Cisco Firewall :: Configure ASA 7.2 (4) To Inspect SCCP Traffic From A CUCM V7

Aug 11, 2010

I am trying to configure my ASA 7.2(4) to inspect SCCP traffic from a CUCM v7. I have been advised that the ASA device needs to support the version of Skinny I am running. What version of Skinny does ASA 7.2(4) support? How can I find out what version my phones are using?


Cisco Firewall :: ASA 5510 Can't Inspect And Intercept For HTTPS Traffic

Feb 23, 2011

I want to block some social networking sites using an ASA 5510-CSC-SSM. As I searched, I came to know that the ASA 5510 can't inspect and intercept HTTPS traffic because it is encrypted while traversing through the ASA. I want the ASA to work for HTTPS too, not only HTTP. Can I perform this task by updating any software on the existing device?

Cisco Firewall :: ASA 9.X Routed - Inspect Traffic For All L3 And Transparent Contexts

May 12, 2013

We are currently looking at design models for a multi-tenancy solution. The firewall layer will be 2 x ASAs running 9.X to take advantage of VPNs in multiple context mode and mixed L3 and L2 contexts.
 
We will be delivering services through multiple L3 contexts (between 2 and 5 L3 contexts for services) and 1 transparent context for customers' infrastructure, who will then have virtual firewalls for NATs and VPNs etc. within their own environment.
 
I am not very experienced with IPS, so my query is: if we were to get an IPS license for both ASAs, how would the IPS fit in? Can we use it to inspect traffic for all the L3 contexts and the transparent context?

Cisco :: IP Inspect Firewall

Apr 16, 2012

ip inspect firewall should be performing no inspection on traffic traversing an IPsec VPN, right?

Cisco Firewall :: Inspect Not Working In ASA5520?

Aug 15, 2012

I have a Cisco ASA5520 box running IOS version 8.2(5)13 where the default policy map is applied globally. But I have not seen any traffic being inspected through the included protocols defined under the policy map. All configuration seems to be OK to me.
 
service-policy global_policy global
 Global policy:
  Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0

[code]....

Cisco Firewall :: Enable Inspect Http On ASA 5510?

Feb 15, 2012

How do I enable inspect http on an ASA 5510, so that URL information is populated in the syslogs?

Cisco Firewall :: DNS Through ASA5510 Returns Inspect-DNS-Invalid-PAK

Dec 27, 2011

ASA5510, ASA 8.0(4), ASDM 6.1(5). This is a production ASA with plenty of lookups working through its 3 interfaces - outside, inside, dmz. The problem is a new use. I've segmented a switch on the inside network with a VLAN, and have a workstation routing through the switch to the default VLAN where all other hosts on the inside network reside so far. The ASA inside interface is the default gateway for the inside network. My test workstation can PING inside hosts, so the static route is OK.
 
     ASA 10.1.1.2/16     DNS Server 10.1.5.1/16
                |                                  |
------------------------------------------------------------------
                    |
               Switch 10.1.8.20/16

[code]....
                        
But lookups fail. Wireshark says the test workstation sends, the DNS server receives and responds, but the test workstation never receives. I used the Packet Tracer tool; it gets to the last step saying OK, then finally "inspect-dns-invalid-pak". I can't find anything more there to tell just what is invalid about it. So I'm trying to figure out global inspection. Here's an extract from the config:
 
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default

[code]....

Cisco Firewall :: ASR 1000 ZBF Can Use Police Action In An Inspect Rule

Mar 23, 2011

I have two questions about ZBF on ASR1000 with Firewall and Flexible Packet Inspection license:
 
1. Is IPv6 supported?

2. Can I use the police action in an inspect rule? I want to limit some protocols to low bandwidth. There is no police command in a ZBF policy map.

Cisco Firewall :: HTTP Inspect In ASA 5510 Messes Up SVN Authentication

May 13, 2013

I have a strange problem in my ASA 5510 firewall. I turned on the HTTP inspect policy to block certain URLs, but that destroyed SVN communication. Interestingly, if I use a simple web browser to access the SVN server it works, but any svn-client requests fail with the error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing and discovered that with HTTP inspect off the WebDAV request is answered, but with HTTP inspect on it is rejected with an "unauthorized" error. Here are examples of successful and failed conversation packets:

Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk  {HTTP:3, TCP:2, IPv4:1}
 
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
 
Packet #4 is the actual differentiator.

I found one mention of that error with this assessment: "Older firewall/proxies do not understand the WebDAV related HTTP requests for accessing Subversion using HTTP" [URL] in that post, but no useful tips.

