ASA Identity Firewall
Hi,
I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.
I have installed the ADAgent on a domain member Win2008 and configured as follows:
aaa-server ADAGENT_SERVER protocol radius
ad-agent-mode
aaa-server ADAGENT_SERVER (VPN) host 172.17.v.x key *****
I have configured the LDAP connection to the DC as follows:
aaa-server DOMAIN_SERVER protocol ldap
aaa-server DOMAIN_SERVER (VPN) host 172.17.v.z
ldap-base-dn DC=YYY,DC=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn vvvvv
server-type microsoft
The identity config is as follows:
user-identity domain YYY aaa-server DOMAIN_SERVER
user-identity default-domain YYY
user-identity action netbios-response-fail remove-user-ip
user-identity logout-probe netbios local-system
user-identity ad-agent aaa-server ADAGENT_SERVER
user-identity user-not-found enable
access-list 122 extended permit ip user YYY\ashdew any any
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.
The ADagent has been properly tested and ASA can register to it.
The ASA can connect to AD DC controller and query user database.
I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity
Do I need to add extra rules in the access-list 122 to permit trafic to DC?
Can I check on the AD Agent if it can retrieve the user to ip mapping ?
Thanks
Ashley
Thanks Karsten,
Great its clear now. I know the DMZ seems a bit odd. Actually, the DMZ is only accessible through the any-connect VPN.
In the DMZ, we will have a citrix farm to access internal resources through identity management.
We are testing with a laptop in the first place.
Now, we have allowed in the acl to access AD, the laptop authenticates in the domain but then all connections are refused since the AD Agent is not retrieving the mapping.
Is there a way to check if the ADAgent is properly retrieved the mapping. We suspect the problem is here.
We did a capture on the ASA and we have found that the ASA contact the ADAgent when the user authenticates but then ADAgent does not return any ip mapping. The ASA sees the user as ip as user-not -found .
Thanks again for your help,
Ashley
Similar Messages
-
Major flaw in Identity Firewall?
Hi!
I have just configured identity firewall on our ASA 5510.
I have 3 nodes that authenticates against Active Directory, using the Windows Server 2008 R2 builtin Network Policy Server:
A laptop, a stationary PC, and a Android Phone. All 3 nodes are authenticated using the same user/password.
Now, in ASDM -> Monitoring -> Properties -> Identity -> Users, I can see two of the nodes with my user name attached to it, namely the laptop and the stationary PC.
But not the Android phone.
Then it dawned on me. To set up the ADAgent properly, you have to apply 2 group policy entries. Unfortunately, those 2 entries are applied to the Computer Configuraton part of the Group Policy!!
This means that your COMPUTER has to be a member of your domain for USER IDENTITY to work.
Err. hello?
So my Android phone and other nodes not a member of the AD Machine Store will never be detected by identity rules, and can roam the network free.
If this isn't a major flaw, I don't know what is.
Unless, of course, there is something I have completely misunderstood.
Please tell me that I have.Hello,
For devices that are not joined to the AD domain, the IDFW feature supports learning username to IP mappings via VPN or cut-through proxy authentication. The configuration guide describes this type of deployment:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html#wp1372180
-Mike -
Identity firewall with OpenLDAP ?!
Hi Guys
I am interested to use identity firewall but I am using OpenLDAP , as far as I know there is no OpenLDAP agent like AD Agent!
Does it mean that I only able to use OpenLDAP for VPN authentication and not for identity feature ?
Thanks
EhsanProbably the answer is Yes I guess , ASA identity feature works only with Microsoft Active Directory !!!!
-
Can Identity Firewall work with L2L IPSec
Hello,
One of my customers has requested a L2L IPSec tunnel between a 3rd party ASA5505 and their central office 5510.
The tunnel works fine but they have asked to enable Identity Firewall against the incoming connections in relation to the IPSec tunnel.
I've read about sysopt and vpn filter. So there are 2 choices.
1. Disable access rule bypass for VPN connections via the sysopt command and configure the access rules accordingly.
2. Use the vpn filter mechanism and define the ACL / ACE w/ the Identity Firewall.
This is an excerpt from the Identity Firewall chapter ASA 9.0/ASDM 7.0.
VPN filter—Although VPN does not support identity firewall ACLs in general, you can use configure the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic is not subject to access rules. You can force VPN clients to abide by access rules that use an identity firewall ACL (
no sysopt connection permit-vpn
command). You can also use an identity firewall ACL with the VPN filter feature; VPN filter accomplishes a similar effect as allowing access rules in general.
Has anyone attempted and succeeded with such a configuration? If so, did it support AD authentication or LOCAL only?
Thanks in advance for your input.Anyone??
-
Cisco ASA 5505 Firewall Not Allowing Incoming Traffic
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out. I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq wwwHey Craig,
Based on your commands I think you were using 6.3 version on PIX and now you must be moving to ASA ver 8.2.x.
