Cisco Security :: 501 PIX - How To Delete Existing Configuration
Mar 10, 2005
I was given a 510 PIX Ver 6.3(1)to reconfigure but have no information on the existing configuration and need to wipe it clean and start over how can I do this to get back to the factory default settings. I have tried the "monitor>" but I don't know the IP address of the PIX interface.and am not sure how to do the setup for recovering the password.
View 7 Replies
ADVERTISEMENT
Mar 23, 2011
Any detailed knowledge about Cisco ACS 5.1 and Windows AD interaction? I wonder why does Cisco ACS domain account must have permission to create/delete domain objects. This fact does really surprided me, because to my mind Cisco ACS only reads domain structure, and does not make any changes.
View 3 Replies
View Related
Feb 6, 2012
We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2. We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
pressed the Network Configuration button,saw the Proxy Distribution Tableclicked (Default)moved ACS1 from the AAA Servers column to the Forward To column.
So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.
View 2 Replies
View Related
Jul 1, 2012
Working on a C4948-10g switch. Trying to reset switch to factory settings. I have ran the Switch#>wr erase, command but the vlan's are still in the config. If you do a show vlan it still shows all the vlan text. I have tried the Switch#>delete vlan.dat, doesn't work. Tried Switch#>delete nvram:vlan.dat, doesn't work. Tried Switch#>erase startup-config, doesn't work. How can I get rid of the vlan's?
View 7 Replies
View Related
Apr 15, 2011
We have the acs server which has the ssl certficate(certifcate authority) running in acs 3.2 windows version for eap-tls enduser authentication.
We want the same to be migrated to acs 4.2(appliance) application. I have tried in different ways to push the certificate but i couldn't.
I have tried Thru System Configuration --> ACS Certificate Setup --> Install ACS certificate --> Download certficate file In that i have mentioned the FTP server IP address, credentials, path and file name
But if i submit the request its giving the directory not found or credentials wrong.
In FTP logs its showing like this
Apr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 PASS welcome2acsApr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 230 User logged inApr 15, 2011 19:41:55 Session 4, Peer 10.190.249.40 FTP: Login successfulApr 15, 2011 19:41:55 Session 4, Peer
[Code].....
View 2 Replies
View Related
Apr 10, 2011
If I am to add the Self-generated certificate of my new CAS to my existing CAM's trusted certificate authorities list, will it just be added or will it replace the existing trusted certificate?
View 4 Replies
View Related
Apr 17, 2011
how to migrate the db from acs windows 3.3 to acs appliance 4.2.15.We are replacing win 3.3 to appliance 4.2.15 as a part of end of life. So we have the eap-tls/peap authentication.It has the huge records. So suggest me the steps to migrate the db from win 3.3 to appl 4.2.15.Do we need to upgrade to win 3.3 to win 4.0 to win 4.2 & then to migrate to appl 4.2 ?
View 4 Replies
View Related
May 23, 2011
I have an existing VPN tunnel from my branch office to corporate.I want to allow my employees to establish a VPN connection to our local branch office where we have a local server, and not go through the corporate office.Can I set up a direct VPN connection to my router/ firewall at the branch office, even when there is a VPN tunnel already connected between my office and corporate?
View 1 Replies
View Related
Mar 28, 2012
I have an existing wireless working network with WIN 7 - 2 laptops, two desktop PC's. Can I add a security code/password without setting up a new network?
View 1 Replies
View Related
Mar 7, 2011
I am forced to upgrade my ASA 5520 software from 7.1 - 8.2 or higher, as I am not familiar with ASA I need expert opinions.I have following concerns regarding the upgrade.
1-Do I need to worry about the software licensing when I download 8.2
2-I read about the few difference in commands (ACL and NAT) in 8.2 what exactly I have to do here should I change the configured NAT and ACL with real IP in the existing configuration after the upgrade ?
View 5 Replies
View Related
May 3, 2011
i have one asa 5505 that have classic remote access vpn set-up and now i need to add site-to-site tunnel on top of the existing configuration. Is that possible with asa 5505 and do i need some special IOS bundle for that? May i use vpn wizard for that or do i need to go through cli since remote access vpn is setup using wizard.
View 2 Replies
View Related
Aug 29, 2011
I try to configure PGM in my 2911 plattform but it was impossible. I tried with many 15.1 version that support this protocol.
Someone configured PGM over 2911 Routers? What does correct IOS for work?
View 4 Replies
View Related
Aug 18, 2011
Our client ( a webhost, they have a lot of servers ) has a an older Cisco Pix, everything works fine with the PIX. They have a Cisco ASA 5500 with ASA version 8.3 , to replace the PIX. Upon migrating the PIX config to the ASA we are running into issues with Dynamic NAT. The static NAT entries are working flawlessly (there is a lot of them), however when Dynamic is enabled for the remainging hosts, outside communication works then drops off. The remaining hosts need outside access for updates. We have access lists set up but I dont se ehow that could cause a problem when the original ACL's were working fine with the PIX, they have not been altered.