Cisco Firewall :: 5510 Inspect SIP Dropping Request Message Packets

Mar 17, 2011

I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
 
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
 
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
 
I have cross-checked both firewall configurations, and I do not see any suspicious commands relating to SIP that might cause this issue. Is there any command to troubleshoot why the SIP inspection is dropping the SIP packets on site B?

Cisco Firewall :: ASA5580 - How To Configure Traffic Flow Idle Time-out With CSM

Feb 16, 2012

I am looking for the way to define an idle timeout for specific flows on an ASA5580 by using Cisco Security Manager. For example, I needed to define a specific idle timeout for connections between specific devices (Devices in vlan1, Device2 in vlan2). To test it I made the following changes by CLI and it works fine:

access-list L1 extended permit ip <@IP1> <mask1> host <@IP2>
class-map CM1
 match access-list L1
policy-map PM1
 class CM1
  set connection timeout idle 02:00:00
 
I try to do the same configuration with CSM in order to be able to manage each change only by using CSM. So I defined an access control list and a traffic flow, and then I define the timeout in CSM --> PIX/ASA/FWSM Platform --> Service Policy Rules --> IPS, QoS and Connections Rules -> Connections Settings -> Traffic flow idle time-out. The problem is that each time I deploy the configuration with CSM I lose the timeout config line, which is the most important for my application.

Cisco Firewall :: Configure ASA 5510 For Individual Server Traffic Routing

Jan 27, 2013

I am wondering if this is possible. We have multiple internet connections with fixed IPs coming into the office. We'd like to use one for FTP backup and another to service our websites. From what I have read a 5510 doesn't do policy-based routing, but we'd like to configure our FTP server to use one of the internet pipes and our web server to use another internet pipe. Is that possible?
 
We'd have two outside fixed IP interfaces and two internal interfaces. I could then use one of the internal interfaces for the web server and the other for the FTP server. Consequently, if the internal web server and FTP server use the fixed IPs' corresponding DNS server, wouldn't that effectively route all FTP traffic out one interface and all web traffic out the other?
 
Then the FTP traffic would be NAT'ed to an internal interface and the HTTP & HTTPS traffic would be NAT'ed to a separate internal interface.
 
Then if each of the internal servers used the corresponding internal NIC on the ASA as its gateway and the fixed IPs that correspond to the external DNS server, would it effectively only use that gateway out for traffic? Would that work? Would it route traffic out those pipes correctly? Will the ASA support two different next-hop routers for the two different interfaces?

Cisco Firewall :: 3745 / 1811 - Slow Web Connections With IP Inspect (CBAC) Turned On

Jul 7, 2009

I have seen this a couple of times on two different routers. One is a 3745 and another a 1811 running 12.4(15)T4 and 12.4(6)T11, respectively.
 
When we have IOS firewall running (either IP inspect or ZFW), we will experience intermittent slow HTTP connections.
 
Symptoms include page timeouts, CSS not loading and just overall slow performance. Disabling the inspection cures the issues.

Cisco Firewall :: Configure ASA To Send All Traffic From (3) VLans To Interfaces That Connects To 2960?

Apr 18, 2013

I have an ASA 5520 connected to a Layer 3 (3750) switch (Inside) and a connection to a 2960 switch (Outside) to get to the internet. I have created VLAN interfaces on the 3750 switch and enabled ip routing on the switch to enable the VLANs to communicate with each other.
 
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1 
 
I want the devices connected to the 3 VLANs to be able to pass through the firewall and get out to the internet. I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other. I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1). The issue that I am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an Ethernet connection from the 2960 that sits in VLAN 55 (VLAN 55 is the Internet-accessible VLAN). How do I configure my ASA to send all traffic from my (3) VLANs to the interface that connects to the 2960 switch?

Cisco Firewall :: Configure HTTP Traffic To ISP2 And Static NAT To ISP1 On ASA5520?

Jun 20, 2011

Is it possible to configure HTTP traffic to ISP2 and static NAT to ISP1 on an ASA5520?

Cisco Firewall :: 5510 How To Configure Local LAN SMTP Traffic Sending Through New Leased Line

Jun 11, 2012

We have configured an ASA 5510. We have configured Ethernet 0/0 (Outside) connected to an ADSL line and Ethernet 0/1 (Inside) to the local LAN. We have configured NAT and all the traffic is passing through the outside interface. Now we have connected the Ethernet 0/3 (leased line) interface with a static public IP. Now we want to allow SMTP traffic to pass through this interface.
 