On 8.4 for interface defining use below mentioned example :
int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
If you're still not able to reach.Paste your entire config and version that you are using on ASA. -
I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
Also the bolded lines are the modifications I made but that arent working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#Unclear what did not work. In your original post you include said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you add another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
DMZ issues in ASA 5505 Firewall
hi , i have asa 5505 firewall with ASA5505-UL-BUN-K9 license i have problem with DMZ. I am not able to create dmz. please suggest me what i need to do in order to be able to configure dmz. should i need to upgrade the license. please suggest.
Hi,
Is the currently licensed firewall something that you have had for sometime or is it a new purchase?
Just wondering as it would seem unreasonable to just have bought something and then having to get a new license. Just wondering if you can somehow avoid spending extra money if this is a new purchase that wasnt what you were actually looking for.
You can check this link for the differnent options the ASA5505 has
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html
You can also check this link for all the available licensed options on the ASA5505
http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html#wp2124788
This link contains also information on the ASA models
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
So essentially you would get 20 Vlan interfaces instead of 3 and also support for Trunking which would let you use a single physical link for several Vlans (if you wanted that is)
Hope this helps
- Jouni -
Identity firewall NetBIOS Probe problem
Hi,
I've setup an Identity Firewall on a ASA5510 version 8.4.5 (inside interface). ADAgent is installed and configured on an Windows 2003 server and connected to the DC (Windows 2008 server). Everything works fine except the NetBIOS Probe function.
The NetBIOS probe function is active and configured as below.
user-identity domain TEST aaa-server LDAP_Identity
user-identity default-domain TEST
no user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 120
user-identity logout-probe netbios local-system
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent aaa-server adagent
user-identity user-not-found enable
The problem is following message...
"746013 user-identity: Delete IP-User mapping 192.168.3.61 - TEST\Peter Succeeded - Netbios probing failed"
I've never seen an NetBIOS probe successful message
Can anyone help me with this issue?
ThanksHi,
Could you please run some of these debug commands:
debug user-identity user
debug user-identity user-group
debug user-identity ad-agent
debug-user-identity ldap
debug user-identity logout-probe
debug user-identity acl
debug user-identity tmatch
debug user-identity fqdn
debug user-identity process
debug user-identity debug
debug user-identity error
debug ldap 255
Also here is a guide that may provide some direction -
https://supportforums.cisco.com/docs/DOC-20366
Tarik Admani
*Please rate helpful posts* -
IDS,ASA,PIX firewall monitoring and optimizing
Dear All,
Please let me know the products from Cisco to monitor and optimize the IDS, ASA, PIX firewall in the data centre and corporate networking environment.
I believe that VMS 2.3 can be used.I like to know about the CS-MARS product from Cisco and its usage.
Thanking you
SwamyHi,
CS-MARS is a security product that mainly used to analyse, correlates and produce/recommed mitigation action based on the log analysis.
You need to send your syslog, snmp or NetFlow to CS-MARS from all/selected network devices in the network to enable it to have visibility of the network activities. It has built-in signatures or rules that trigger incidents, and allows you can create your own rule to monitor certain segment or devices. Notification is available in the form of email, sms, pager, snmp and syslog.
CS-MARS does not replace the function of IDS/IPS or antivirus, but as a critical security complimentary product to allow you to stop any detected malicious incidents/activities from a nearest point, e.g shutting down switch port where a PC is detected trying to launch network attack, virus or trojans. The concept more or less similar to 'Forward Defense' used by certain country today.
http://www.cisco.com/en/US/partner/products/ps6241/products_data_sheet0900aecd80272e64.html
CS-MARS is measured by its capabilities to handle received Event and Netflow logs per second. This include the HDD capacity. You can have single unit (Local Controller) or multiple unit that centrally managed by Global Controller.
CS-MARS support wide range of networking and security products.
http://www.cisco.com/en/US/partner/products/ps6241/products_device_support_tables_list.html
Rgds,
AK -
ASA 5525 firewall Trace Route.
Hi,
We are Having ASA 5525 firewall and Whenever I am performing traceroute passing through the firewall and i am not getting any hop count after firewall( Firewall IP is also not shwoing in Trace Route.
ICMP I had allowed and also configure ICMP in the Policy_Map global Policy.
PLease help me to resolve this issue.
Regards,
DheerajHi Dheeraj,
firewall blocks Traceroute as doesnt decrements the TTL value by default. You would need the following to enable the same:
Make the Firewall Show Up in a Traceroute in ASA/PIX
ciscoasa(config)#class-map class-default
ciscoasa(config)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This Policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decrement hiding (somewhat) the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop:
Cheers,
Naveen -
Connectivity Issue between ASA 5520 firewall and Cisco Call Manager
Recently i have installed ASA 5520 firewall, Below is the detail for my network
ASA 5520 inside ip: 10.12.10.2/24
Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
Cisco Call Manager 3825 IP: 10.12.110.2/24
The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
the Default Gateway for Data user is 10.12.10.2/24 and
for the voice users is 10.12.110.2/24
now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
ASA Version 8.2(1)
name x.x.x.x Mobily
interface GigabitEthernet0/0
nameif inside
security-level 99
ip address 10.12.10.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp
service-object ip
service-object icmp
service-object udp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq telnet
access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 Inside-Network 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Mobily 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Mgmt-Network 255.255.255.0 mgmt
http Inside-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh Inside-Network 255.255.255.255 inside
<--- More ---> ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 86.51.34.17 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_splitTunnelAcl
username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-Users
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
: end -
Dear All,
I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me.
Thanks
VijayHi Vijay,
If can be done but you need any network management software. I personally dont think you can ask your ask to send mails. ASA can trigger alert to a SNMP configured server which will intern send mail to you
HTH, -
Hello All,
I am thinking to set up Identity Firewall functionality too for our environment. I had a couple of questions. Is the new version of AD Agent now called CDA (Context Directory Agent)? Also will this support Windows 2012?
AdilHi,
Yes, CDA is the replacement of AD Agent.
Supported Active Directory Versions
The Cisco CDA supports the following Active Directory versions:
•Windows 2003
•Windows 2003R2
•Windows 2008
•Windows 2008 R2
•Windows 2012
http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1059944
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
http://www.cisco.com/web/partners/tools/pdihd.html -
Identity firewall with Single Forest/Multi-Domain
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.
Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:
I have 3 domains.
domain1.test.com
domain2.domain1.test.com
domain3.domain2.domain1.test.com
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2\user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.
The cisco documentation states the following:
•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).
Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.
Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains. I wanted to ask though before I blow everything up and start over. The instructions are not overwhelming clear on what needs to done in this scenario. Suggestions?Hi Matthew,
If I understand your post correctly, the problem is that the ASA is unable to search users in domain2, correct? This portion of the communication is unrelated to the AD Agent, but it sounds like the Agent can talk to the DC just fine. The ASA searches for users directly on the DC via LDAP queries. The communication between the ASA and the Agent is all done via RADIUS.
If the above is correct, I would focus on why the LDAP queries are failing between the ASA and the domain2 DC. Feel free to open a TAC case on this as well for additional assistance from the AAA experts.
-Mike -
Unable to see interface on ASA 5510 Firewall
Hi All,
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output.
ciscoasa# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 x.x.x.x YES CONFIG up up
Ethernet0/1 x.x.x.x YES CONFIG up up
Ethernet0/2 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 192.168.1.1 YES CONFIG up up
Please suggest what could be the reason.
Regards
PankajHi Ramraj,
Even i have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
Its not showing up in sh ver . As Karsten said he might be running on old IOS version.
fy-a# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(5)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fy-a up 1 day 1 hour
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is 2c54.2d0c.8f1a, irq 9
1: Ext: Ethernet0/1 : address is 2c54.2d0c.8f1b, irq 9
2: Ext: Ethernet0/2 : address is 2c54.2d0c.8f1c, irq 9
3: Ext: Ethernet0/3 : address is 2c54.2d0c.8f1d, irq 9
4: Ext: Management0/0 : address is 2c54.2d0c.8f1e, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1AXXXXX
Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
fy-a#
Ramraj please do correct me if am wrong.
Please do rate if the given information helps.
By
Karthik
Maybe you are looking for
-
History and Future Bucket of the Data View
Hi Experts As per my Client Requirement Planning for the Next year Jan 2010 u2013 Dec 2010 which Starts in the second Quarter of the Year 2009. They need historical data (Historical Time Bucket) of Last 3 years in the monthly bucket and Future bucket
-
Opening PDF files in Reader itself takes a long time
When I try opening PDF Files in Reader itself, this process takes a long time (more then 2 minutes for opening PDF files). When I try opening PDF Files directly from My computer, My documents: no problem (direct opening). Running Reader XI on Windows
-
Impossible to program a Kintex-7 with Vivado Lab Edition 2015.[1,2]
Hello, I'm trying to program a Kintex-7 160T with a Platform USB Cable and Vivado Lab Edition 2015.1 and 2015.2. The JTAG chain is shown on the screenshot below: It is possible to program very small bitstream (~600KiB). But when the bitstreams become
-
Before I spend 10 bucks on the numbers app for iPad I have a few general questions. The main one being how compatible is excel and numbers. I want to know if I import a sheet I was working with in excel to numbers and that sheet has formulas, charts,
-
Unit of measure problem between Order UOM, Base UOM and Inspetion UOM
Material: ROH-001 Base UOM: Meter Order UOM: Kilogram Inspection UOM: Roll I have already maintained conversion factor in material master between meter and kilogram. Is there any way to maintain KG in inspection plan header level and Roll in inspecit