I am installing a new 5520 with IPS for a client, and they were asking about the PCI compliance of the SSL(WebVPN) being self signed. I am not sure what document to find this information from under the PCI DSS. There was also mention about dual authentication being needed, but without seeing the actual requirements, I am just guessing at it.
What is required for making SSL PCI compliant.
Using LMS 3.2, I've started learning how to use the compliance templates.is there a regex to ignore case? For instance, if I have the line:
clock timezone est -5 in some configs, and
clock timezone EST -5 in others
is there a way to tell the template that upper case and lower case are acceptable matches?
During our recent VA we were told that the below vulnerabilities are exist in the ACS SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability on port 443
SSL Weak Cipher Suites Supported on port 2030
SSL Medium Strength Cipher Suites Supported on port 2030
I want to add the command "no logging event link-status" to all switchport mode access ports EXCEPT for the ones with the following switchport access vlans: 4022,4032,4042,4052,4072 & 4082. How do I create a compliance template to do this? LMS 3.2, RME 4.3.1
View 6 Replies View RelatedI am trying to create a very basic template in compliance manager that checks for interfaces that aren't members of specific VLANs. VLAN 10 being one of them. I want to match interfaces assigned to VLAN 20. According to the documentation I have read, the following range statement should work because 10 falls between 3 and 19:
Submode: interface [#.*Ethernet.*#]
- switchport access vlan [#[3-19]#]
With the preceeding statement, however, interfaces assigned to both VLAN 10 and VLAN 20 are matching the rule. With this specific rule (not a range), only interfaces w/VLAN 20 are processed by the template, which is expected. We actually have numerous VLANs that we want to exclude/include. I only mentioned VLANs 10 and 20 for brevity.
working with a trial version of Cisco Prime 1.2. I am looking for a Configuration Compliance tool. I used it in Cisco Works LMS - but I dont see a way to do the same thing with Cisco Prime.
View 1 Replies View RelatedI'm having a hard time getting Compliance Manager to accept a "banner login" command I'm attempting to use on 6500 IOS switches. I've edited the template, tried cut-&-paste, looked for the archive file on the server to directly modify it (without success), among other things. I have this feature functioning correctly on CatOS switches, but can't seem to get it properly set on IOS switches. What's the limit, as far as the template is concerned, on the number of characters with this type of command? Where are the archive configs located on the server; in the "shadow" directory?
View 1 Replies View RelatedI have a customer asking if Cisco supporst CISPR11 - Class B. All Cisco switches appear to support CISPR11 - Class A only. What is the difference? Is Class B supported?
View 0 Replies View RelatedWe use SecurityMetrics as our vendor for PCI compliance scanning. Of all our servers, only the video server fails their scan, and this is their result: "This scan is inconclusive. Though your server had open ports, we were unable to connect to any of them successfully. There is a high probability that some type of firewall or scan-detection software is blocking us from accurately scanning your server. Please configure any firewall or software that would interfere with our scans to allow all traffic from SecurityMetrics" Our streaming video server is our only public-facing server that has port tcp/udp 1755 open (for the mms protocol). All our other servers behind this firewall pass the test, but they only have standard email and http ports open. I am assuming that their scan of port 1755 triggers some sort of threat detection on the ASA. (I have "Basic Threat Detection" enabled only.)
View 1 Replies View Relatedi am currently trying to use LMS 3.2 Compliance management to verify and alter our access port configurations for 802.1x. Below is our current configuration
View 1 Replies View Relatedhow to check compliance for only one access list in cisco works.
Example:
I want to run a compliance template that only check access-list 13 to make sure it has the following and nothing else:
access-list 13 permit 1.1.1.1
access-list 13 permit 10.1.0.0 0.0.0.127
If something else is listed, then I'll deploy the template and it will remove any other entry besided the two above.
I have tried a Global config compliance on + access-list 13 permit 1.1.1.1 and it comes back and says it's not compliant and wants to remove everything else, which is every other access list. I have tried submodes thinking that it could check under ip access-list standard 13, but that didn't work either.
confirm whether the Catalyst 3550 with IOS Rel. 12.2(44)SE is compliant with POE IEEE 802.3af? I see some conflicting informaiton on Cisco's web site. Before Release 12.1(22)EA2, Catalyst 3550 PoE-capable switches (without intelligent power management support) caused high-power powered devices that supported intelligent power management to operate in low-power mode. Devices in low-power mode are not fully functional.
IEEE 802.3af—The major features of this standard are powered-device discovery, power administration, disconnect detection, and optional powered-device power classification. For more information, see the standard.