The NAT config may be wrong or cluttered, have a look at the full NAT config.
The static NAT addressing is the same, example 207.11.129.65 will equal 10.10.10.65
View 1 Replies
View Related
Jan 8, 2013
saw that we can secure ripv2 via authentication (simple and MD5) ,i undertand that simple is not quite secure because we can see the plain text when capturing RIP packets
however even with MD5 i can see the authentication data (output of MD5) and i think hacker can copy it and paste it in one RIP packet that he will generate !! isn't it ? so how much MD5 is secure ?
View 1 Replies
View Related
Mar 22, 2012
We have had an ASA5505 for close to two years. About a year ago, we added a second ISP ("BOB") which became our primary and our old one (SBC) became our backup. I successfully modified the config for this and it's been working well.
Now we're changing our primary ISP to Comcast and getting rid of BOB, so right now we actually have 3 ISPs coming into our building.
I removed the BOB interface and routes, then added an interface for Comcast using an IP address from the range they provided as well as a static route to the gateway they provided - everything is analagous to the previous interfaces and routes, but it doesn't work. If I physically disconnect the Ethernet cable going to the Comcast cable modem, then the ASA does fail back to the SBC interface as expected. If I put the BOB interface & route back in there, it works again through BOB.
If I connect a PC to the Comcast cable modem and use an IP/Gateway they provided, the Internet connection *does* work. Using this same exact IP info in the ASA doesn't work.
Is there some other configuration item besides interfaces and static routes that I should be modifying? Is there some way I can dig deeper into the ASA to see exactly what is failing?
View 2 Replies
View Related
Oct 23, 2011
I save the configuration in the ASA 5505 using write memory or using copy run start but whe i unplug the power cord and plug it back in the ASA gets its factory default configuration.. then what i do is a copy start run to get the configuration active..
View 2 Replies
View Related
Jul 3, 2011
I have got a working 5505 running 8.3.1 firmware and 6.3.1 ASDM.I have now purchased a second unit and ensured that both units are running the same firmware levels etc.
I have via the ASDM created a backup of the working units configuration, and now i want to load this configuration onto the second unit.I have connected the consiole cable up to the second unit and tried pasting in the contents of the configuration file but no joy.I want to ensure that my configuration will work on this unit before i configure the two units in Active/Passiove configuration.
View 1 Replies
View Related
Feb 15, 2012
I used my Pix config to setup the ASA 5505.Everything seems to be right. I used ASDM to view settings and it seems right. I am missing something minor, but I am going blind looking at it.
I can remote into the network from outside, but internatlly I cannot get out of network. No internet or email is passing through.
: Saved
:
ASA Version 8.2(5)
!
hostname textasa
domain-name testcorp.com
enable password 579oWRzSY5syo9yt encrypted
passwd 579oWRzSY5syo9yt encrypted
[code]....
View 5 Replies
View Related
Aug 21, 2012
i hav asa5520 i copying configuration from PIX to ASA5520 (7.2) everything working fine bt problem is that after sometime my DMZ interface losing connectivity ...
View 1 Replies
View Related
Feb 24, 2012
How to set upo configuration & Security after reset
View 2 Replies
View Related
May 18, 2011
i just deployed Cisco NAC version 4.8.1 Virtual Gateway OOB on a LAN envieronment and on a WLAN envieronment, it works fine for some users , they can authenticate via the agent or web page, and then they are redirected to the access vlan, But for some other users in LAN and WLAN , when they try to authenticate via agent or web page the following error appears:
Invalid switch configuration-OOB Error:OOB client "mac/ip" not found.
I tried to find some pattern for the users but it dont match any pattern.
View 14 Replies
View Related
Dec 19, 2012
I have a problem exporting the config from a 1112 appliance.It does not boot up properly. GUI logon and authentication is not possible.I can console and SSH to it but the only thing i get is the commands below and nothing else.Could not chdir to home directory /home/admin: No such file or directory
View 2 Replies
View Related
Jul 15, 2007
I want to put the asa5520 to the factory default please let me know how to do that. how to remove the configuration file from it.
View 5 Replies
View Related
Dec 6, 2012
I recently configured WCCP with a Sophos Web Filter on my network it works good but the problem I am having is I have two 5520s so I am directing the device to look at 2 different IP addresses and since the devices are in an Active/Passive failover. The problem is because the second device is in a passive failover it is not responding which is throwing connection errors to my Sophos device. I know you can have a single management connection for the ASA's but is there a way to have a single IP for the ASAs for the WCCP?
View 1 Replies
View Related
Apr 17, 2011
I'm having some issues configuring NAT statements on my ASA5505 which has recently been upgraded to 8.41.
