Cisco Firewall :: FWSM Version 3.2 - No Access-list Line X Doesn't Work
Dec 10, 2011
I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
FWSM/xxx03(config)# no access-list ?
configure mode commands/options:
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny
[code]...
How can I remove a line from the access-list without clearing the entire access-list?
View 3 Replies
ADVERTISEMENT
Oct 7, 2011
After enabling AAA FWSM lost opportunity telnet session. FWSM version 3.2(5). In the logs show that resets itself FWSM telnet session.
Conf.,aaa-server TACACS+ (management) host 192.2.151.111
key aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
[Code] .....
View 3 Replies
View Related
Aug 11, 2012
i have a netgear wndr3400v2 on windows 7 ulitmate and when i go to [URL] and try to find the setup access list option it doesnt show up but they say its suppose too
View 1 Replies
View Related
Jan 21, 2011
I have applied named access-list in output direction on 1GE interface on GSR12400 (IOS XR 3.4),but there is no matches. Counters doesn't increase although access-list blocks or permits certain packets (access-list works as it should).
View 2 Replies
View Related
Mar 7, 2012
Does the ASA5520 work with the newest version of h.323?
View 1 Replies
View Related
Jul 26, 2012
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
View 17 Replies
View Related
Mar 14, 2012
We are running a FWSM and have created ACL's for a new Lync install. One of the rules needs to have port 5061 access from any source to our front edge server for communication. When looking at the logs I see a hit on the ACL but nothing ever actually connects.
One possible issue I see is possibly in the inspect:
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
class class_sip_tcp
inspect sip
In the inspect sip this is only for port 5060. How do I set this up to allow port 5061?
View 1 Replies
View Related
Dec 25, 2011
cd doesn`t work and can access web for set up
View 1 Replies
View Related
Mar 6, 2011
I need to enable Management access to FWSM using CA ssl certificate.
FWSM Version 3.2(5) in Cisco 6509 switch.
Got to know how to generate, import and export certificate but my query is how to get it applied to the management ip do i need to apply in the management interface.
View 1 Replies
View Related
Aug 15, 2011
I am having FWSM in active /standby mode deployed on two different cat 6k chassis. Unable to access the fwsm module from switch using ' session module mod_no processor 1 ", it throws error " % telnet connections not permitted from this terminal" Running Version 3.2.6 on fwsm, Cat 6k is running 12.2.33.SXH1,
switch#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
% telnet connections not permitted from this terminal
---------------------------------------------------------------------------
have allowed telnet on line vty, configuration on Line vty is simple allowing all transport protocols
line vty 0 4
exec-timeout 5 0
transport input all
transport output all
line vty 5 15
exec-timeout 5 0
transport input all
transport output all
View 3 Replies
View Related
Nov 14, 2011
I have one outside interface with global IP address 1.1.1.1 and two inside.Both inside interfaces restrict and non_restrict have private IP addresses.I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.I can access prohibited URL from restrict interface. What's wrong in my URL filtering?
Here is my config:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
[code]....
View 1 Replies
View Related
Jun 3, 2013
A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly.
View 3 Replies
View Related
Nov 30, 2012
I have a server in a network DMZ (IP 192.168.40.43) need to do discovery of other IP address to update the IPAM tool. It should not be done source NAT so I´m trying to use the configuration below with Policy NAT but isn´t working:
nameif ethernet1 inside security100
nameif ethernet5 dmz8 security55
!
ip address inside 10.56.12.93 255.255.252.0
[Code]....
It´s following message appears "% PIX-3-305005: No translation group found for icmp dmz8 srv: 192.168.40.43 dst inside: 10.38.36.50 (type 13, code 0)".
View 10 Replies
View Related
Apr 24, 2012
Today i received FWSM from cisco (RMA), I need to configure it as standby unit for existing FWSM active/standby setup.
IOS on RMAed FWSM is 2.3.4 and cisco VSS supports FWSM IOS 4.0.4 and later.My issue is, I cannot access FWSM (IOS 2.3.4) via session command from cisco 6513 but could successfully consoled it without any problem. I have reloaded it twice and also tried to disable and enable power on it.
VSS#sh module switch 2
Switch Number: 2 Role: Virtual Switch Standby
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 6 Firewall Module WS-SVC-FWM-1 -----------
[code]....
why I cannot access FWSM through session command ?Whether this is because of older IOS ? If yes then how to upgrade its IOS ?Is it possible to upgrade IOS via FWSM console ? if yes, Do i need to test on different slot ?
View 2 Replies
View Related
Feb 15, 2012
I have a ASA 5510. I setup basic configuration to test internet with 2 ISPs. My first line works with out any problem. But my second line doesn't work. Even when i wipe the configuration, and setup only my second isp. Internet doesn't work. Can you tell me if there is anything wrong with this config?
CaaaA01# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname CaaaA01
domain-name example.com
[code].....
View 2 Replies
View Related
Dec 21, 2010
I'm trying to setup a L2TP VPN Connection on my ASA 5510 to connect with Android/Windows (Native Clients).I'm using the newest Releases:Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.3(5)
My asa config just the interesting part:
crypto ipsec transform-set trans esp-3des esp-sha-hmac crypto ipsec transform-set trans mode transportcrypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map dyno 10 set transform-set transcrypto map vpn 20 ipsec-isakmp dynamic dynocrypto map vpn interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400no crypto isakmp nat-traversal
[code]....
If i try to connect with a Windows 7 Client (NOT behind NAT) I get the Error 691.
I see that Phase 1/2 are working with debug:
Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED
Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)
Then I see this "Error":
Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated
I don't understand why it doens't work....I tried many templates from the net but nothings works.
View 5 Replies
View Related
Jan 2, 2012
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any
route-map proxy-redirect permit 101
match ip address 101
set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
View 2 Replies
View Related
Apr 1, 2011
I can not setup a new user, or access wireless networks that show on my laptop had a virus and the shop said they removed it but the network has not worked since it a dell inspiron 1525
View 1 Replies
View Related
Jan 26, 2013
I have connected my laptop to many many networks, but this is the first time this happened. I went to my moms today, and triied connecting but it only says limited access and full bars, and sometimes it doesnt even say its limited access...I have restarted modem Deleted network file (or whatever yhou call it, its in manage network. makes it like ive never joined it)Checked if connection switch was off on my laptop (Wasnt)Disconnected and reconnected multiple times Cry a little And restarted computer .What can i do?
View 1 Replies
View Related
Feb 26, 2012
Like others I see on this board, we've got middle- and high-school age kids whose access to FB and other sites needs to be controlled/scheduled.
I thought the DIR-655 was great, in that it has features that, on the face of it, would seem to be ideal for blocking domains and restricting access.
My problem: I've never been able to get this to work.
I've set up schedules and created lists of domains that I want to limit access to according to the schedules, but the only constraint I've ever gotten to stick is blocking access completely to the router.
*None* of the schedule-based or website-based access controls have ever worked; I'll put the block in place to my daughter's computer's MAC address so she shouldn't be able to get to youtube or facebook, save, bounce the router, but then I go by her room and she's still busily chatting away online to her FB friends.
Based on similar posts I've seen on this forum, this may not be a unique problem.
So in a nutshell, this is what I want to do:
1) Block certain computers (identifiable by MAC address)
2) from being able to get to particular named domains (and any of their sub-domains)
3) according to a schedule that I can create and modify.
My preference would be to do this in the router, but again, responses I've seen here suggest that may not be possible.
View 1 Replies
View Related
Jan 5, 2012
I have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
These are configuration lines:
object-group service elastix-ports
service-object udp eq sip
service-object udp gt 10000
[Code]......
View 1 Replies
View Related
May 12, 2013
I'm trying to build different content security scenarios for a potential deployment of ASA5500-X series firewall with CX module and ran into a trivial problem. A simple access policy has been configured to deny Skype. It's as simple as it sounds. To my surprise I don't see that it is being enforced.I have all my pending changes committed, events are now showing with hits, see attached print screens. Tried to start Skype on my PC with the source shown on the print screen it and don't see any effects of this policy.
As a side note, I know for sure that other type of filtering does work, i.e. I have configured a deny filter for gambling URL category and it seems to work nicely.
View 3 Replies
View Related
Apr 5, 2011
since our update of Cisco ASA 5510 (active/standby cluster) from version 8.22 to version 8.24 it isn't possible to transfer files from/to a sftp client. The request just times out. SSH from this client is possible.
[Code]...
View 2 Replies
View Related
Apr 13, 2013
I'm trying to get 'Access Control' working so I can limit Wi-Fi time on my kids iPod touches, but the settings aren't clear and the help file is not clear whatsoever.I've been testing it with my iPhone, I have the MAC added, but none of the options available will even stop my iPhone accessing the internet over my Wi-Fi.
View 1 Replies
View Related
Mar 12, 2013
The network gods recently updated our 6500 and upon reboot, the FWSM booted to CF:1 maintence partition,which caused an immediate outage. On the router, I ran the following command to set the default FWSM boot partition to the configuration with:Router#boot device module 4 cf:5 However, it appears the "show boot device" command has been replaced with "show bootvar" which doesn't show me which partition the router will boot the FWSM to. Is there a command I can run from the Router that will actually confirm the boot partition for the FWSM if the router reloads.
View 1 Replies
View Related
Jun 10, 2013
what´s going on with an asa540 configure in multiple-context mode. I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping returns the same error:
CISCOASA/CONTEXTA#
JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Following attached the conf of my asa My question is Why I can´t ping or even use snmp ?
View 5 Replies
View Related
Aug 28, 2011
For some reason I can't get Access Control/Webaccess Filters working on my Dir-655 w/ 1.35NA. I've tried it with MAC and IP Address without any success. I've also enabled/disabled/enabled DNS Relay, recreated the rules, recreated the filters, etc. Nothing.
View 14 Replies
View Related
Feb 23, 2011
I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
View 1 Replies
View Related
Aug 24, 2011
I am having a problem getting this to work and I have always done it with 2 Static ip address. but now this company changed to 1 and I am doing something wrong.
I have comcast with 1 static IP, I have a local LAN with 6 host and 1 server that does Mail and remote access and web traffic.
I need a config that allows me to use 1 static ip on the outside interface of the PIX and allow with an ACL 7 ports open to the server and allow all the local host out to the internet.
View 11 Replies
View Related
Mar 12, 2012
I have a WAP54G v3.1 running firmware version 3.05.01 and a WRT54G v3 running Tomato v1.28. The WAP54G is configured client mode and works perfectly. However, I was not able to get the two to communicate with WPA2 security - maybe, I just didn't try hard enough? Both devices are capable of doing WPA2 with AES but client mode doesn't seem to work with WPA2? I had to drop back to WPA-AES to make it work. Why is this?
View 4 Replies
View Related
Apr 2, 2013
I have a router in front of a few firewalls on an internet link. All traffic from the inside network must go through one of the firewalls to get out through the router and similarly there is a dmz on one of the firewalls.I am trying to make sure the router is fully hardened.Should I apply an access list on the outside interface of the router along with the access list for management access?
View 11 Replies
View Related
Oct 30, 2012
Trying to figure this all out. I'm getting untranslated hits. I posted the config I have so far.
Code...
View 7 Replies
View Related
Mar 11, 2013
This is a working example using static. But it doesn't work with the dynamic interface or I'm doing something wrong. Need to get rdp access to my laptop.
ASA Version 8.4(5)6
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]...
View 1 Replies
View Related
