Cisco Security :: SSH V2 Support Diffie-hellman-exchange-group-sha1?
Nov 22, 2006
One of my routers was scanned by Foundstone and got an alert:
"The SSH2 protocol specification requires that a SSH2 server support the diffie-hellman-group1-sha1 key exchange algorithm. This key exchange algorithm is considered strong, but faces a potential weakness in that the same prime number is used for all key exchanges."
So I want to check whether Cisco SSH2 can support diffie-hellman-exchange-group-sha1. If yes, which IOS version is required?
May 29, 2013
I am trying to issue the command "ssh key-exchange group dhgroup14" on several of my ASA firewalls. The key-exchange command is failing on 3 of 4 ASA firewalls. According to Cisco documentation, this command was introduced in 8.4. My ASAs are running version 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2. The command is available only with 9.1.2.
Example from one of my ASAs.
lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh
[code]....
Dec 26, 2011
Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)? OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?
Mar 11, 2013
I would like to ask whether SHA1 signature algorithm is available for FWSM. We use FWSM code version 3.2(22) in our production network where only MD5 signature algorithm is available. There is a need to upgrade to stronger algorithm SHA1. From my experience I know that this is possible on ASA firewalls running on 8.4. codes. Certificates generated on code 8.4. automatically use SHA1 with RSA Encryption.
Is it possible to have Signature algorithm SHA1 on FWSM? If so, in which code version?
hba-pf-a# sh crypto ca cert
Certificate
Status: Available
Certificate Serial Number: caf44050
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
[Code] .....
Feb 6, 2013
I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups, the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 62.77.130.14 62.77.130.208. Both ASAs have the same image ver (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?
Dec 13, 2011
One of my clients wants to upgrade its already installed ASA5540-bun-k9 by adding a CSC-20 module. As per the link below, CSC-20 is supported with the ASA5540, but for some reason the ASA5540 bundle option with the CSC module is not available, which creates confusion. Will the CSC-20 module work with ASA5540-bun-k9? [URL]
Apr 19, 2011
My company has started the migration from Windows 2003 to 2008 R2. Will my ACS Express boxes (currently running 5.0.1) ever have an upgrade option to work with 2008 R2? Do I need to trash the ACS Express appliances for some other solution?
Nov 18, 2011
I have an ASA 5505 adaptive security plus, and I have only 3 VLANs: outside, inside, DMZ restricted. So it's working fine, but I want to connect another private network to my inside, or do I need to buy a license? And how can I activate the license key?
Jan 25, 2012
I have a new BGP configuration that consists of two ASA 5510s and two 2911 routers at the back. My question is: does the ASA 5510 support BGP?
Apr 20, 2011
Which IOS version of the 3560-X switch supports NAC-L2-IP?
May 17, 2012
We have installed NAC for our customer and it works fine, but the customer wants to change the version of Kaspersky antivirus from 6 to 8 Endpoint Security. When we tried this, the NAC agent did not find the antivirus on the workstation. I want to know if this version of Kaspersky (Endpoint Security) is supported by NAC; if not, is there a solution to make it work with NAC?
Jul 31, 2012
I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
Apr 26, 2011
Just want to check: do non-Microsoft client OSes (example: MacOS, Ubuntu, Android) support AnyConnect v3.0? And also, if my RADIUS server is hosted using the Windows Server 2008 Network Policy Server (NPS) component, can this do the 802.1X authentication?
Feb 12, 2004
I want to know if the new Catalyst 3750 supports Private VLAN,
or any other small switches?
Jan 6, 2013
I recently got a refurbished external (USB) wireless adapter by Netgear. It's the WNA3100 but who knows what they did to it while refurbishing it.
I tried using it to connect to the wireless network at my university, and I got the above-displayed error. So what's the deal? This RADIUS thing is not a new technology, right? So any modern wireless adapter should be able to handle it. Why would this thing not support it?
Secondly, if it doesn't work, that's alright. I need a second wireless adapter anyway, so I could use this one at home where the RADIUS thing is not an issue. But how do I make sure this does not happen again with another one that I buy? I can't seem to find anywhere in the specs anything about this compatibility. For instance, I believe I want to get this one next: URL
Dec 17, 2012
Is it possible for the Cisco 1941 security bundle router to support a minimum of 2k VLAN IDs, and shall it support up to 60 VLANs?
Aug 7, 2012
I have a customer that wants to purchase an ASA 5510 security plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy, which leads me to suggest a CSC SSM 20 plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangeably.
1. What would you suggest, in your expert opinion, would be the best module to get for this customer? IPS or CSC?
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. Does the CSC module provide any web proxy functionality?
Apr 13, 2013
I am new to Exchange Server 2007. I want to know whether, in order to implement Exchange Server, I need to register a domain name like [url]..., or whether an FQDN of Active Directory can work. Is it compulsory to register a domain?
Nov 7, 2012
I have Exchange with an NLB cluster.
I want to PAT the cluster IP to access email from outside. I know I can add the static ARP entry for the multicast cluster IP.
My question is: can I add a static NAT command to that same cluster IP for ports 25 and 443, the normal way we do for normal PAT?