I'm trying to turn off SSH version 1 & 2 to pass PCI compliance. Problem is, I cannot touch the VPN link between the two offices. I'm afraid the PKI certificate used for the VPN will be deleted if i zeroize the RSA key which seems to be the only way to stop the router responding on port 22.
Here is the stuff from the running config related to the crypto map:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
[ code].....
I'm only CCNA so I'm not even sure if the certificate or RSA key is being used for the VPN link, but I can't tell from the running config that zeroizing it would be a good idea and not break the VPN. I'm open to other ways of disabling SSH, as we are able to just connect using a console cable. But it looks like denying port 22 with an access-list doesn't even stop the router from responding to the port.
I'm keep failing my pci compliance test I have a wrvs4400n and I keep getting "firewall udp packet source port 53 ruleset bypass" i've blocked port 53 but keep getting rejected. How to set the router?
View 1 Replies View RelatedIs the Aironet 1400 bridge FIPS 140-2 compliance? Based on the Release 12.3(8)JA, the Cisco IOS software release 12.3(8)JA is undergoing FIPS 140-2 Level 2 validation. Does it mean it is FIPS 140-2 compliance with this software level to run on Aironet 1400 bridges? [URL]
View 1 Replies View RelatedI am trying to get our internal network PCI compliant and when I run a network scan from securitymetrics.com I receive the following message about our RV082 router.
Synopsis : The remote service supports the use of weak SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. See also :[URL]: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium / CVSS Base Score : 5.0
I have been googling many different search terms for ssl ciphers, rv082, and pci compliance but didn't see any solutions to this. Any experience with ssl ciphers and how to use more secure ciphers? I just performed a firmware upgrade to 1.3.98-tm in hopes that it would fix this issue.
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
View 1 Replies View RelatedAfter having a hard time getting the VPN back to default, I logged into the ASDM and reset to factory defaults. After it reset, I logged in via the management port and configured everything to work. When I clicked on "apply", it gave an error saying that the inside interfaces, g0/1, IP address is on the same network as the management interface. When the ASA restarted, I am now unable to get into the unit via the management port or the inside interface.
I had set the management port to 10.0.1.254. WHen I connect an ethernet cable to it and place my mac on the the same network, I can ping the management interface, however I cannot SSH, Telnet or ASDM into it.
Here is the big problem, I don't have a console/rollover cable to connect to the console interface. Is there another way I can default the box? Maybe via the reset button on the back somehow? Or, is there a way to figure out the ip address of the inside interface? I'm assuming, since it did not take the IP I set, that it defaults to something right?
I cannot seem to ping between devices on two networks hanging off a 5520 unless I use the same-security interface command. I have the relevant ACL's set up between the interfaces, but it just doesnt work unless I have that command in - if I use that command, it bypasses the ACL.
Config
interface GigabitEthernet0/0.224
description NMS
vlan 224
nameif NMS
security-level 100
ip address 10.11.120.225 255.255.255.240[code].....
We are attempting to implement an ASA 5520 with a new ISP. Based on the limited routing needs, I believe we can use it as the router as well. I am familiar enough with routers, but the ASA is obviously a different thing.
The setup looks like:
ASA Version 8.2(1) !
host name Cisco
interface GigabitEthernet0/0description Internet name if Outsidesecurity-level 0ip address 69.XX.46.1 255.255.255.252 !interface GigabitEthernet0/1
description DMZnameif DMZsecurity-level 0ip address 69.XX.56.1 255.255.255.240
!interface GigabitEthernet0/2description Localnameif Insidesecurity-level 15ip address 10.0.XX.XXX 255.255.252.0
[Code] .....
1) Outside 0/0 connects to MRV from service provider (Public)
2) DMZ 0/1 connects to outside switch with servers (Public)
3) Inside 0/2 is LAN (Private)
A) Based on a completely default config and aside from setting the routes to send traffic from inside to outside, and outside to DMZ, what is the next step?
B) What should the interface security levels be, I am unsure what they should be or why...?
Based on the initial config with interfaces set as above, I cannot move traffic through.
I got a VPN request form from one of our partners. On my side I have one ASA 5520 running 8.0(3) On their form, It says that their endpoints are two boxes, sitting on different cities, It also says that there is only one encryption domain, (actually just one IP) that I need to speficy on the VPN setting. It looks like they mean that you could access the same encryption domain from any of the two Boxes in different cities. This is strange to me, since every time I have set up VPN before, each endpoint has their own encryption domains.I never seen two enpoints with the same encryption domain behind, so Im confused wether it might be a mistake on their part, or this is expected.
View 1 Replies View RelatedIs it possable to use rsa token on the ASA without setting up any other server just using the ASA, out clients use the cisco vpn client version 5.0.07.0290 and IOS 8.3(1), How would this be done?
View 3 Replies View RelatedI am trying to configure a SSL VPN on a Cisco ASA5520. Unfortunately the port 443 of the OUTSIDE interface of ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me to use the public IP of the ASA as Cisco VPN ip address for the webpage. I don't either want to use a different port so to keep life easy for the users.I have some public IPs available that I can use so I wanted to use one of them instead of the ASA's OUTSIDE interface.
View 7 Replies View RelatedI have connected an ASA 5520 firewall DMZ to SERVER (17) vlan in core switch and INSIDE is connected as trunk to the core switch (including vlan 15,18). now the management ip of the switch is 10.xx.xx.126/25. and the other vlans are showing "administratively down"..but if I enter to any of the other vlans and do a "no shut", that particular vlan wil go UP but the other 2 will go down..means only one vlan become up at a time.
View 4 Replies View RelatedCan i use at one site ASA 5520 and another site Router to configure VTI tunnel with OSPF routing?
View 1 Replies View RelatedI have an iPAD. It connects to my ASA5520 via IPSEC. When it connects it gets an IP address from the ASA but it does not get any of the other stuff. Specifically the DNS suffix. How to correct it?
View 3 Replies View RelatedI have a L2L VPN tunnel on a Cisco ASA 5520 that I'm trying to get RRI to work on. On my cryptomap ACL I have defined a local object-group and a remote object-group, and I'm performing one-to-one NAT on the local group. I also have a route map configured that will take the static routes and redistribute them into my EIGRP AS. Two things I've noticed -1, I'm not seeing any static routes on my ASA that point to the remote subnets, and 2, the ACL that I've used in my route map definition is not getting any hits on it.
View 2 Replies View RelatedI'm trying to setup a tunnel from our Cisco 5520 to a 5550 using one of our external ips natted through this tunnel. For some reason traffic that should hit this tunnel goes through global nat. Here is the configs I have for this tunnel:
access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4
[code]...
If I ping 1.2.3.4 from a inside ip host I see in the logs that it uses 66.77.88.136 as the NAT and not 66.77.88.170. Do you see something wrong with this configuration?
I'm currently running 8.3(2) on my 5520s in an active/standby config. The 5520s have the 2GB RAM upgrade and 256MB flash card. Are there any CPU limitations in going to 8.4? I read the release notes but didn't seen anything about CPU. I heard through the grapevine that a 64-bit processor may be needed. We currently have the Pentium 4 Celeron 2000 MHz CPU.
View 1 Replies View RelatedI have connected an ASA 5520 firewall DMZ to SERVER (55) vlan in core switch and INSIDE is connected as trunk to the core switch (including vlan 66,77). now the management ip of the switch is 10.xx.xx.126/25. and the other vlans are showing "administratively down"..but if I enter to any of the other vlans and do a "no shut", that particular vlan wil go UP but the other 2 will go down..means only one vlan become up at a time.
View 1 Replies View RelatedI have a 5520 VPN that is otherwise correctly configured for access (so I would say). It is in test (external IP x.x.x.10/22) running parallel on an external switch to a Check Point (x.x.x.4/22) that is the live setup.
I can tunnel consistently to the outside interface on its external IP from inside the network, which is probably natural since I'm inside the network making the attempt; however...
When attempting connection from somewhere outside the network, I generally do not get response from the device. If I connect/disconnect from the Check Point VPN first, then I can subsequently get a connection to the ASA. I did actually have one instance of non-massaged connectivity to the ASA, but there was nothing that I did in the configs that would allow me to claim credit for that instance.
So here's the question: Is there a timeout setting that makes the outside interface go to sleep or something? I'm still at the developmental stage where settings that would be obvious trip me up for hours. I verified the routes. the timeout configs are below; I believe they are all default..
arp timeout 14400
!
timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00
I have setup IPsec remote vpn users into the Cisco ASA 5520 using Radius into my main network. Works just fine. I have site to site tunnels from my Cisco ASA5520 going to other sites, some of the tunnels have Cisco ASA and some have SonicWalls. I would like my IPSec remote VPN users to be able to traverse into those site to site tunnels to access the remote subnets attached to those tunnels. Do I need to use a combination of routing and ACL's? Or do I just use ACL's only? Or do I just use routing only?
View 2 Replies View RelatedWhen I try to put my ASAs in active/standby config here is the error I get.Warning: Failover message decryption failure. Pleas make sure both units have the same failover shared key and crypto license or the system is out of memory.
View 1 Replies View Related