Adding devices behind firewall

Similar Messages

• Devices Behind Firewall ACS 4.0 Local

  All,
  I just read a post labeled "ACS 4.0 Behind Firewall" and it talked about opening ports 2004 to 5000 to access the ACS server that is behind the firewall. My question is does this same port range apply if you are trying to access and authenticate to a device that is behind a firewall. When I try to access one of my devices that is behind the firewall I can't authenticate through the ACS box so I end up using the local username and password. Can anyone tell me what ports I have to open on the firewall to allow the authetication to go back to the ACS server. Thanks

  Hi,
  TACACS+ authentication service between Network devices and AAA Server is running on TCP 49. The 2004-5000 port range is only applicable if you need to access ACS Server (for management purposes) from outside/internet. In your case, if you need to access your devices behind firewall from external network, what you need is map your internal network devices with public IP, and open ddesired service port, e.g SSH (tcp 22) on your Firewall outside interface ACL to allow incoming access.
  For your internal devices, you need to have appropriate AAA configuration that point to ACS (e.g TACACS+). In your ACS, set these devices as AAA Client, and configured appropriate IP, secret key and using TACACS+.
  Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html
  Hope this helps.
  Rgds,
  AK

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• Wireless printing behind firewall

  Greetings. Since upgrading to 10.5, I am no longer able to wirelessly print behind firewall unless I check "set access for specific services and applications" under system preferences/security/firewall (on computer allowing printer sharing). I would think that I could print after checking "allow only essential services," since printer sharing is on, and this shows in the list of "specific services" allowed. I was hoping that this would be solved after upgrading to 10.5.3, but it is not.
  This applies to all connected USB printers. Router is a Lyksys WRT54GS.
  Although probably unnecessary, I would prefer to use the more secure firewall setting ( "allow only essential services"). Any ideas would be appreciated.

  You need to have the right equipment. You have to put ISP equipment on the DMZ. What you need is an access point that resides on your inside internal network. This AP will associate clients and would place these clients on your internal network. Then you would configure your infrastructure to route the traffic how you wish. The reason you can't do what you want is that an ISP wifi router only has one route it knows..... That is what it knows from the wan port. So all traffic leaves the wan port via the ISP default gateway.
  Posted from my mobile device.

• Putting Identity Server behind firewall

  Hi All,
  I have an application running on SunONE app server 7 with agent in order to control authentication and authorization. I would like to put the identity server behind firewall. However, everytime when the agent redirect to identity server to perform login, it redirects directly which user can't access the login page. May I know how can I put the Identity server behind firewall? Must I use web proxy server instead? Any other solution? Thx a lot.
  \Tobey

  Hi, this is Tobey again. I have installed Identity Server 6.1 and a web proxy server 3.6 in front of the Identity Server.
  The web proxy server succeed in reverse proxying all usual applications. However, when I try accessing amconsole through proxy server, the console service always re-direct me to Identity Server host directly. And my client browser is not allow to resolve that hostname.
  What I have configured is setting regular and reverse url mapping in Web proxy server. In Identity server, I have set the fqdn mapping, dns alias, adding one more in server list and cookies domain.
  Any one had experience on putting Identity Server behind firewall? How to solve the hostname problem that redirected by Identity Server service? Thx a lot.
  \Tobey

• RMI Clients behind firewall

  When the RMI client behind firewall tries to access the server the following error is thrown up:
  java.rmi.ConnectIOException: Exception creating connection to: 10.130.12.128; ne
  sted exception is:
  java.net.NoRouteToHostException: Operation timed out: no further informa
  tion
  java.net.NoRouteToHostException: Operation timed out: no further information
  at java.net.PlainSocketImpl.socketConnect(Native Method)
  at java.net.PlainSocketImpl.doConnect(Unknown Source)
  at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
  at java.net.PlainSocketImpl.connect(Unknown Source)
  at java.net.Socket.<init>(Unknown Source)
  at java.net.Socket.<init>(Unknown Source)
  at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(Unknown S
  ource)
  at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(Unknown S
  ource)
  at sun.rmi.transport.tcp.TCPEndpoint.newSocket(Unknown Source)
  at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
  at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
  at sun.rmi.server.UnicastRef.invoke(Unknown Source)
  at RMIFaxServer_Stub.getResult(Unknown Source)
  at FaxTest.main(FaxTest.java:51)

  your client is behind the firewall but the server you're trying to access has an address 10.x.x.x which says that it too is behind a firewall and not on the Internet, or is the server in a DMZ. It sounds more like a networking issue than a java problem at this point. If the server is on some side of a firewall, you may need a some sort of "permit established" config setting added to the firewall. Just a thought.

