Cisco Security :: ASA 5510 Object-group And Range Option
Feb 6, 2013
I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups; the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 62.77.130.14 62.77.130.208.Both ASAs have the same image ver (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?
View 2 Replies
ADVERTISEMENT
Apr 7, 2013
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
network-object 192.168.0.0 192.168.63.255
?
network-object-group mode commands/options:
A.B.C.D Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.
View 5 Replies
View Related
Oct 29, 2012
We have Cisco ASA 5510, I am about to add another 2 Objectgroup network groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host xxx.xxx.xxx.xxx . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
Also are there any other things to keep in mind before i go-ahead with this huge object group?
View 3 Replies
View Related
May 16, 2011
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
my ip service object
object-group service g-as400 description access client 2 as400 machine service-object tcp-udp destination eq 397 service-object tcp destination eq 137 service-object tcp destination eq 2001 service-object tcp destination eq 3000 service-object tcp destination eq 445 service-object tcp destination range 446 447 service-object tcp destination eq 449 service-object tcp destination eq 5010 service-object tcp destination eq 5544 service-object tcp destination eq 5555 service-object tcp destination range 8470 8476 service-object tcp destination eq 8480 service-object tcp destination eq
[code]...
View 8 Replies
View Related
Feb 5, 2013
Any one know when object-group ACLs will be supported in cat4500 IOS-XE ?? Doesnt seem to be supported now.
View 1 Replies
View Related
Jan 2, 2012
In cisco router 2911 how to creat a network object with port permission on ACL. herz what i have done but couldnt succeed in port 22 and 24 should be denied and rest all port services are allowed to outside interface. [code]
View 3 Replies
View Related
Feb 16, 2011
I have two layer 3 switches C3560 and C3750 Cisco switches with ios version "ipservices-mz.122-35.SE5".Now with the current ios version, these layer 3 switches are not supporting object group.so my question is , do i need to upgrade the ios, for this feature, if yes, which version ?
View 7 Replies
View Related
May 2, 2011
I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?
View 5 Replies
View Related
Dec 31, 2012
Can i use acl object group with wccp redirect list?My platforms are 6500 and isr 2921
View 1 Replies
View Related
Oct 25, 2011
I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
Is there a way to do a similar thing on the ASA 5520?
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
View 1 Replies
View Related
Jul 20, 2011
I have an ASA5510 where I have defined object-groups and then associated them with a specific ACL. Our ISP is pulling their point of presence from where I live and I am force to move to a new ISP. I am in the process of setting up another interface for the ASA5510 to connect to the new ISP.
My questions is can I create a new ACL lets call it new_access_in and use it with the same object groups that I have already defined? I know that I can only have one ACL bound to an interface, and will bind this new ACL to the new interface I am setting up, but I wasn't sure if I could use the same object groups and connect them to a different ACL. I really don't want to have to create new object groups if I don't have to.
View 2 Replies
View Related
Jan 30, 2012
I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many nat translations through it. I have a group of about 100 IP's that need http/https/and sqlnet allowed through for our web farm.
I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists. Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
Do I have to create an network object for each and every IP i want to nat through?
View 1 Replies
View Related
May 9, 2012
I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.URL
Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
View 2 Replies
View Related
Jun 16, 2013
2504 wlc,When I open Controller and on the General page, if I make a change and apply it that change does work. But I get a popup message say Multicast Group address should be in range of 224.0.0.0 - 239.255.225.255.
Do I need to but something in there?
View 6 Replies
View Related
Dec 17, 2007
When ever I create a network object in ASDM 6.0(3) the UI also wants to send the command 'asdm location (network object IP address)' to the device.What is the purpose of 'asdm locaction ....'? Is it telling the ASA-5540 that the IP address is allowed to connect to the device using ASDM?If that is the case why does 'asdm location xxx.xxx.xxx.xxx'get denerated for every network object I create?
View 3 Replies
View Related
Aug 1, 2011
Does there are plans to include support AES256-CTR (vice AES256-CBC) in IOS code?
View 2 Replies
View Related
Mar 28, 2011
Our campus using WisM (WS-SVC-WISM-1-K9) as wireless controller , Cisco 1130 access point and Cisco Secure ACS 4.2 Solution Engine 1113 Appliance as radius server. For username and password, ACS will export the data from Oracle database (production DB). The problem that we are facing right now is password that store in oracle database is in encrypted format. Base feedback from our database administrator, the encryption is done by oracle - application layer and cannot be decrypt back. In Oracle they call it "Oracle Stored Procedures"
My questions :
1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
View 2 Replies
View Related
Dec 12, 2012
I want to disable the telnet option/feature on ASA 5510
i tried no telnet alone it wont work as i didnt configured any telnet at all.
View 1 Replies
View Related
Oct 20, 2011
I have two tunnel groups using WEBVPN , I have local users at ASA 5510 version 7.2.
