Cisco WAN :: ASR1002 Running SubPackages And IOS Vulnerability?
Apr 19, 2012
We have ASR1002 routers configured to run individual SubPackages, at this point everything is operating without problems. We just received a Cisco Security Advisory informing us SSHv2 is vulnerable in our version of router code. We have to upgrade to the recommended stable release, so we downloaded, installed and expanded the IOS to expose the SubPackages on the ASR routers' bootflash.
Since we are running SubPackages, do we need to upgrade all SubPackages (i.e. complete IOS upgrade) or can we just upgrade the vulnerable SubPackage? How do you determine which SubPackage contains the SSHv2 application?
Dec 9, 2012
If SSH v1 is considered vulnerable, why is it still enabled by default on the ASA 8.4? What is the vulnerability impact of using SSH v1 on an ASA?
Feb 20, 2013
Faced this recent vulnerability?
[URL]
My understanding is that for ASA 8.4.1 and prior, there's a vulnerability that opening many ssh sessions and one of them times out, the firewall crashes!
As we have many customers with ASA using 8.2.5(26) (for example), I'd like a confirmation that for fixing that bug I need to upgrade my ASA image to at least 8.4.x. In that case, I believe that all the former firewall configuration must be reviewed because the 8.2.x version has many different commands than 8.4.x (for example, NAT).
Mar 16, 2012
I would like to perform a vulnerability scan on a Cisco switch and router. Is there any free vulnerability scan tool recommended for Cisco devices?
Jul 19, 2012
I had a bad experience with a Switch 3750-X. Because of a security auditing process, my customer ran a software called "Nessus" to do a vulnerability scan on the network. When this software is pointed at the switch, the process of the switch will go next to 100% and reset. The software only does a listening on the ports to see what ports are open and the switch should not reset because of this. Below is the log of the switch at the moment of the test; we note that the 'HTTP' process rises moments before the switch resets. I disabled the HTTP service on the switch but the problem persists. The test was made with only one machine connected to the switch.
Feb 28, 2012
I am using the asa821-k8.bin image in my Cisco 5520. How can I check if my IOS is vulnerable?
Oct 10, 2012
We had a PCI security audit of an existing VIP on our ACE 4710. The VIP is set up as HTTPS terminating on the ACE with an HTTP redirect for all 80 traffic. The audit reported this VIP was vulnerable to the Cisco "IOS HTTP Authorization Vulnerability", which basically states that HTTP management is on this IOS device. It does not make any sense, as the VIP is pointed to a pair of IIS servers?
[URL]
Feb 16, 2011
Nature of the vulnerability that FW 1.31 is said to correct?
Jan 4, 2012
I have a DIR-600 C1 running the latest available firmware version (3.03).
Model: DIR-600
Hardware Version: C1
Firmware Version: 3.03
WiFi Protected Setup is turned ON. I would like to know if it is affected by the newly disclosed vulnerability described here: [URL] Also, turning WiFi Protected Setup OFF may not assist to mitigate this vulnerability?
Apr 14, 2013
Apparently there is a vulnerability issue which was just discovered with the TP-LINK TL-WR841N wireless router running firmware version 3.13.9 Build 120201 Rel.54965n and below, as described here: [URL] and here: [URL]. Is the latest firmware 3.13.27 Build 121101 Rel.38183n already addressing this issue, or is there any other planned correction expected to address this vulnerability issue?
Jun 11, 2013
I have 30 switches in my corporate network. It's all up and running; all switches are running the default configuration and are connected to a WS-C4506 core switch. Our DHCP server is pooling the 192.168.100.1/27 network. Now we need to configure a new VLAN for the finance department; this department has more than 200 users. If my server distributes the 192.168.200.0 range, can vlan2 automatically assign 200.0 addresses to the finance department? All switches are running the default config, with no IP address assigned.