How do we configure it so that our local LAN SMTP traffic is sent through the new leased line (static public IP)?

Cisco Firewall :: Configure 2911 ISR To Block Peer-to-peer Traffic?

Jul 25, 2011

I see that application protection - blocking peer-to-peer file sharing traffic - is a capability of Cisco IOS Firewall. How do I configure my Cisco 2911 ISR to block peer-to-peer file sharing traffic?

Cisco Firewall :: ASA5550 - Implement Traffic Shaping / Policing Primarily For P2P Traffic?

Mar 10, 2011

We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of P2P inspection if the traffic is tunneled via port 80, is the AIP-SSM the way forward? We have 2 5550s in an active/active failover config. As a side note, we are also looking to implement an IDS/IPS system, so could this module cover all? Is this module going to provide the desired outcome, or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product, if only so that we can make use of the investment we already made in these devices.

Cisco Firewall :: Traffic Limit For Internet Traffic Usig ASA 8.2

Nov 27, 2012

I am testing bandwidth limiting using my ASA 8.2. I am trying to limit internet access for certain users, in order to save bandwidth for the important things, but I can't get any limitation.
 
My configuration is the following. The access list is just for my PC in order to test, and the service policy is applied to the outside interface (called Internet in my case) for incoming traffic:
  
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any
class-map Internet-class-TEST
 match access-list Internet_mpc_1
policy-map Internet-policy-web
 class Internet-class-TEST
  police output 1024000 1500
  
service-policy Internet-policy-web interface Internet
 
With show service-policy I can't see any activity on the policy, but if I do a similar configuration for inside interface outgoing traffic I can see packets allowed and dropped.

Cisco Firewall :: ASA 5520 - Allow Traffic From DMZ To Internet And Block Traffic?

Apr 29, 2012

I have an ASA 5520 with the below config
 
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
 
I have an SMTP relay deployed on the DMZ for mailing. I also have a mail server installed in the internal LAN.
 
I want to allow traffic from the DMZ to reach the internal LAN, and I normally also want to allow the SMTP relay in the DMZ to reach the Internet.
 
How can I block traffic from the DMZ from reaching the internal LAN (apart from SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?
 
For allowing traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?

Cisco VPN :: Inspect RDP On ASA5585-X

May 6, 2013

A user from a home PC via AnyConnect makes an RDP session to a work PC; on this PC Microsoft policy allows disk mapping via RDP. Is it possible to inspect this traffic and deny this (disk mapping) action on an ASA5585-X with IPS?

Cisco :: Upgrade CUCM 8.0 To 8.6?

May 13, 2012

I want to Upgrade CUCM 8.0 to 8.6 version. What are the necessary steps, any tools, license requirements?

Cisco WAN :: 881 / Inspect SIP Packet Using CBAC?

Apr 28, 2013

I'm in the process of configuring a Cisco 881 router for a branch office. Behind this router they have a PBX. Is it possible to inspect SIP packets using CBAC, and thereby open RTP pinholes? I only have 1 public IP address, and I'm not fond of configuring thousands of PATs to the PBX. I have successfully accomplished this with global inspection on ASA firewalls, but I don't know if this can be done with IOS as well.

Cisco VPN :: Configure IPsec L2L To Allow Only One Way Traffic

May 9, 2011

We have a business need to set up an IPsec L2L tunnel (from multiple locations) to a business partner, and we require that the connection can only be initiated from our side, not the business partner's side. I searched the web; one option is to configure our side's ASA to initiate IKE only, but this does not seem to meet our requirement, because once the IPsec SA is up, IP layer traffic will flow freely in either direction. The other option people suggested is to use a VPN filter in the tunnel group policy, but the documentation of how to use this vpn-filter to enforce a one-way traffic policy is not crystal clear to me. I actually configured a reflexive ACL on the core L3 switch before the traffic hits the ASA to reflect/evaluate specific traffic to the business partner's LAN network, and that worked well. However, one of our branch office's core L3 switches is a Cat4K which does not support reflexive ACLs with the image it is currently running, so I am stuck again.

