and tfp from flash to my desktop computer. I also have a copy of the activation key info and my current configuration.
 
1. Have I backed up all the data/info I would need to restore this software and ASDM to another unit.
2. The activation key screen also has a serial number field. Is this the hardware serial number or is it for the software? and is it tied to this device specifically or can I use it to restore another unit if necessary?
3. Is there anything else I should do or be aware of regarding backup and restore for the PIX?
4. What is the tfp file?

View 1 Replies View Related

Cisco VPN :: 1921 - Specific Way To Bring Up Tunnel?

Aug 2, 2011

I am trying to configure an IPSEC tunnel on a 1921 router.  What I hope to accomplish is that using a IP SLA that the IPSEC tunnel will only be brought up  IF the normal WAN connection is not responding.  My thoughts were to route the traffic that needed to come back to corporate through a loopback interface but I havent found a way to do that.

View 1 Replies View Related

ASA5505 - Tunnel A Specific Traffic Via VPN

May 20, 2012

I have a number of sites in China, they have decent inter-country connectivity but poor connectivity when going overseas.

We have a single site in China witha dedicated 1:1 leased line that has good conectivity both inside and outside of China.

All the sites in China have ASA5505 firewalls

One of our Citrix farms is hosted in the UK and although the main site with the leased line is fine accessing the farm the other sites are not. I would like to try and tunnel just the citrix connectivity via a VPN to the China head office then use their connection to get out to the farm.

how to tunnel all traffic but not just specific traffic over the VPN.

View 3 Replies View Related

Cisco Firewall :: ASA5540 - EAL4 Transparent Firewall Config

Mar 14, 2011

I am configuring an ASA5540 firewall for a client, only difference to usual being that it is to run in Transparent mode. I have looked through for an EAL4 transparent firewall config guide but found nothing and therefore assumed that the usual one would be used.The clients security bod has now come back and insisted MAC filtering should be used but I can find no reference of this anywhere. Does MAC filtering is required to make a transparent box EAL4 compliant and if so where I can find documentation supporting this?

View 1 Replies View Related

Cisco VPN :: Specific Tunnel-group With User On ASA 5510?

May 13, 2011

I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
 
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
 
and i have user around 20 user and i want to specific user to tunnel-groups like this
 
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
 
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
 
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
 
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01  password DDD01
 
So, How can i manag tunel-groups with user?

View 3 Replies View Related

Cisco VPN :: 5510 - IPsec Tunnel Going Down At Specific Times

Dec 5, 2011

i have a Ipsec tunnel between a ASA 5510 (Uk) & a router (France) that seems to be going down a specific times during the day. I have attached the sys log as well.
 
I cannot seem to copy & paste the config onto here for some reason so i have attched the configs, Ipsec details & syslog details from the asa.

View 3 Replies View Related

Cisco Firewall :: VPN Between ASA5540 And Router

Sep 10, 2008

I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.

View 28 Replies View Related

Linux - Split Tunnel Routing Specific Port Over OpenVPN On Ubuntu Server 12.04

Jun 10, 2013

(Setup routing and iptables for new VPN connection to redirect **only** ports 80 and 443) Only my goal is a bit different. I am running a headless gui-less install of Ubuntu Server 12.04 that is being used for a variety of different purposes... I would like all traffic to travel un-prohibited through my ISP except for my transmission traffic. I have a VPN i subscribe to that allows me access for which I only want to direct a single port's traffic to. I am currently using a modified version of the code from the above link. My current code is below:

#!/bin/sh
sleep 200
DEV1=eth0

[Code].....

View 1 Replies View Related

Cisco Firewall :: 5555 ASA Disabling Proxy ARP

May 19, 2013

We just recently upgraded a 5540 ASA running 8.2 to a 5555 running 8.6.  I have a question concerning disabling proxy ARP with static nat rules in place.  We have several instance where devices in a dmz have a static nat entry to the outside and a static nat entry to the inside using the same IP.  My question is if we disable proxy arp on the inside interface would that cause device on the inside not to be able to reach the device in the dmz? From what I have seen you don't want to disable it on the outside interface due to all the static nat translations.  But we have some that are have nat translation going to the inside as well.  How does proxy arp come into play there?  Below is a diagram of an example of the setup I a referring to.  This is on the new 5555 running 8.6