May 7, 2013
I need to replace an existing ASA 5540 with a new ASA 5525X. I would like to pre-stage and configure the new box with the existing config, migrate the license and export certificate files before swapping it with the old one during a change window. The new firewall will run 9.1 on deployment. Now the same 7.2(4) config cannot just be copied over to the 5525X running the minimum 8.6 version. There is a web-based tool available at [URL] according to Cisco documentation, but the page does not load for me (Cisco intranet only tool?). Is there another tool for automatic conversion?
Apr 9, 2011
I was informed by a co-worker that there is a security vulnerability with the local certificate authority in the ASA running 8.3 code. I've looked through the security advisories and haven't been able to find anything about this. Was this just a misquote or am I missing the security advisory release?
Aug 25, 2012
I am going to configure NAT on an ASR1002 and am expecting to have about 1 million NAT translations. Will the ASR1002 support 1 million NAT translations? How many NAT translations are supportable on the ASR1002? I am going to configure NAT on ASR1002-5G/K9 and have FLASR1-FWNAT-RED.
May 29, 2013
Right now I have an ASR1002 running a very old IOS version. Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XNE, RELEASE SOFTWARE (fc1) asr1000rp1-ipbasek9.02.05.00.122-33.XNE.bin – 25-NOV-2009?
I am looking to upgrade to a newer version. I was wondering if there are any tricks when upgrading this IOS. Is it as easy as loading the IOS onto the ASR and then changing the bootpath, or is there an upgrade path I must follow? Also, would there be any need for a licence between 2.x and 3.x?
Jan 27, 2011
The loopback of the ASR1002 is 2.2.2.2. When I use a browser to access it, I got the authentication dialog box asking for username/password. I input the information and submit. But authentication box comes back again and ask for the username/password.
The username/password is test okay. But somehow, the web GUI just does not use it.
Feb 5, 2009
Is the GLC-LH-SM SFP compatible with the ASR1002 and how does it differ from the SFP-GE-L adapter?
Mar 11, 2012
We have an ASR1002 with asr1000rp1-adventerprisek9.03.05.01.S.152-1.S1.bin software. I couldn't find any documentation on how to attach an L2 interface, in my case a subinterface with a single dot1q vlan, to a BDI interface. I'm able to create a bridge-domain interface but it's down down. The command bridge-domain on the subinterface url...
Aug 17, 2011
I'm aware ACL's are handled in hardware on the ASR platform but wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR, I can't seem to find a command to do this.
Using LOG is not possible due to the large number of hits.
Jun 25, 2012
One of our customers just purchased an ASR1002 router. They have three internet links from different ISPs and they don't have any remote site; they have three different public IP pools from their respective ISPs. So, is it possible to load balance the internet traffic using all three links on the Cisco ASR router (IOS - Advance Enterprise Services)?
Oct 14, 2012
We have a Cisco 7206 router which is going to be replaced with an ASR1002 router. The 7206 has some interfaces in a BVI group, the config of which I am trying to translate over into IOS XE (which runs on the ASR1002). How do I translate this config from IOS to IOS XE?
Oct 18, 2011
We are having an issue with a flapping BGP peer. We have an ASR1002 as Route Reflector and it works fine with all peers except 2 peers.
Apr 6, 2013
I'm trying to create a VPN between a Cisco ASA5510 and an ASR1002 when my Loopback interface is the source IP. [code]
Oct 23, 2011
What command is required to configure IP accounting on an interface?
I would have thought that what is required is, on the interface, to turn on IP accounting, i.e.
int gi0/0/0
ip accounting
However, there is no ip accounting command within the interface. We are running Version 15.1(1)S2.
Dec 27, 2011
During the IOS boot we found the error messages below. How can I clear these messages?
Missing or illegal ip address for variable DEFAULT_GATEWAY Using midplane macaddr
Missing or illegal ip address for variable IP_ADDRESS
Missing or illegal ip address for variable IP_SUBNET_MASK
Jun 19, 2011
I've inherited a project building an internet connectivity solution for a large corporate. It has its own AS and its own PI space. They are putting in 100Mbit connections from 5 different Tier1's , taking full internet routing from each. Cisco ASR1002's have already been specified and purchased for the job. I'm not familiar with the ASR platform at all - is it up to the job with full routing tables? multiple instances of full tables ? (not likely to put all 5 into one box!)