I have a single dynamic IP on the outside interface of the ASA and would like all internal hosts to NAT/PAT to it. In addition, I would like to have several ports 'forwarded' to internal hosts, one of which is TCP/4343. With the current configuration all hosts are NATing to the external interface properly but the service running on TCP/4343 is not accessible from the outside. See command output below:
"sh run object" output:
object network DrJones host 10.81.220.90object network LAN-10.81.220.0 subnet 10.81.220.0 255.255.255.0
"sh run nat" output:
object network DrJones nat (inside,outside) static interface service tcp 4343 4343object network LAN-10.81.220.0 nat (inside,outside) dynamic interface
"sh run access-list" output:
access-list inside_access_in extended permit ip 10.81.220.0 255.255.255.0 anyaccess-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit tcp any interface outside eq 4343
View 6 Replies
View Related
Dec 29, 2011
I've noticed that many people have routers with NAT as part of their security configuration. What NAT is/does? Also, I entered the router's settings and went to Advanced > Firewall > NAT ENDPOINT FILTERING .There are 3 options specified for UDP/TCP Endpont Filtering; they are:
Endpoint Independent
Address Restricted
Port and Address Restricted
What are these options? I downloaded the manual for the router but it doesn't mention what NAT, Endpoint Independent, Address Restricted, and Port and Address Restricted are.
Side Note: I thought about setting up a secure connection using WPA2. Right not I'm using an unsecured wireless network. If I setup a new secure wireless connection using WPA2 will my current unsecured connection still be available?
View 11 Replies
View Related
Aug 2, 2011
security configuration of the 1410 bridge and on how to test the bandwidth/throughput between two 1410 Bridges setup for point-to-point connectivity.
We have setup this in one of our Client sites.
View 3 Replies
View Related
Jun 7, 2012
I have a problem exporting the config from a 1112 appliance. It does not boot up properly. GUI logon and authentication is not possible. I can console and SSH to it but the only thing i get is the commands below and nothing else.
login as: admin
admin@10.10.1.126's password:
Last login: Wed May 30 11:11:42 2012 from jsmith
Could not chdir to home directory /home/admin: No such file or directory
acs>
API called before initialised at V:ismg_israel_acsAcsEndPointCoreendpoint.cpp:395
Command Description
----------------------------------------------------
? List commands
exit Log off
help List commands
csutil -dumpadmin Dump Admin Audit Information
csutil -dumpgroups Dump Group Audit Information
csutil -dumpusers Dump User Audit Information
csdbsync -syncnow RDBMS synchronization
View 5 Replies
View Related
Feb 23, 2011
I need to estimate the installation and configuration time of Cisco NAC (NAC Network Module spare for 2800, 3800 ISR) and Cisco NAC Manager(NAC Appliance 3315 Manager -max 3 Servers. There is some Cisco tool to estimate the installation and configuration time?
View 3 Replies
View Related
Sep 8, 2012
I am implementing wireless lan controller for a customer's site. This site uses Cisco WLC2112 and AIR-LAP1041. I configure via start-up wizard and WLAN security configuration. The client joining via WLAN seems to work fine, able to browse Internet. But when adding a shared printer or sharing files, the machine's unable to find the computer name. When test pinging, it replies when pinging by IP only. This is not happened when using a LAN wire.
View 3 Replies
View Related
Jul 18, 2010
I'm trying to configure the NAC Profiler with a 3310 CAS Collector. In the "Edit Collector" menú, it shows all the modules as "Running", except for the NetWatch module which shows a state "Invalid configuration file (missingInternalAddress)".
I configured the eth3 interface of the CAS as a monitor interface in the Profiler (see attached image), and I tested that the SPANed traffic actually reaches that interface from the access switch. I'm using software version 3.1.0_24 in both the Profiler and the Collector.
View 2 Replies
View Related
Oct 2, 2012
I have connected a 10BaseT device to a CISCO Catalyst 3560xPOE switch with dynamic port security. All seems to work fine when the distance between the two devices is closer then 200ft. When I connect to 10BaseT devices farther out near 300ft the response from the attached device is lost. It works ok on unmanaged switches at the longer distance. Is there a minimum response time from attached devices for dynamic port security to work properly? Is there any other explanation why it would work on cheaper switches, but not on the Port Secured Switch?
View 2 Replies
View Related
Sep 12, 2011
I configurated Ipsec vpn at asa 5510. my inside ip 192.168.10.156my public ip: 85.x.x.xmy peer ip : 62.x.x.x
the project is that:
the remote site want the interesting traffic like that:
source ip 172.16.1.104 can access destination ip 10.0.154.27
My inside ip is 192.168.10.0/0 and i can not to change it 172.16.1.0/24 and i can not to add this ip at my network.
View 3 Replies
View Related