• PAT with a single public IP and several servers behind firewall

  Hi,
  New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
  Single static public IP:  16.2.3.4
  Need to PAT several ports to three separate servers behind firewall
  One server houses email, pptp server, ftp server and web services: 10.1.20.91
  One server houses drac management (port 445): 10.1.20.92
  One server is the IP phone server using a range of ports: 10.1.20.156
  Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. 
  Here is what I have.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
  ASA Version 8.4(4)1
  hostname kaa-pix
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.20.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 16.2.3.4 255.255.255.0
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network server_smtp
  host 10.1.20.91
  object service Port_25
  service tcp source eq smtp
  object service Port_3389
  service tcp source eq 3389
  object service Port_1723
  service tcp source eq pptp
  object service Port_21
  service tcp source eq ftp
  object service Port_443
  service tcp source eq https
  object service Port_444
  service tcp source eq 444
  object network drac
  host 10.1.20.92
  object service Port_445
  service tcp source eq 445
  access-list acl-out extended permit icmp any any echo-reply
  access-list acl-out extended permit icmp any any
  access-list acl-out extended permit tcp any interface outside eq pptp
  access-list acl-out extended permit tcp any object server_smtp eq smtp
  access-list acl-out extended permit tcp any object server_smtp eq pptp
  access-list acl-out extended permit tcp any object server_smtp eq 3389
  access-list acl-out extended permit tcp any object server_smtp eq ftp
  access-list acl-out extended permit tcp any object server_smtp eq https
  access-list acl-out extended permit tcp any object server_smtp eq 444
  access-list acl-out extended permit tcp any object drac eq 445
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static server_smtp interface service Port_25 Port_25
  nat (inside,outside) source static server_smtp interface service Port_3389 Port_
  3389
  nat (inside,outside) source static server_smtp interface service Port_1723 Port_
  1723
  nat (inside,outside) source static server_smtp interface service Port_21 Port_21
  nat (inside,outside) source static server_smtp interface service Port_443 Port_4
  43
  nat (inside,outside) source static server_smtp interface service Port_444 Port_4
  44
  nat (inside,outside) source static drac interface service Port_445 Port_445
  object network obj_any
  nat (inside,outside) dynamic interface
  route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  prompt hostname context
  no call-home reporting anonymous

  Thanks Lcambron...I got PPTP to work.  Everything else works fine.  I can access email, access my web server, FTP server, and PPTP server.  However, from the above configuration, I cannot access my DRAC over the internet..The DRAC runs on a different internal server, and over port 445.  So I have th following lines:
  object network drac
  host 10.1.20.92
  object service Port_445
  service tcp source eq 445
  access-list acl-out extended permit tcp any object drac eq 445
  nat (inside,outside) source static drac interface service Port_445 Port_445
  Am I missing something here?  Internally, i can telnet to port 445 on 10.1.20.92, so I know it is listening.  However, externally, i cannot telnet to my external ip address of the ASA through port 445. 
  Thanks

• Multiple Public IP's on one physical interface for devices behind Router.

  Hi guys, I am trying to find information on applying multiple IP addresses to a router
  basically one for the Router itself and then some for the devices behind the router, Which i am sure I need to apply some 1 to 1 NATs. I just do not know if i need to specify all the IP addresses on the main interface.
  Example being I have a router with WAN ip of xxx.xxx.xxx.xxx/25 , it only has 2 interface one for WAN one for LAN, i have a server I would like assigned its own public IP address.  but still on the same LAN network.
  Could someone help me out and point me in the right direction with a sample config

  I agree with the previous response that you need a static NAT to allow outside resources to initiate traffic to your server. You also will need NAT or PAT using the router interface address to allow the other hosts in your network to access outside.
  You do not need to configure any other of the addresses on the router interface other than the primary IP that you assign to the router interface. As long as the other addresses are used for NAT/PAT they are configured in the nat statements and not on the physical interface.
  HTH
  Rick

• Issue with Adobe flex data.xml file not reachable from bsp behind firewall

  Hi Gurus,
  I have a problem with the <mx:HTTPService> tag the following is the actual tag,
  <mx:HTTPService
  id="Srv"
  url="data.xml"
  useProxy="false"
  method="POST" result="resultHandler(event)"/>
  When accessed locally I can see the data in the flex as the data.xml can be reached. when the same is accessed from internet behind firewall, the url is entirely different and the .swf file in the BSP page cannot access the data.xml. I cannot give the absolute url in the tag as the BSP page application is accessed differently in different servers. any help on this would be greatly appreciated
  Thanks
  Akbar

  Sorry somehow I missed this question, an even easier way to do this is to allow your Flash movie to "script" ( this is the default behavior for a Flex application ) and then call some javascript to obtain exactly what the page URL is and then go from there to get your data:
  import flash.external.ExternalInterface;
  import mx.utils.URLUtil;
  var
  if(ExternalInterface.available){
       pageURL = ExternalInterface.call("window.location.href.toString");
  // Do whatever you need with the URL here.
       var serverName:String = URLUtil.getServerNameWithPort(pageURL);
  -d

• ITunes Ver 10.6 Radio will not play behind firewall

  iTunes Ver 10.6 Radio will not play behind firewall while version 10.5 works just fine.
  I uninstalled and reinstalled a fresh version of 10.6 rather than just upgrading and still not working.
  Our Firewall is BlueCoat....
  Works just fine outside the firewall..
  Anyone have any suggestions?
  Thanks in Advance
  david

  Update:
  I also noticed that version 10.5 doesn't prompt for Proxy credentials while version 10.6 does...
  thanks in advance
  d

• SMTP behind Firewall

  We have a sever behind firewall, the SMTP ports are opened on firewall. When the application tries to send mail using java mail API, I get the following error. Anything worng with firewall (or) mail api ?
  javax.mail.SendFailedException: Sending failed;
  nested exception is:
  javax.mail.MessagingException: 530 5.7.3 Client was not authenticated
  at javax.mail.Transport.send0(Transport.java:219)
  at javax.mail.Transport.send(Transport.java:81)

  I think you have made it to the mail server (sounds like exchange). Looks like the server is setup to require authentication on incoming SMTP requests. Look here
  http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20250036.html
  Of course, I could be wrong and your firewall has a custom message for SMTP traffic which isn't coming from a 'authorized' mail server or a authenicating proxy server.