Oct 23, 2011
I have a problem with Cisco WLC 2106 (SW: 7.0.98.0) and LAP1262. The client roams to new AP, associates with the new AP and authentication (WPA2 with EAP-TLS) runs fine until WPA2 key exchange.
The first WPA2-Key-packet from the AP (1 / 4) is sent twice. On a closer look at those packets with Wireshark, I've found out the first is encapsulated into an 11n frame (A-MSDU). The resent frame isn't. This figure shows the first WPA-Key-packet:
The next figure shows the 2nd key-packet, without 11n encapsulation: The problem that occurs is a very long roaming time of about 5 seconds. As you can see in the second figure, the second WPA key is sent 5 seconds after the first.
Some details:
Client: Tablet PC with Intel 6230 agn
Controller: Cisco WLC 2106
AP: LAP 1262
Controller SW: 7.0.98.0
Encryption: WPA2-AES
Authentication: EAP-TLS
This problem occurs just on 5-GHz interface with 40 MHz channel bandwidth.
May 1, 2012
How do I associate an AD group, which I have defined in Users and identity stores/external identity stores/Active Directory/Directory attributes, with the relevant identity groups in Users and identity stores/identity groups? Is there an example of this being done somewhere, as I am having problems understanding how to do this from the user guide? All I want to do is associate identity groups with AD groups.
May 2, 2012
I'm looking for an online-service, where I can share files. Something like a forum, but not to text, but to share files (mostly MS office files). Main criteria are:
1) Access only by an account created by the admin (--> limited amount of members)
2) possibility of moderation through admin (meaning that I can determine who can access which folders, who can upload/change/delete files). Something like OLAT, moodle, or blackboard, for those who know, only smaller. Would I need to create something new or is there some service already existent, where I could rent space?
Mar 3, 2012
We use Microsoft Exchange for Outlook. I want to know which ports are being used by our Exchange server to receive and send emails. Is it possible to check that?
Sep 7, 2012
We started out by switching them over from a normal POP server email service through Outlook and getting them onto Charter hosted Exchange. However, after getting them all set up, we had intermittent connection problems keep occurring. Here is what I know so far:
-the problem is with their network for sure
-re-imaged computers and reinstalled office
-any connection to exchange.charter-business.net is intermittent from their location only.
-replaced modem, router, switch
-tried different DNS servers, same problem
-used their DNS servers from another location, no problem connecting
Once we replaced their switch, the problem morphed a bit. Now, one of them can be connected at any given time without having problems. However, when the other tries to connect, they can't get through. E.g, if user #1 closes outlook, user #2 can now connect without problems.
Sep 11, 2012
Add static route for new exchange server?
Feb 26, 2013
We have the following setup on our Cisco ASA version 8.6.1: a one-to-one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node from the cluster, but when the cluster fails over it caches the IP address and does not update to the new MAC. So users from the outside are unable to connect to the new node from outside the ASA, as the MAC address from the passive node is in the MAC table. The MAC address on all the switches updates within 2 seconds on the internal network and users don't notice any outage.
Aug 16, 2011
We have an ASA5510 with a webserver in the DMZ network 10.2.2.0/24. We now want this web server to be able to access the Exchange server in the Inside network 10.1.1.0/24. I researched this and it seemed straightforward according to the Cisco document below:
[URL]
I'm looking to do this with smtp so I added these lines to the config:
static (inside,DMZ) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
The configuration line: access-group DMZ in interface DMZ already existed in the configuration, so it didn't need to be re-entered.
ASA Version 8.0(4)
!
hostname xxxx
domain-name xxxx.com
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
[code]....
Sep 10, 2011
I am getting the following flooding the logs on my RV220W (IP Address replaced with X.X.X.X)
2011-09-12 00:58:54: [rv220w][IKE] ERROR: Invalid exchange type 243 from X.X.X.X[500].
2011-09-12 00:58:54: [rv220w][IKE] ERROR: Could not find configuration for
[Code].....
These are all coming from the same IP Address which is running Windows 7 Enterprise X64 using a WIRED connection.
Dec 8, 2011
I am tasked to configure an ACE 4700 for SLB. This has been done and is working. I am also further tasked to create a secure communication between the ACE and the Exchange server. I need the breakdown of steps required to import the certificate from the Exchange server, and how to verify that things are working.
Jan 16, 2013
I need clarity on IKE version 1 with aggressive mode. I assume this is used for remote site VPN and not for site-to-site VPN.
Correct me if I am wrong, and also share your inputs on this.
I also require inputs on disabling it in a Cisco 3800 series router.
Oct 20, 2011
I am trying to configure the NLB multicast for Microsoft Exchange. The moment I enable the NLB, my core switch 6509 CPU reaches 100% and the whole network goes down. [code]
I think I am putting in the wrong command. I am not able to see the disable-snooping in the 6509 switch.
Jun 1, 2011
How to uninstall exchange server 2003 from domain controller?
Aug 28, 2012
Currently, my company runs a DC and exchange server in the building. It is also hosting our website with IIS7. All AD users currently have @company1.com.au email addresses. We have just started an off shoot company and would like to setup emails in exchange so that we can automatically assign and manage emails on the same exchange server. so that each user has What is the best way to do this? At the moment, company2.com - company is hosted outside with someone else. Is there a way that he can direct the mail to us so that he hosts the website but we host the email server?