May 31, 2012
We are using an ASR 1002 for dynamic NAT (with route maps). I have a problem with the usage of the NAT pool itself. The total NAT translations for the pool are:
#sh ip nat stat
[Id: 1] route-map natted-host-01 pool nat-pool-01 refcount 136
pool nat-pool-01: netmask 255.255.254.0
start XX.XX.202.0 end XX.XX.203.255
type generic, total addresses 512, allocated 88 (17%), missee 0
If I now look into the NAT translation table I get fewer entries:
#sh ip nat translations filter map-id dynamic 1 total
Total number of translations: 43
Only a deeper look into the QFP gives the right values here:
# sh platform hardware qfp active feature nat data
The output count matches the values I get if I issue a sh ip nat stat.
My question is how it is handled internally.
We also have a problem with rising usage of the pool over time. Once allocated, pool entries are not released after a period of time, and no NAT translation occurs for those used IP NAT pool addresses.
The timers on the device are set:
ip nat translation timeout 300
ip nat translation tcp-timeout 900
ip nat translation pptp-timeout 900
ip nat translation udp-timeout 120
ip nat translation routemap-entry-timeout 900
ip nat translation max-entries 750000
Aug 15, 2011
I am trying to bring up a couple of ASR's. They are fitted with SPA modules (SPA-8X1GE-V2). These have SFP modules GLC-T fitted into them. For the life of me I cannot get these ports to come up. If I have a look at the inv the SFP's show as GE-T's (physically they are GLC-T's)
Is there a compatibility problem with these GLC-T's on ASR 100x?
Jun 13, 2013
We are testing an ASR1002-X which acts as LNS for L2TP tunnels.
- All tunnels are UP (sh vpdn all return list of tunnels)
- VirtualAccess interfaces are UP
- C routes are added in routing table
but ping remote IPs don't work !!! [code]
Sep 5, 2012
I am trying to configure the NetFlow Top Talkers function on an ASR1002 with ADVENTERPRISEK9-M, Version 15.2(4)S. With this new Hardware and Software I am surprised to see that the command:
ip flow-top-talkers
top 50
sort-by packets
cannot be found on the CLI - it's just not there.
Jun 30, 2011
I have recently purchased ASR1002-RP1-ESP5 with 2 x 4K Broadband licenses to be used as LNS. Cisco have sent me PAK files for the licenses however when I try to enter the licenses into the device I get an error message saying that Licensing is not supported on this platform.
Any experience with this platform and installation of the broadband licenses?
When I spoke to Cisco TAC they told me that for this particular model the licensing is on "trust" basis where you buy license and do not install it on the actual router - similar to what 7200 used to do.
Aug 30, 2011
We recently purchased a Cisco ASR1002 router with four on-board Gigabit SFP-style Ethernet ports. However, when I do a "show ip interface brief", I see that there's an extra Gigabit Ethernet port. See the last interface in the following output:
ASR_1002_router#sh ip int b
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES manual down down
[Code].....
On the router itself, in addition to the four Ethernet SFP ports, there are four additional RJ-45 ports. They're labeled "BITS", "MGMT", "CON", and "AUX". I know what the Con and Aux ports are, but what are the Bits and Mgmt ports? And is one of them the Gigabit Ethernet interface that I see listed at the bottom of the output? And if it is, is there anything special about it, or is it just another routed Ethernet port? Can I do something special with it, like out-of-line management?
Jun 13, 2013
We are testing an ASR1002-X which acts as LNS for L2TP tunnels.
- All tunnels are UP (sh vpdn all return list of tunnels)
- VirtualAccess interfaces are UP
- C routes are added in routing table
but ping remote IPs don't work !
LNS1# sh ver
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
[Code].....