• Has Photoshop CS5 Extended added a "Behind" and "Clear" in MODE drop down box?

  Hi Guys,
  I am not sure what just happened with my PS. Was downloading and installing some custom patterns and brushes from the net last night. And when I went to try them out I noticed the drop down box had 2 new added effects ( Behind and Clear ) which I was not able to even access because they were not live. It is the drop down box which has the normal, dissolve, darken, multiply etc. etc. up on the top left hand bar. I was going to upload a picture but I keep getting a message saying this file is forbidden, even after I scaled the image down to the required fields. I was wondering if some one can help. I hope it wasn't a virus from the internet files I downloaded.
  Many thanks, Grace.

  They are brush blend modes.  To use you need to have the brush tool selected.  Open a new layer and paint with any colour.  Chose another colour and make the blend mode Behind.  I bet you know what will happen now? ;-)
  Clear works pretty much the same as the Eraser tool as far as I can tell.  Might need to actually read the manual to get more info on that.

• Unable to view list of added devices in LMS

  Dear All ,
       Iam working on Cisco LMS 3.2.1.Everything was working fine before but since last 2-3 days we are unable to view the list of added devices under device management tab.We are able to see the added groups only.Because of this issue we are unable to get the logs from the added devices.
  Can anybody help in resolving this issue.....???
  Regards ,
  Divya A M

  We tried the suggested steps and could successfully reset the Casuser Password.But couldnot perform unregistering and registering Apache service.We ended up getting the following errors.
  1.)
  C:\Documents and Settings\Administrator>pdreg -u Apache(no output)
  2.)
  E:\lms\MDC\Apache\bin>pdreg -r Apache -epdcmd: option requires an argument -- eERROR: no such command, or option error.Usage:    pdcmd options...Where -b msg    broadcast message to all daemons -k daemon    kill daemon -K    stop system -H    start system -l    list daemon registry -R daemon    start daemon -i daemon    show daemon status briefly -I    show all daemons status briefly -s daemon    show daemon status -S    show all daemons status -G    show daemon statistics -r daemon -e path -d depends -f arguments [-w ] [-n] [-q] [-t code]    register daemon (-w -- timeout for ready file notification)                    (-n -- no autostart)                    (-q -- no INFO messages)                    (-t {0|p|n} -- expected transient exit code                         where                            0 = expected exit code is 0                            p = expected exit code is >=0                            n = expected exit code is < 0 ) -u daemon [-q]    unregister daemon (-q -- no INFO messages) -v    show version number
  3.)
  E:\lms\MDC\Apache\bin>Apache.exe" -f "-d'Apache.exe" -f "-d' is not recognized as an internal or external command,operable program or batch file.
  4.)
  E:\lms\MDC>Apache -D SSL" -d TomcatMonitor(OS 10048)Only one usage of each socket address (protocol/network address/port)is normally permitted.  : make_sock: could not bind to address 0.0.0.0:443no listening sockets available, shutting downUnable to open logs
  Regards  ,
  Divya

• LMS 3.2 Adding Devices Manually

  Can anyone tell me if I need a seed devices to add devices manually or can I just bypass this portion of the setup since I'm NOT going to be discovering anything with Ciscoworks.(My envoronment is to complex to perform and discovering)  Or do I need a seed device anyhow for functionality of Ciscoworks and other processes?
  Please advaise & thank you in advance,
  Erick

  If you are adding devices manually, there is no need for a seed device. The whole purpose of seed devices is to use it as staging for discovering neighboring devices.
  There is a great document written on the CSDiscovery process in LMS by Joe.
  https://supportforums.cisco.com/docs/DOC-9005

• CiscoWorks: Adding device in CS but it's in pending devices in RME.

  Hi,
  I have fresh installed the LMS 3.2.1 without any errors. Then I am adding device in CS, give it correct credentials. Its appears in RME automatically, but it always remain in Pending devices in RME.
  I have run a job in RME to check the devices credentials and it's appearing that credentials for snmp are wrong but ssh/ telnet appears as "did not try". Although I have added the correct credentials in CS for device, but it appearing as wrong in RME.
  Also when I add device in CS, it's not automatically picking it's device type, until in CS I define its device type manually.
  Please advise a solution for thiss problem.
  Thanks

  This usually indicates that SNMP contact to the devices fails
  I use the CLI tools like \CSCOpx\objects\jt\bin\snmpwalk.exe to check this.
  Cheers,
  Michel