View 1 Replies View Related

Cisco Firewall :: K-value Mismatch With EIGRP On ASA5540

Mar 7, 2011

I have an ASA- 5585X (v.8.2.4) directly connected to an upstream 6509, which is running EIGRP. I configured the ASA for EIGRP with same AS# and network numbers and no auto-summary.   Here are the log messages I got:
 
Mar  8 15:11:08: %PIM-5-NBRCHG: neighbor 164.72.178.28 UP on interface Vlan150 (vrf default) Mar  8 15:11:08: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 164.72.178.28 on interface Vlan150 (vrf default)
Mar  8 15:11:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.28 (Vlan150) isup: new adjacencyMar  8 16:16:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) isup: new adjacency
Mar  8 16:18:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) is down: K-value mismatch
 
I lost my SSH connection to the upstream 6509 and couldn't get it back. Luckily I didn't lose my ASDM connection to the ASA, so I disabled EIGRP and went to look at the logs on the 6509.
 
What causes a K-value mismatch, and how to I rectify the situation?

View 1 Replies View Related

Cisco Firewall :: ASA5540 Configured With Standby IP

Aug 6, 2012

I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]

1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
 
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
 
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.

View 1 Replies View Related

Cisco Firewall :: One ASA5540 With Two 3750 Connections

Jan 9, 2013

i have two CAT3750 need to place in L3, and it supposed that used as L3 switches by SVI for L2 routing, and I want to these two configured as redundancy by HSRP. but now I can only have one ASA5540 to connects these of L3 switches.
 
so, here is my questions:
 
1. does ASA5540 support multi vlan?

2. does it support spanning tree protocol?

3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?

4. achive network redundancy

View 3 Replies View Related

Cisco Firewall :: Config Migration From ASA5540 To An ASA5545-X?

Jan 22, 2013

Customer has a ASA5540 at their main location and need a new ASA5500 for a DR site.
 
Can I simply take a config file from an ASA5540 and easily drop it on an ASA5545-X or what ever?
 
They are going to be using it as a VPN concentrator primarily.
 
Or are there going to be issues since the 5540 is running 8.4(5) and the 5545-X? Or if they upgrade to 9,0(1) or higher, then they should be the same?

View 2 Replies View Related

Cisco Firewall :: ASA5540 Port 80 Redirect To Https

Dec 21, 2011

Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been ask to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? how to accomplish the redirect for a single site. 8.2.4 is current code

View 4 Replies View Related

Cisco Firewall :: ASA5540 Memory Upgrade - 3Gig

May 10, 2011

I upgraded our ASA5540 to 8.4, THEN noted the increased requirements for Memory. I purchased the 2Gig upgrade, but when installing in the Primary unit today, noted that there were 4 slots. Slots 1/3 had 512Mb modules, so I installed the 2 x 1Gig modules in slots 2/4.
 
The ASA5540 came up clean, and it "sees" the entire 3Gig of memory.
 
My question: Is this a SUPPORTED configuration? All documentation I have read only mentions 2Gig of memory. Also, If I had FOUR x 1Gig memory modules, would the ASA5540 support the 4Gigs of memory?

View 1 Replies View Related

Cisco Firewall :: What Is The Impact Of Disabling Xlate In FWSM 4.0.8

Nov 27, 2011

What is the impact of disabling xlate in FWSM
 
We have dynamic NAT configured from inside to outside interface, but still it is showing NAT entry as below.
 
"NAT from inside:177.26.99.10 to outside:177.26.99.10 flags Ii"
 
Expected NAT entry should as below :
 
"NAT from inside:177.26.99.10 to outside:111.111.111.111 flags Ii"
 
We were considering implementing "ip verify revert-path" .Hence here i am thinking whether xlate-bypass is the issue here and implementing same with "ip verify revert-path" woud be a good idea.

View 1 Replies View Related

Cisco Firewall :: Fails To Download File Through ASA5540

Dec 12, 2011

We have ASA 5540 with 8.2 SW. We are trying to download a file (3 MB pdf)  from https session which fails if done behind the firewall. In case, the client bypasses firewall, the file gets downloaded as usuall. Interesting thing here to note is that when client is behind the firewall, its takes a long time to download the file and the file size always 312 Bytes, of course its a corrupt file.