How can I authenticate one user in only one group?Now with local users I can loggin in both tunnel groups
View 1 Replies
View Related
Apr 5, 2011
I can not have "dns server-group" on my asa 5510, could you tell me how to get this command in my ASA 5510.
View 3 Replies
View Related
Aug 8, 2006
ASA 5510 security plus edition will it support active/active failover. and does it support context with securiyt plsu edition. and how many default context do we get with asa 5510 security plus edition.
View 3 Replies
View Related
May 13, 2011
I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
and i have user around 20 user and i want to specific user to tunnel-groups like this
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01 password DDD01
So, How can i manag tunel-groups with user?
View 3 Replies
View Related
Nov 20, 2012
I have configured ASA 5510 With IPsec Remote VPN.With local database users(Users are created in ASA).
Internal network has 4 VLANS. Need solution for below.
There are 25 Users created in ASA. where only 5 tp 6 users wants to grant access to Particualr IP and Subnets and rest of the users can access entire lan.
Is it possible to configure Group policy in ASA for IPsec Remote VPN.
View 1 Replies
View Related
Apr 7, 2011
Last time, i´ve implemented a Remote Access VPN to my network with ASA 5510 I´ve allowed to my VPN an acces to all my Internal LAn But i want to configure a group of vpn in the CLI for have different group of user which can access to different server or different network on my LAN.
Example : informatique group------access to 10.70.5.X Network
Consultor group -------- access to 10.70.10.X Network
I need to know how can i do that , and if you can give me some eg script for complete this Here is my configuration :
ASA Version 8.0(2)!hostname ASA-Vidruldomain-name vidrul-ao.comenable password 8Ry2YjIyt7RRXU24 encryptednamesdns-guard!interface Ethernet0/0 nameif outside security-level 0 ip address X.X.X.X 255.255.255.X!interface Ethernet0/1 nameif inside security-level 100 ip address X.X.X.X 255.255.255.X!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 shutdown no nameif no security-level no ip address!interface Management0/0 description Port_Device_Management nameif Management security-level 99 ip address X.X.X.X 255.255.255.X management-only!passwd 2KFQnbNIdI.2KYOU encryptedftp mode passivedns server-group DefaultDNS domain-name vidrul-ao.comaccess-list 100 extended
[code]....
View 2 Replies
View Related
Nov 22, 2006
one of my router are scanned by Foundstone and get an alert :
""The SSH2 protocol specification requires that a SSH2 server support the diffie-hellman-group1-sha1 key exchange algorithm. This key exchange algorithm is considered strong, but faces a potential weakness in that the same prime number is used for all key exchanges."
SO wanna check if cisco SSH2 can support the diffie-hellman-exchange-group-sha1? If yes, which IOS version required?
View 2 Replies
View Related
May 16, 2013
I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPSec remote access VPN's, and the group-lock feature works fine.
WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing. From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.
View 4 Replies
View Related
Dec 13, 2011
I have seen a few of these 305005 threads and they're usually related to NAT and resolved quickly. I have poked around a little, but can't seem to get it right. I'm using the Real-Time Log Viewer in my ASA 5510 and see lots of these 305005 errors between VPN clients and a server. Packet Tracer says it's being stopped at the PAT_POOL dynamic traslation to pool 1. I'm not solidly sure of what to change. [code]
View 9 Replies
View Related
May 31, 2011
I have a 5510 with just a inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a No translation group found error.I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command global (outside) 1 interfaceglobal (inside) 2 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0.
View 3 Replies
View Related
Apr 8, 2011
can i have on asa 5510 multiple pools and multiple group authentication for various departments along with restricted access if any
View 3 Replies
View Related
Sep 11, 2012
We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some inquiry on how to have it configured properly.
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
My challenge is, we have several clients and all their usernames were created in ACS5.3. Meaning if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access the resources of each other. Also in the future, we will be deploying 2-Factor authentication for some of our clients.
View 4 Replies
View Related
Jan 10, 2013
I have seen many of these errors lately. We have just moved to a new office and I have basically only assigned a new IP to the outside interface.
[code]....
View 6 Replies
View Related
Aug 17, 2011
We have two Cisco ASA 5510 Firewalls at one site, and two non-Cisco firewalls at another. Both firewall pairs are configured for high availability (Active-Passive), and both have redundant links to the Internet via routers running HSRP. In the event that one of the Internet routers were to fail, we require the VPN to dynamically move from using the old path via the failed router to using the new router with minimal downtime.
I have been looking at using VPN load balancing to achieve this but the only configuration example I can find is for Cisco VPN Client url... Is it possible to define a static crypto map with the VIP of the load balanced group as the peer IP? So in the non-Cisco devices I will define the VIP of the load balanced group?
View 1 Replies
View Related
Apr 19, 2010
I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510
View 12 Replies
View Related
