if SSH v1 is considered vulnerable why is it still enabled by default on the ASA 8.4 by default?What is the vulnerability impact of using SSH v1 on an ASA?
View 1 RepliesFaced this recent vulnerability?
[URL]
My understanding is that for ASA 8.4.1 and prior, there's a vulnerability that opening many ssh sessions and one of them times out, the firewalls crashes!
As we have many customers with ASA using 8.2.5(26) (for example) I'd like a confirmation that for fixing that bug I need to upgrade my ASA image to at least 8.4.x.Case that, I believe that all the former firewall configuration must be reviewed because 8.2.x version has many different commands that 8.4.x (for example, NAT)
i am using asa821-k8.bin image, in my cisco 5520, How can i check if my IOS is vulnerable ?
View 4 Replies View RelatedWhat is the impact of disabling xlate in FWSM
We have dynamic NAT configured from inside to outside interface, but still it is showing NAT entry as below.
"NAT from inside:177.26.99.10 to outside:177.26.99.10 flags Ii"
Expected NAT entry should as below :
"NAT from inside:177.26.99.10 to outside:111.111.111.111 flags Ii"
We were considering implementing "ip verify revert-path" .Hence here i am thinking whether xlate-bypass is the issue here and implementing same with "ip verify revert-path" woud be a good idea.
Does the SVI ACL have impact on the CPU on 6509 ?
View 7 Replies View RelatedI would like to perform vulnerability scan on Cisco switch and router.Is there any free vulnerability scan tool recommended for Cisco device ?
View 2 Replies View RelatedWe have ASR1002 routers configured to run individual SubPackages, at this point everything is operating without problems.We just received a Cisco Security Advisory informing us SSHv2 is vulnerable in our version of router code.We have to upgrade to the recommended stable release, so we downloaded, installed and expanded the IOS to expose the SubPackages on the ASR routers bootflash.
Since we are running SubPackages, do we need to upgrade all SubPackages (I.E. complete IOS upgrade) of can we just upgrade the vulnerable SubPackage? How do you determine which SubPackage contains the SSHv2 application?
I had a bad expirience with Switch 3750-X. Because of an auditing security processess, my customer ran a software called "Nessus" to do a scanning of vulnerability on the network. When this software is point to switch, the process of the switch will next to 100% and reset. The software only do a listening on the ports to see what ports are opened and the switch should not reset because this. Bellow is the log os switch on the moment of test; we note that the processess 'HTTP' rise moments before the switch reset. I disable the HTTP service on switch but the problem persist. The test was made only one machine connected to switch.
View 4 Replies View RelatedAdding a vlan 820 to existing port channel trunk which currently allows many vlans. What is the best way to add vlan820 with least impact to network. Portchannels from 6513 core with IOS to Nexus 5k,Copy existing vlans, add 820 and paste under: switchport trunk allowed vlan 1,2,5,12,20,820
View 6 Replies View Relatedrececntly we have installed 2504 WLC in of branch office, I can able to log via console but it is not coming over LAN not even showing in CDP, all config seems to be fine in wired side & WLC side & physical connection also fine...LED also green.I am seeing log message in WLC, is this related to License issue
View 2 Replies View RelatedWe plan to implement a large number of ACL on our Distribution switch which is a HSRP pair of 6509C switches running on sup-bootflash:s72033-psv-mz.122-18.SXD3.bin WE need to divide the Network in three layers
unsecure layer
Proxy layer
Secure layer
We have approximately 250 vlans on the our distribution switches and plan to implement 15 ACL on different vlans Each ACL can contain upto 30 lines or less.
basic ACL example we will be applying on different vlan
vlan 200
ip access-group test123 in
My question is Can these ACL on a vlan can have a massive impact on the 6509 CPU ?
We had a PCI security audit of an existing VIP on our ACE 4710. The VIP is set up as HTTPS terminating on the ACE with a http redirect for all 80 traffic. The audit reported this VIP was vunerabled to the Cisco "IOS HTTP Authorization Vulnerability". Which basicly states, http Management is on this IOS device. It does not make any sense, as the VIP is pointed to a pair IIS servers?
[URL]
Nature of the vulnerability that FW 1.31 is said to correct?
View 5 Replies View RelatedWhat is the impact of incorrectly setting the antenna gain on a the b/g radio of an AP would have on a WLAN?
I've come across a site where around a 3rd of the AP's had their antenna gain set to 0. I can only assume that something missed setting this during setup. The site uses 1242ABG AP's and each has 2 4941 antennas and i believe the gain should be set to 4 x 0.5dBi
I have a DIR-600 C1 running the latest available firmware version (3.03).
Model: DIR-600
Hardware Version: C1
Firmware Version: 3.03
WiFi Protected Setup is turned ON.I would like to know if it is affected by the new disclosed vulnerability described here:[URL] Also, turning WiFi Protected Setup OFF may not assist to mitigate this vulnerability?