View 3 Replies View Related

Cisco Firewall :: ASA5540 Management Interface IP Addressing?

May 9, 2011

How does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
 
I need to configure a 192.168.x.y /31 on the management 0/0 interface of a ASA5540 and it is providing me with the following error:ERROR: /31 mask is not allowed

View 1 Replies View Related

Cisco Security :: Can Add SSM-4GE Module In ASA5540-AIP40-K8 Firewall

Dec 11, 2011

I have requirement received from one of my customer. the part number given as ASA5540-AIP40-K8, same time requesting for addition of another 4Port GE Module (i believe its SSM-4GE Module). Is any option to add this module in to the above specified model (ASA5540-AIP40-K8).
 
As per my understanding the ASA5540 have the option to add 1 additional module only, so if we AIP-SSM module, we don't have any free slot left with to add another SSM-4GE Module in the firewall.
 
i am not getting even the option to add SSM-4GE in the ASA5540-AIP40-K8

View 1 Replies View Related

Cisco Firewall :: Interoperability ASA5540 Routing And Nat With The Same Zones?

May 18, 2011

I am migrating firewall fortinet to ASA5540 with inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (x.x.x.x), but the users of inside network gain access to the aplication for two ways: the first way is trough routing between inside and dmz, for example 192.0.0.200 to 192.168.0.20, and the another way is trough static nat between inside and dmz for example 192.0.0.200 to 192.0.0.20 (192.168.0.20 static nat). Is posible in Cisco configure that? because when i configure only firewall route the first way is OK, but when i add the second way only nat is work!

View 10 Replies View Related

Cisco Firewall :: ASA5540 Can't Get DHCP Service From Outside To Inside Network

Jun 13, 2012

I have an inside network using PAT to one outside address. Our DNS server is on another local, but outside address.  I can't get the inside network to successfully get addresses.I have another inside address that just uses the wirewall and gets addresses just fine from the same server.I have the box checked in ASDN that enables DHCP on the inside interface and points to the correct DHCP server,PAT service is working properly if I use a hard coded address for a machine on the inside network.This is an ASA5540 with 8.3(2)

View 2 Replies View Related

Cisco Firewall :: How To Clear Input Errors In ASA5540 Interface

Feb 26, 2013

My Expertise with Cisco ASA is Very less. I have observed Input errors in a Couple of Interfaces in Cisco ASA 5540 Firewall.   [code] I need to Clear the Input errors on this particular Interface.Will Clear interface GigabitEthernet 0/0 will work?

View 4 Replies View Related

Cisco Routers :: RV082 Disabling Firewall And Remote Management

Sep 17, 2012

I have a RV082.I need to disable the firewall, since firewalling is done better elsewhere.However disabling firewall Remote management on wan ip is forcefully enabled.I don't need Remote management, keeping it enabled is a security risk for my setup.I don't understand the rationale behind the choice to forcefully enable remote management if firewall is disabled.Is there a way to disable both firewall and remote management?Or at least a workaround?
 
I'm on firmware 2.0.0.19-tm on a probably v2 hardware. (Cannot find this info in the web configuration).This is not the newest even for v2 hw but I cannot afford to break it trying to upgrade the firmware.Moreover no release notes for firmware releases refers to a correction of firewall/remote management behavior.Is this behavior also in newer firmware releases?

View 2 Replies View Related

Cisco Firewall :: 5505 - Disabling Timeouts Which Affect SSH Tunnels

Jan 4, 2012

Im running 8.3 on a 5505. We've got a few ssh tunnels originating from inside to some place on the internet. It seems these tunnels are closed every n minutes. I've seen two recommendations for altering the timeout values, and what I am interested in is infinite timeout (0) for these SSH tunnels.
 
Suggestion 1, alter timeout "conn". Default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would be closed, ever. If it however is recommended to alter, how to set it to "0" (off/unlimited)? timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 
Suggestion 2, enable a ssh class map which explicitely set the timeout for the ssh connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disabled as seen below, is that really recommended?
 
class CLASS_MAP_SSH
set connection  random-sequence-number disable
set connection timeout idle  48:00:00 reset
set connection decrement-ttl

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved