|
brent78 posted:I have a pair of ASA 5520's protecting a cluster of around 40 servers. I want to create a class-map that will rate limit SSH and FTP connections by source IP to 5 per minute to cut down on dictionary attacks and the like. Can someone help be find the configuration I'm looking for? Not sure that is possible. Best way I can think to do something like that is to use auth proxy. For FTP the ASA can do inline authentication. However we don't do inline for SSH, IIRC. Do these need to be publicly accessible? If its only employees that need access just force them to connect to VPN first.
|
#
¿
Dec 28, 2007 20:44
|
|
|
|
| # ¿ May 15, 2024 18:02 |
|
|
Ratmtattat posted:I have a question. Has anybody had experience with Cisco's Clean Access stuff? I'm having an issue with laptops right now and was told that there is a client that will automatically connect with credentials to an access point upon startup, but nobody is helpful and will tell me what it is or where to get it. Has anybody heard of this or knows what it is? http://cisco.com/en/US/products/ps6128/index.html HW that is unauthenticated is put in an untrusted VLAN. Once the supplicant auths then the client is moved to your trusted VLAN and they have full connectivity. There is more to it than that, but I don't really know enough to get into specifics. Its pretty popular (especially with education).
|
|
#
¿
Jan 8, 2008 21:34
|
|
|
InferiorWang posted:I might be mistaken, but you don't need the contract for a CCO login. However, it's really just a guest login and you need the various support contracts to unlock parts of the site. Correct. InferiorWang posted:Off that topic, does anyone have any thoughts or opinions on the ASA 5510, specifically how it might stack up against PfSense? Right now I have a carped/pfsync pfsense setup with two PCs. It seems to work well, but the marketing speak for the ASA talks about Application Inspection, voice protection, VLAN capabilities, and of course VPN duties. None of those are supported by pfsense as far as I know. We have roughly 900 workstations and 30 servers. The biggest drawback I see is that I'm losing the redundancy I have right now. I work for Cisco. ASA is a good box. You can have redundancy, you'll just need to buy two of them. The marketing stuff will tell you we do sub-second failover. In most cases this is correct. I do a lot of work on these guys so if you have questions fire away, I'll do my best to answer. Tremblay fucked around with this message at 20:27 on Jan 11, 2008 |
|
#
¿
Jan 11, 2008 20:25
|
|
|
CrazyLittle posted:I've got a 2801 router with a VWIC-2MFT-T1, two WIC-1DSU-T1-V2 cards, and a WIC-1ADSL card in it. For some reason it won't let me configure the t1 controller on the vwic. Every time I try to assign the timeslots it gives me this error: You can't use Slot0 for non-voice cards. http://www.cisco.com/en/US/docs/routers/access/2800/hardware/installation/guide/01_hw.html#wp1095473
|
|
#
¿
Feb 18, 2008 00:37
|
|
|
Spazz posted:Is there a way to configure a router, switch, etc. to push the logs to an external server? Or some sort of external log configuration for advanced debugging? Google syslog.
|
|
#
¿
Feb 20, 2008 07:00
|
|
|
jbusbysack posted:I am experiencing an issue where any RADIUS authentication calls that run through an ASA 5520 are coming back as false negatives. The device queries the RADIUS server, gets an affirmative response back (confirmed on the IAS server), yet states authentication denied. This is consistent across platforms and models. Is there something in the ASA itself that I am missing? This only is causing problems for devices that run through the firewall, anything that lives on the switches are fine. It sounds like you have a static that overlaps with a dynamic PAT policy. If that is the case then all bets are off.
|
|
#
¿
Mar 4, 2008 23:40
|
|
|
M@ posted:There is no output VS-S720-10G-3C you have to run 12.2.18SXH or SXH1. SXF doesn't have support for the HW (that I can see). Since the other CCIE was going to get 1.5 arms, can I get just a finger? (goon discount) Make sure you pick CAT6000-VS-S720-10G/MSFC3 as the HW on the IOS upgrade planner.
|
|
#
¿
Mar 14, 2008 22:27
|
|
|
M@ posted:Well, the issue really is that the card won't even light up. We've tried it in our 6509-E and 6509 so far and no dice. Are you sure the HW is good? No rommon output + the hot SUP not being able to see discover the cards MAC leads me to believe its toast. Sorry, when you guys were talking code I thought you were talking about the 10GE not the vanilla 720.
