Me to a 2951 router with fireawall featureset. Ive begun to move the ACLs that where in the pix. However some of the rules are allowed to be typed in bur when i look at the ACL afterwards they are not what i typed in.
View 2 RepliesI need to redo the configuration on the new one?
View 11 Replies View RelatedI need to move from ASA 8.4(1) to 9.0(2). Reading [URL] it seems to be a quite safe upgrade cause I do not have IPv6 ACL and I have only IKE v1. The following is not very understandable to me,No Payload Encryption for export—You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:
#
–Unified Communications
#
–VPN
#
You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filer (which uses SSL) and redirect traffic to Cloud Web Security. Reading [URL] under 'Limitations and Restrictions' I find this point moving to 8.4(2), which I also dont understand,Currently in 8.4(2) and later, the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT. For example, if you enter the following twice NAT command that configures a PAT pool (object2) for fallback when the addresses in object1 are used up, you see the following error message:
hostname(config)# nat (inside,outside) source dynamic any object1 pat-pool object2
interface round-robin
ERROR: Same mapped parameter cannot be used to do both NAT and PAT.
ERROR: NAT pool allocation failed.
You can alter this command to make it PAT-pool only by removing object1; the PAT pool is used as the primary method, instead of as a fallback method:
hostname(config)# nat (inside,outside) source dynamic any pat-pool object2 interface
round-robin
(CSCtq20634)
Is there any other point I need to consider moving from ASA 8.4(1) to 9.0(2)?
Is a protocol inspection or something like it that allow MSDTC flows avoiding to open a backward rule will all ports?
I have for FTP and other protocols as ICMP too but MSDTC ?
I have a customer moving from a 5505 to a 5510. They are currently running websense express, which monitors and filters traffic based off of a port mirror on the ASA. Can this function still be performed on the ASA5510? If so, I am having trouble figuring out the method.
View 6 Replies View RelatedI am confiuring ZFW on a Cisco 2951 Router. The router has the following interfaces: [code]Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.The router is connected to a MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an ecrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
1-The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
2-The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.
I need your opinion regarding moving of IDSM -2 and FWSM Module from 7613 to 6513 chassis.Currently these two modules are in 7613 and we are not using either of them now we have to configure them in 6513 chassis. As you can see from the figure that traffic of all 3 core router i.e 7613 go to 6513 - to proxy ISA 2004 - 6513 - to Internet.
There are also some network attached with 6513 and we want to move both of modules to 6513 so that NetworkA/B/C/D/E which are attached to 6513 can also be configured for FWSM and IDSM -2.
I have a query regarding this migration:Do we need license for these two modules again for 6513 chassis?
I recently installed a 2951 with a security plus license..I hate it (security featuers not router) and would like to put the asa back in place.how to integrate the asa with the 2951, I believe I need to run it in multi context mode.
View 3 Replies View RelatedI've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...
I have an Pix 515E firewall with Pix724-33.bin IOS. I just want to know that does this IOS support SNMPV3 or I will have to upgarde it with some other version.
View 1 Replies View RelatedIve got a problem with passing traffic through a Cisco 515e firewall.im trying to telnet to devices on the inside net, 172.16.x.x fom an outside net 10.x.x.x? ive configured a group called infrastructure and added the 10.x.x.x addresses.ive configured acl 101 inbound on the outside interface:
access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
theres a route to the inside net:
inside 172.16.0.0 255.255.0.0 172.16.163.1
and theres a translation:
static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255
when i try and connect, using a packet capture I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface but i cant see the traffic leave the outside interface ive used the same group infrastructure group before to connect to VM machines on the 172.x.x.x net on RDP and this wrks ok. access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
Here's the configuration:
PIX Version 7.0(1)
firewall transparent
names
!
interface Ethernet0
[Code]....
I have a Cisco 2951 Router on which I configured routes for Zone-Based Firewall. I have a FTP server inside my network and I have allowed hosts from the internet to connect to it through the router. They, are however not able to connect or they are connecting but they cannot transfer files. I checked the logs on the router and the error message is as follows:
%FW-6-DROP_PKT: Dropping tcp session xx.xx.xx.xx:21 xx.xx.xx.xx:21766 on zone-pair ccp-zp-out-in class FTPInbound due to Invalid Seq# with ip ident 0
What is the best way to deploy the IOS firewall feature?I have a Cisco 1841 router running 12.4.
View 4 Replies View RelatedI have Pix firewall 515e on inside interface its has configured with IP 192.168.0.254.And Global Nating is configured.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
I want i configured Global nating only for only specific IP address E.g 192.168.0.0-192.168.0.30 and 192.168.0.200-192.168.0.254?How i do this?
I have the following network.2 WAN links termination on my PIX 515e and all internal users connected to third interface.
Problem I am facing is that I have assign manual IP to users with some have full access to Internet while others have limited.
The users are changing their IP address while others are offline and I want to restrict them.
The only way I can think off is by binding IP to MAC as e.g ( Active wall software). But can it be done on PIX 515e and if so how?
I have erased the Cisco image from my PIX 515E, and while i tried to load a new image its asking for activation key. I tried its old key. but no use.
View 1 Replies View RelatedI have a PIX 515 Ewhich does authentication for SSH via RADIUS protocol and fails over to the local database if radius server goes offline. But when the radius server comes back online, authentication still takes place through LOCAL and not the radius server. Following are the commands:
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
[Code].....
\I just configure my PIX 515E with version 7.0(4) and having problems to get traffic out on eth0 (if name outside). There is no problems between different VLAN ,all VLANs are configure on eth1. It is also possible to accass services on VLAN 10 (DMZ) from outside. The only thing I see in syslog is "Built Outbound" and "Teardown".
View 11 Replies View RelatedI have a Pix 515E running PixOS version 8.0.4 with two interfaces, inside and outside.On the inside interface, I have a Redhat Enterprise Linux 5.4 64 bits machine as an NFS server version 4 (NFSv4).On the outside interface, I have three (3) Redhat Enterprise Linux 5.4 64 bits as NFS clients.I am looking for the exact UDP and TCP ports to be added to the ACL in order to accomplish
View 1 Replies View RelatedI need ot upgrade a Cisco PIX 515 E to A Cisco ASA (not sure what type and modle yet!). the PIX currently has about 80 lines of ACLs and no VPNs. So only inside and outside interfaces and 80 lines of ACLs to be transferred over to the ASA.I was wondering if the ACLs can be transferred over to ASA as is?is there anything that I need ot watch for?
View 1 Replies View RelatedI have an issue in the Cisco PIx 515e series. The IOS is 6.1(2).I have set sepecific access-list to allow incoming traffic to inside interface. But still the TCP 3-way handshaking is dropped here. [code]
View 6 Replies View RelatedWhat would be the access-list entry to allow protocol 97? I am setting up foreign-anchor controller and need to allow protocol 97.
View 1 Replies View RelatedI'm a bit confused about new NAT functionality in Ver 8.4(2). I've gone through all the documentation as well as different blogs but still not clear about the various things.One of these is NAT-CONTROL. I understand that this has now been removed. Does this means that traffic traversing the ASA doesn't need any NAT'ing commands unless specifically required by the administrator? In other words by default traffic is allowed through the firewall without any NAT'ing.
My Second Query
I've ASA5520 running ver 8.4(2). For inside interface, I've created 13 x sub-interfaces under Gi0/1. All have same security level i.e. 100. What I want to achieve is that:Traffic from these sub-interfaces should be NATTed to outside interface when going to internetBut, intra sub-interface traffic should be allowed without NAT'ing. I'm using RFC1918 on both sides i.e. source / destination The first point is not a problem it's working, however. I'm struggling with the second point. On ver 8.2, it wasn't a problem, I used NAT 0 with access-list permitting RFC1918 addresses as source and destination.
I have upgraded ASA5550 version from 7.2(4) to 8.4(2).
On version 7, I am used to "names" command, like this:
names
name 107.25.1.10 Picard
name 107.25.2.20 Administrativa
By addition, when configuring acls it was very usefull, for example:
access-list inside_access_out line 15 extended permit udp host Picard host 107.25.4.61 eq snmp
On version 8, I have verified that names replacement is no more available:
ASA(config)# access-list outside_access_in permit ip host ?
configure mode commands/options:
A.B.C.D Source host IP address
We just switched over from a T1 line to 50/4 Mbps cable Internet. The speed was fine with the T1, but when we switched over to cable, the download speeds didn't increase. I'm getting 2-3 Mbps up and still only 1.5 Mbps down. I inherited this network a few years ago, so I didn't configure the Pix initially but I have been managing it and can't find a setting limiting the bandwidth for the liffe of me. I know it's not the Internet because when I connect a computer straight to the modem, the speed is great. As soon as I put it through the Pix though, it slows way down.
View 8 Replies View RelatedI'm trying to use port redirection to allow outside access to a internal web server. As far as I can see, everything is configured properly. The Open Port Checker tool from yougotsingle.com says that the port (80) is open. However when I goto access it the connection times out. The external address is static from my ISP, and I will call it xxx.xxx.xxx.xxx. The server is at 10.1.1.20, and is functioning properly over the LAN.
View 7 Replies View RelatedI have Cisco PIX 515E for my Lab and can't recover the password. It is not connected to the network. I have configured server, address, gateway from the monitor mode and tftp not seeing my laptop. best way to reset or recover password.
View 7 Replies View RelatedI've been struggling to get ASDM (PDM) installed and running on my PIX 515e. The PIX IOS version is 7.2.4(30) The ASDM version I've copied to flash is 524.
I've followed the Cisco documentation verbatim, however I still cannot connect via the Java ASDM client or via http. When I try to connect via http, my PIX shows the following error: "tcp access denied by acl from..." I do not this this is a security (ACL) issue as I've tested after opening everything up and still no luck.
Here's my running config (w/ the relevant statements prepended with ">>>"):
show run
: Saved
:
[Code]....
I have the following Pix 515E Firewall, that has been working good for a few years. But suddenly, the Pix stop booting up. The only thing that is happening is the power and network traffic led flashes and the active led is off. So my question is that is this symptom a hardware or software problem and is it fixable with either new parts; or is my firewall dead. I suspect that it is a hardware problem since the active led doesn't light up. I cann't even enter the ROM Moniter mode.
View 7 Replies View RelatedWhat would be the command to clear the df-bit on a PIX-515e running 6.3? I have tried the following:
conf t crypto ipsec df-bit clear-df inside and it doesn't take it.
I am facing high CPU util on my pix 515 E which is in failover mode.During peak hours the util is see rising to 60% where as in off peak hours it is normally12%.
During normal operation the average utilisation was observed to be 30% but suddenly from 2/3 days it is constantly 60% doule the value as earlier. Have gone through the logs and traffic but not able to tarce anything particular
below is the o/p of some command taken for analysis
IOS version 8.0(4)
sh cpu usage
CPU utilization for 5 seconds = 51%; 1 minute: 61%; 5 minutes: 58%
sh cpu usage
[Code]......
I need to create a DMZ zone in my network. One server need to be put in DMZ. I have a PIX 515E 6.3.3. It has free port to create DMZ.
1) Put a new switch for DMZ zone
2) Connect it to the DMZ port
3) Create a NAT for inside to DMZ with same IP as inside
4) Create ACL for permiting traffic to DMZ and apply it to outside interface
5) Create ACl for permitting traffic from DMZ to inside
6) Routing for DMZ in PIX