I am running HSRP on three 4506 switches..S1(active) S2( standby) and S3(listen)..S1 is active for all the vlansRight now, I wanted to make S3 active for two vlans: vlan 10 and 19What would be the impact to the end hosts?Also, can you tell me why the arp is not syncing for all the three devices? [code]
View 4 Replies View RelatedI have a query regarding the deletion and creation of one of my SVI interface on 6513 ,The reason behind it as follows.My traffic get to Internet in this manner
proxy(external int.)[IP:192.168.1.30] --> Gi0/9[6513 in VLAN 170] --> SVI VLAN 170[IP:192.168.1.10] --> Gi0/10[In VLAN 170] -->ASR[IP:192.168.1.20],I need to assign this VLAN ie 170 to my inside interface of firewall but it was mentioned in books like this "Assign the VLAN for the FWSM before it is applied to the MultilayerSwitch Feature Card (MSFC)." so I am thinking the following steps to assign VLAN 170 to firewall group first before creating SVI Interface for it
1.Remove all currently assign ie Gi 0/9 & Gi0/10 interfaces from this VLAN and then delete this VLAN.
2.Create the same SVI ie VLAN 170[IP:192.168.1.10] by this way the issue can be resolved.
As in part of my configuration PBR is define like this .
interface Vlan170
description "PUBLIC IP VLAN"
ip address 192.168.1.20. 255.255.255.0
ip policy route-map NAT
route-map NAT permit 10
match ip address 101
set ip next-hop 192.168.1.10
I need to clearify what impact it may have on PBR part if I delete and create the VLAN 170.Will the traffic move to the inside interface of FWSM.
On my D-link routher the power supply broke. I instal another one but it has 2.5A as output instead of 2A as the broken one has. Is it dangerous.
View 2 Replies View RelatedApparently there is a vulnerability issue which was just discovered with TP-LINK TL-WR841N wireless router running firmware version: 3.13.9 Build 120201 Rel.54965n and below,as described here: [URL] and here: [URL] there latest firmware 3.13.27 Build 121101 Rel.38183n already addressing this issue or is there any other planned correction expected to address this vulnerability issue ?
View 5 Replies View RelatedI wanted to know if there is a way of upgrading the IOS on a stack of 6 - 8 3750's with minimal impact at reload. Is there a way to reload one member at a time?
View 3 Replies View RelatedDo larger computer screens use more data? Or is it just a matter of screen resolution?
Is there a difference between large, small, laptops, and tablets in bandwidth consumption if all the screens were set to a resolution of 1024 x768?
I was informed by a co-worker that there is a security vulnerability with the local certificate authority in the ASA running 8.3 code. I've looked through the security advisories and haven't been able to find anything about this. Was this just misquote or am I missing the security advisory release?
View 1 Replies View RelatedI will be implementing a new firewall (cisco asa 5515x) on my existing 3750x (server switches) and my 2960s (user switches). What should I need to apply on my firewall and swtiches to make the implementation successfull. I will put my 3750x as my DMZ and my 2960s as my inside. The 3750x have multiple subnet and also the 2960s.which features and technologies i need to know on those 3 products. my 3750x and 2960s don't have any ACL defined and most common features are vlan, switchport, trunking, spanning-tree, stacking, vtp.how my asa knows that my 3750x/2960s have multiple vlans. my current connection right now on 3750x and 2960s is just through 6 ports i assigned as one trunk, below is my config [code]
my 2960s vlans are almost the same with my 3750x except vlan 160, 170, 192. but of course when i put this in asa, i have to segragate vlan for 3750x (192, 100, 110,160, 170) and 2960s (130, 150). for my 2960s connection to the asa and since this will have big bandwidth, i will use 3 ports on my asa (and trunk it) connecting to my 2960s and i will use 2 ports on my asa (and trunk it) connecting to my 3750x. the one internet ports and my one management ports on my asa will stay like that.
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
View 2 Replies View RelatedWe had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.
View 1 Replies View RelatedI have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.
I do have the below setup,,
1. I have 6509 switch
2. I have 2 WLC configured in Active/Active mode connected in Trunk mode (L2 Port-Channel) connected with 6509 switch
3. On switch side i have configured the port as Trunk
4. L3 SVI for wireless users are created in 6509 switch (attached the diagram).
I would like to introduce a Cisco ASA 5520 firewall with AIp-SSM module so that all wirelees traffic can be inspected.
The issue is: Without changing any configuration in the network (switch & WLC) is it possible to introduce the firewall?
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
I've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...
I was asked to enable netflow in an ASA Firewall for Orion/Solarwinds server monitoration. Firewall is a 5550, with 4G RAM, and no extra modules but SSM-4GE. This firewall has 5 DMZ segments and ans specific segment for internet traffic.There are segments as unique subinterfaces in physical interfaces. Other segments as individual subinterfaces in the same physical interface (but individual VLANs)Usually firewall CPU flows between 30% to 40%. Rarely to 50%.
1 - How dangerous or risky could be implement netflow in this firewall?...This firewall is very critical for the customer. My concern is regrading CPU, traffic generated, memory, etc
2 - In a month, firewall will be migrated from 8.2 software version to 8.4 software version. Is there any incompatibility in some commands?...Would be recommended to perform netflow configuration after software upgrade?
3 - How could it be implemented for Orion monitoring, regarding each individual sub-interface (and so, each VLAN assigned)?I there any recommendation regarding configuration, best practices?
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).