|
|
#
¿
Mar 15, 2008 00:09
|
|
|
M@ posted:That was my thought as well. The only other thing I can possibly think of is that it doesn't have enough power. Cisco says minimum required is 1 2500W, but I read something on their site about 4000W that now I cannot find. Fairly sure the card is toast. Going home to drink now. 2500W should be fine. A redundant pair would suck down ~826 Watts. Happy drinking.
|
|
#
¿
Mar 15, 2008 01:59
|
|
|
permanoob posted:Basic and simple PIX question, I'm just pretty new to this. NAT+Global statements are for dynamic NAT/PAT. They cannot be used to allow a host from a lower sec level to a higher sec level. What you need are static NATs/PATs. For instance if your interfaces were called Outside, and Inside. You have a webserver at 192.168.1.50 that you want to be accessible via the internet. The public IP you want to use is 1.1.1.1 you would do the following: static (inside,outside) tcp 1.1.1.1 80 192.168.1.50 80 To map just port 80 from the internal IP to the external. You could do this: static (inside,outside) 1.1.1.1 192.168.1.50 Which would map all ports/IP carried protocols. Make sure you add a permit to your outside access-list to permit hosts to hit the external IP. More here: http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/mngacl.html#wp1069973
|
|
#
¿
Mar 19, 2008 22:27
|
|
|
permanoob posted:Alright, I see what you're saying with static routes to pass port specific types of traffic from the outside ip to an inside ip. Yup it can, check out that link I posted. Also those commands are static PAT and static NAT respectively. They are not routes.
|
|
#
¿
Mar 20, 2008 00:39
|
|
|
jwh posted:I believe this will cause the router to arp for every non-local destination, and will require something else to be running proxy-arp (ie., cable CMTS) to function correctly. In other words, bad news. correct and correct. We ask people that arp question in interviews. Its depressing how few figure it out.
|
|
#
¿
Mar 24, 2008 20:19
|
|
|
permanoob posted:Yeah, I know the device doesn't route. Yeah, I used the word routes. You are permitting access to private IP addresses on the outside interface. access-list 101 permit tcp any host psdc eq ftp access-list 101 permit tcp any host psdc eq 1433 access-list 101 permit udp any host psdc eq 1434 static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0 You need to be doing this: access-list 101 permit tcp any host 204.228.142.235 eq ftp access-list 101 permit tcp any host 204.228.142.235 eq 1433 access-list 101 permit udp any host 204.228.142.235 eq 1434 static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0 Remember where you are assigning the ACL and what direction its applied in  .
Tremblay fucked around with this message at 01:58 on Mar 26, 2008 |
|
#
¿
Mar 26, 2008 01:55
|
|
|
XMalaclypseX posted:On a ASA 5505, how can you make anything from the outside interface ping anything on the inside interface without doing a 1-to-1 nat rule for each host? Traffic from a lower security interface requires: static NAT Permits in the low security interface's ACL For ICMP also toss in "inspect icmp" Think about it, how could it possibly work without using statics?
|
|
#
¿
Apr 11, 2008 18:51
|
|
|
XMalaclypseX posted:Just wondering if it could be made to work like a regular router. I'm new to Cisco stuff. Even on a regular router doing PAT what you've said wouldn't work.
|
|
#
¿
Apr 11, 2008 21:50
|
|
|
jbusbysack posted:With same-security-traffic permit inter-interface and/or same-security-traffic permit intra-interface you can. Otherwise no. ^ What he said. No way in PIX 6 and earlier, but 7+ it works.
|
|
#
¿
Apr 12, 2008 00:05
|
|
|
permanoob posted:I'm having some issues getting SQL connections through my PIX. I'm running 6.3(5) and here's what my acl setup looks like: Is there a static NAT or PAT statement for the inside SQL box?
|
|
#
¿
Jun 13, 2008 18:00
|
|
|
XakEp posted:gaaaaah. finally got into the darn IDS, but now I keep getting an error. Error: No active virtual sensor. wtf - i cant find anything on working this problem anywhere for v4.1. to make this even more annoying i cant access the command/control interface over the network. wont ping a thing. ugh. 4.1? Holy crap old. You will not be able to reach the box until you run setup. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/index.htm IP addresses are entered as x.x.x.x/mask_bits Also pay attention to the ACL section of setup, most people blow through that while doing everything else right.
|
|
#
¿
Jun 25, 2008 01:31
|
|
|
Syano posted:Doing a bit of research on Cisco's site it appears one of the sell up features of the add in IPS sensor for the ISR routers is it has a "complete" IPS signature set. Is it really that much different from the built in IPS on say the 1841? Yes, and with AIM-IPS you get hardware acceleration. I don't know how much traffic you are pushing so I can't really comment as to what is appropriate. Give presales a call?
|
|
#
¿
Jul 29, 2008 18:00
|
|
|
ior posted:IŽd say memory leak. This is much more likely then filling the NAT table to the gills. I've been running ASAs of various HW/SW combination at home for 2 years and haven't had issues with torrents. There could be other issues, like threat-detection shunning hosts due to packet rate (if you are on 8 code). We need a little more to go on here...
|
|
#
¿
Jan 5, 2009 20:32
|
|
|
Syano posted:I got excited until I looked around for a win32 version. Im not scared of some *nix I just have almost zero skillset there. Its really not that bad, promise.
|
|
#
¿
Jan 15, 2009 02:26
|
|
|
wolrah posted:I'm throwing an 1841 I have laying around in to my home network for a while so I can become more familiar with IOS and so I can test T1 gear at home. I know how to get it going with NAT and set up the port forwards I need, but I can't seem to find good information on what if any VoIP helper features it may have. NAT/PAT engine in IOS is SIP aware, so you shouldn't have any issues.
|
|
#
¿
Jan 18, 2009 01:36
|
|
|
gwon posted:I started another thread and got pointed here Not sure if you are talking WAAS appliance or one of the other variants. I'd start with the design guide: http://www.cisco.com/en/US/products/ps6474/products_implementation_design_guides_list.html I know how it works for the most part but haven't had the chance to mess with it much. Sorry  .
|
|
#
¿
Feb 26, 2009 02:10
|
|
|
ragzilla posted:The market dropped out on the sup2/msfc2 combo since it can't take full tables anymore unless you strip out some /24s or filter on RIR minimums, everyone who takes full tables on sup2/sup32 had to upgrade to the RSP/SUP720 with XL *FCs to continue taking full tables. The market has dropped out on Sup2 because the things are end of life. SXF is going away soon too. So pretty soon you'll have no SW support. Gray market vendors are trying to shove that poo poo out the door since they don't want to be stuck with them. https://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_end-of-life_notice0900aecd800fd91f.html http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/eol_c51-500212.html http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_end-of-life_notice0900aecd80646c9c.html edit: added links to EoL announcements Tremblay fucked around with this message at 03:51 on Mar 13, 2009 |
|
#
¿
Mar 13, 2009 03:43
|
|
|
jwh posted:Who has an ACS appliance handy? I'm trying to figure out if they normally report 100% CPU utilization. Not normal.
|
|
#
¿
Mar 18, 2009 17:50
|
|
|
jwh posted:I'm not sure that it does. Seconding this. Its just as bad on this side of the fence.
|
|
#
¿
Mar 19, 2009 18:20
|
|
|
Begby posted:Ahh, this is what the tech mentioned. Something about how if the cable modem went down, the cisco would not actually see it go down since the connection would still be there to the router. So track on the cable modem's default gateway. Once that IP stops responding to probes the ASA will flip routes. It doesn't have to be a directly connected host iirc.
|
|
#
¿
Apr 15, 2009 17:41
|
|
|
Studebaker Hawk posted:does anyone have experience with the client less RDP plugin for the ASA? Does it really not have a full screen/resizable screen option? None of the literature seems to indicate it and I really cannot see how that is possible in the day an age when so many other ssl vpn devices offer that functionality (at least the juniper and sonicwall devices that I am more familiar with) Screen size is set inline with the RDP url. So to make the screen 800x600: rdp://192.168.50.5/?geometry=800x600 Fullscreen: rdp://192.168.50.5/?fullscreen=true (i think) If you click on the help link from the clientless portal you can see all the options that are available. The RDP client isn't written by Cisco. Its an open source project that we redistribute. http://properjavardp.sourceforge.net/
|
|
#
¿
Apr 24, 2009 16:48
|
|
|
jwh posted:I should point out that that is different than the way Juniper does RDP on their IVE boxes, in that IVE based RDP simply calls the machines native mstsc.exe and directs it towards a local socket that is proxied through the SSL tunnel. That RDP plugin is for for use with WebVPN, which is a portal thingie that can be customized. There is SSL VPN via AnyConnect which behaves like IPSEC RA. I haven't played with the Juniper solution, but I'm surprised they went that route. I know the client that we are distributing works pretty drat well under Windows, MacOS and Linux as its all Java. *shrug
|
|
#
¿
Apr 25, 2009 01:01
|
|
|
CrazyLittle posted:oh god why??? The problem is only with to the box traffic? You don't see the same issue if you ping your router upstream from the PIX right? Assuming that is the case, its a scheduler thing. To the box traffic is handled at a lower priority then to the box traffic (IPSEC excluded).
|
|
#
¿
Apr 25, 2009 01:03
|
|
|
Richard Noggin posted:Argh. Nobody at Cisco seems to be able to answer this simple question. I have a customer that wants an ASA 5505. They'd like to be able to have VPN access through a software client. They don't want to spend the extra money for the SSL VPN license, but Cisco's site states My read is 55x0 + SmartNET = free IPSEC client 5505 + SmartNET = no Your reseller or SE/AM should be able to clarify that/hook you up. Edit: I don't see any mention on the ordering guides about the IPSEC client. There should be a presales phone line on cisco.com. Give that ring and see what they say. Tremblay fucked around with this message at 18:58 on May 14, 2009 |
|
#
¿
May 14, 2009 18:48
|
|
|
StabbinHobo posted:yep, fresh out of the box. I think you have it, SOL. Go to staples and buy one. When yours comes in just return it.
|
|
#
¿
May 19, 2009 16:53
|
|
|
Sojourner posted:Here's one that's stumped the guys at the office for a bit: about 5 or 6 of our switches, older ones (3524s) are no longer accessible via telnet. If you telnet to them you are prompted by a greeting that says Thirding. Catalyst switches are NOT i686 arch.
|
|
#
¿
Jun 3, 2009 20:17
|
|
|
Herv posted:Another MAC Hunt. Its like Duck Hunt, but less fun. And there isn't an annoying dog to shoot at.
|
|
#
¿
Jun 3, 2009 21:11
|
|
on the card is a Broadcomm, Intel, or maybe 3com.
|
the nicker posted:I need some help with a NAT scenario that's a bit different than what I'm used to dealing with. I'll use this simplified GNS3 scenario since the solution here will transfer to my real-world scenario. So you are trying to do a destination static nat?
|
|
#
¿
Jun 4, 2009 18:18
|
|
|
ragzilla posted:Eh, not always. Thats most likely because your acct team was feeling nice.
|
|
#
¿
Jun 5, 2009 05:18
|
|
|
Weissbier posted:Has anyone had success with the cisco anyconnect client? I don't know what I'm missing. We have an ASA 5540 running ASA 8.2(1)/ASDM 6.2(1) I take it this isn't in production? If it isn't enable buffered logging. Increase the buffer size, and set it to debug level. That's the best place to start. If you type "show asp table socket" do you see an entry like *:443?
|
|
#
¿
Jun 12, 2009 05:16
|
|
|
tortilla_chip posted:Is the PIX actually performing any NAT/PAT operations? If not, try "xlate-bypass" This doesn't exist in PIX 6.X and prior. Goochy, can you PM me a show tech when its slow?
|
|
#
¿
Jun 16, 2009 00:23
|
|
|
Powercrazy posted:I'd say use SFTP. SCP is a very old protocol and just guessing here, probably has a problem with files that are above a certain size say 48megs. I know that if I tried to use TFTP to upload images to a 3800 or below router it wasn't a problem, but if I tried the same thing with a 6500 or 7600 the transfer would timeout. It could be an SCP bug in the version of code he's running.
|
|
#
¿
Jun 18, 2009 16:58
|
|
|
|
| # ¿ May 15, 2024 18:02 |
|
|
The switch is always going to use the same line termination. How is Rancid pulling this? SSH?
|
|
#
¿
Jul 27, 2009 20:23
|
|