Cisco :: Upgrade From Callmanager 4.x To CUCM 8.x

Jul 8, 2011

We are upgrading from Callmanager 4.0(2a) to new hardware and the latest version. We have Callmanager 4.0(2a) and would like to upgrade to the newest version, at least to CUCM 8. We already have the new hardware that is compatible, SmartNets and licenses. After looking at the matrix sheet it appears (there were several different upgrade routes, but I could only find documentation for upgrading to 7.1(2) and 7.0(1) from 4.x, so I am going with 7.1(2)) we should go:

from 4.0(2a) to 4.3(1)

from 4.3(1) to 7.1(2)

from 7.1(2) to 8.0(1)

this gets us to 8 which we can then upgrade to 8.5 or 8.6

So, we have 4 servers, 2 old (Pub, Sub) and 2 new (Pub, Sub). What is the best plan of attack here:

1) Back up 4.0(2a), then do an in-place upgrade on the old hardware from 4.0(2a) to 4.3(1). Then back up 4.3(1) and do another in-place upgrade on the same server to 7.1(2). Then load 7.1(2) on the new hardware and restore the 7.1(2) backup from the old hardware. Then back up and do an in-place upgrade to 8.0 on the new server?

Or

2) Is there any way to not have to "touch" or do an in-place upgrade on the old hardware running 4.0(2a), and just run a backup on it, load 8.5 on the new server and import the data over from the backup?

Cisco :: What Vmware Have To Use To Install Cucm 7

Apr 18, 2012

What VMware do I have to use to install CUCM 7: VMware Workstation 7, VMware Server, or ESXi 4 or 5? Any correct link to download it, and the VMware config settings?

Cisco :: LMS 4.1 No Phone Registered In CUCM 6

Nov 6, 2012

The customer has CUCM in the inventory database of LMS 4.1. He has all accesses from LMS to CUCM. One 7961 phone is seen in the UT report. When the customer clicks on the CUCM in the inventory, there is no IP phone registered in the CUCM.

Cisco :: LMS 4.1 - No Phone Registered In CUCM

Nov 6, 2012

The customer has CUCM in the inventory database of LMS 4.1. He has all accesses from LMS to CUCM. One 7961 phone is seen in the UT report. When the customer clicks on the CUCM in the inventory, there is no IP phone registered in the CUCM. What is wrong? :-( See the attachment.

Cisco Switching/Routing :: IP Inspect On A 3560 IOS?

Mar 4, 2012

I have a need to use a 3560 switch to terminate a provider's internet connection, but I want to secure it so that it and the VLANs connected to it are not wide open. At the same time, I'd like to use stateful packet inspection.
 
I have IOS 12.2(44)SE2, but IPBASE running on my 3560s. Is there an IOS (perhaps the ADVIPSERVICES of that version?) that allows a 3560 to use the 'ip inspect' command?

Cisco WAN :: Configure Traffic Between 2 Networks In ASA 5520?

Apr 16, 2013

I have an ASA 5520 firewall. At this time I have connected 3 networks (192.168.1.0 INSIDE, 192.168.2.0 INSIDE2, 10.0.1.0 OUTSIDE). I followed the article [URL] to configure my firewall, but the ASA does not permit traffic (ip, udp, icmp, etc.) between the networks.
The configuration that I have is:
 
ASA Version 8.2(1)
!
hostname Firewall
domain-name xxxxxx.com

[Code].....

How To Configure Network Traffic Loads

Apr 26, 2012

My first time attempting this, so excuse my wrong use of terms. I believe it's load balancing. The new company site is going to have 2 separate connections:

con 1: 15 up/2 down coax connection
con 2: 6 up/ 6 down dish
con 1 needs to simply have http and https traffic.
con 2 will have security surveillance, SNMP, and VoIP (PBX)

The hardware I know will be at that location when I fly up there is a SonicWall TZ210 and a 48-port Netgear gigabit switch. Where do I start?

Cisco :: CUCM Feature Ring Like CUCME

May 28, 2012

I've looked in many places but cannot see how, or if, it is possible to configure a phone in CUCM to have a feature ring instead of the normal ring. In CUCME you go into the ephone x configuration mode and assign the DN to the phone with the button xfx command. What this gives you is a slightly different ring tone when a call comes through. If I am not mistaken it is the same ringtone they use on the show "24". Is there a way to do this "feature" with CUCM?

Cisco Phones Not Registering With CUCM But CIPC Is

Mar 31, 2013

I have a problem with my Cisco 7961 phones not registering on my CUCM 8.6 install on ESXi 5. Weird, because I have Cisco IP Communicator phones that register with no problem. Do you guys know what I could be missing? I have restarted the CUCM and services multiple times. The phone log on my phones says it can't find DHCP and "DNS unknown host", but my CUCM is configured by IP address. I also attached some screenshots.


Copyrights 2005-15 www.BigResource.com, All rights reserved