Cisco ASA 5585-X SSP-20 SSL wildcard SSL certificate support?

Hello
I want to verify if the Cisco ASA 5585-X SSP-20 supports wildcard SSL certificates.
Cheers

Supports them how?
As certificates issued to the ASA and properly bound to its interfaces to support SSL VPN or ASDM access - yes.
You can configure a wildcard (or any other) certificate improperly and cause things not to work. However, it's not a limitation of the device's operating system not supporting it.

Similar Messages

  • Cisco ASA 5585-X SSP-20 8.4(2) - TCP Syslog problem

    Hi,
    We have a firewall service environment where logging is handled with UDP at the moment.
    Recently we have noticed that some messages get lost on the way to the server (since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP.
    You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and found out that all the connections through that firewall are now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
    The TCP syslog connection failing was caused by a mismatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message:
    "%ASA-3-201008: Disallowing new connections."
    Here start my questions:
    - New connections are supposed to be blocked when the TCP Syslog server isn't reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
    - I configured the "logging permit-hostdown" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
    - Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
    - After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
    - As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
    At the end I was forced to save the configuration on the ASA's flash memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem.
    Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the "logging permit-hostdown" command didn't help, nor did changing back to UDP.
    It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configurations on.
    Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the above measures we took (like the command "logging permit-hostdown" which is supposed to avoid this situation altogether).
    - Jouni

    Hi,
    I FINALLY had the time to look at this issue as I was testing something else in our lab too.
    In short, here is what I did:
    I configured the TCP logging in the same way as in the original post
    I configured the TCP logging giving the commands in different order
    Did some other tests related to the problem
    Device used: ASA 5585-X
    Software: 8.4(2)
    Original Device and software : ASA 5585-X running 8.4(1)9
    Here are the above scenarios and what actually happened
    Original situation
    Before doing any changes the test firewall context in question is working normally and the log sent by UDP/514 is arriving to the Syslog server as usual.
    I now change the syslog to TCP by giving a command "logging host tcp/1471" (actual port being TCP/1470)
    The firewall immediately starts blocking all connections going through it.
    I change the configuration to the correct port TCP/1470 after which log starts appearing in my realtime view on the syslog server. The firewall context in question is still sending only the message "Disallowing new connections" even though the TCP port on the Syslog server is clearly reachable and the connection is active.
    After this I try to do the suggested "clear local-host all" command. This has no effect on the firewall context. No connections are getting through. No connections/xlates are formed on the firewall. I can only see the firewall doing DNS queries with its outside interface (related to another configuration).
    After this I try to start correcting the situation the same way as before. I add the "logging permit-hostdown" command which has no effect on the situation. I remove all logging configurations and it doesn't have any effect on the situation.
    After this I activate UDP logging and can see the logs arriving on the syslog server but again I can only see "Disallowing new connections" message.
    In the end I have no other option (to my knowledge) other than to delete the Security Context and create it again with the same interfaces and with the configuration saved to the flash memory of the ASA.
    After this the connections work like usual. (UDP logging in the saved configuration)
    Giving the configurations in different order
    After I've created the firewall again and all is working I have another try in configuring the TCP Syslog while giving the commands in different order.
    First I add the command "logging permit-hostdown" command
    Then I add the command "logging host tcp/1470"
    After this logs start arriving on the syslog server and connections work as usual. Seems giving the "logging permit-hostdown" first before any other configurations is the right way to go.
    Removing the "logging permit-hostdown" command
    After I saw that everything was working I tried to remove the "logging permit-hostdown" command and see what happens. Everything worked fine.
    Configuring wrong TCP port to "logging host" command
    I decide to try and change the TCP port used to a wrong one and see if anything happens. (logging permit-hostdown is active). Firewall works as usual. Naturally no logs can be viewed at the syslog server.
    Configuring the TCP Syslogging without "logging permit-hostdown" but with correct port
    Finally I tried to configure the TCP Syslogging on ASA with the correct TCP port without issuing the "logging permit-hostdown" command. Everything seemed to work fine after this.
    So in conclusion it seems that IF you don't have the "logging permit-hostdown" command issued before you start configuring "logging host tcp/xxxx", you might run into problems IF you don't have matching settings on the ASA sending the log and the Syslog server receiving the log.
    There doesn't seem to be any easy way to correct the situation (with the connections getting blocked) after you have once messed up the configurations. Seems your only option is to reconfigure the Security Context (which is easy) or, if this problem exists in the same way in a single ASA, you will have to reboot the device which means longer downtime than reconfiguring a context.
    There would still be a couple of things to test but at the moment I have no more time for this. I will update if there is any new information.
    - Jouni
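    A pre-change check for the lesson in the post above, written as an added example (not code from the thread or from Cisco): it flags any "logging host ... tcp/<port>" line in a running-config that is not accompanied by "logging permit-hostdown", and counts the %ASA-3-201008 symptom in a batch of syslog lines. The config fragments, interface name and IP addresses are constructed placeholders.

```python
import re

# Constructed sample running-config fragments (interface name and server
# IPs are placeholders, not values from the thread).
CONFIG_WITHOUT_PERMIT_HOSTDOWN = """\
hostname FW-CTX1
logging enable
logging host inside 192.0.2.10 tcp/1470
logging trap informational
"""

CONFIG_WITH_PERMIT_HOSTDOWN = """\
hostname FW-CTX2
logging enable
logging permit-hostdown
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11
"""

# Constructed syslog sample; the 201008 text is the message from the thread.
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.5/443",
    "%ASA-3-201008: Disallowing new connections.",
    "%ASA-3-201008: Disallowing new connections.",
]

# "logging host <ifname> <ip> tcp/<port>"; UDP hosts carry no tcp/ suffix.
_TCP_HOST_RE = re.compile(
    r"^\s*logging host (?P<ifname>\S+) (?P<ip>\S+) tcp/(?P<port>\d+)\s*$",
    re.MULTILINE,
)
_PERMIT_HOSTDOWN_RE = re.compile(r"^\s*logging permit-hostdown\s*$", re.MULTILINE)


def tcp_syslog_findings(config_text):
    """One finding per TCP syslog host configured while 'logging
    permit-hostdown' is absent. An empty list means a failed syslog TCP
    session cannot stall new connections through this context."""
    if _PERMIT_HOSTDOWN_RE.search(config_text):
        return []
    return [
        "TCP syslog host %s on %s (tcp/%s) without 'logging permit-hostdown': "
        "new connections are dropped if the syslog session cannot be established"
        % (m.group("ip"), m.group("ifname"), m.group("port"))
        for m in _TCP_HOST_RE.finditer(config_text)
    ]


def count_disallow_events(log_lines):
    """Count %ASA-3-201008 'Disallowing new connections' messages, the
    symptom the thread saw while the context was stuck."""
    return sum(1 for line in log_lines if "%ASA-3-201008" in line)


if __name__ == "__main__":
    for cfg in (CONFIG_WITHOUT_PERMIT_HOSTDOWN, CONFIG_WITH_PERMIT_HOSTDOWN):
        print(tcp_syslog_findings(cfg) or ["ok"])
    print(count_disallow_events(SAMPLE_LOG))
```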

  • Symantec PKI on Cisco ASA 5585

    I am using a Cisco ASA 5585 in my network; the decision was made to use Symantec PKIs for the certificates. My question is, what the correct syntax would be to implement these PKIs on the ASA. I am trying to get this on the first go, as I want to limit downtime.

    Hi,
    250 virtual contexts and 1024 VLAN’s are supported.
    Don't forget to rate helpful posts.
    Sajid Ali Pathan.

  • Cisco asa 5585 syslog options for ips?

    We have a Cisco ASA 5585 with a separate module for IPS. I want to know what the options for configuring syslog are. It's nearly impossible to find, and there are some forums on the internet which say that the Cisco IPS stores logs in a native / proprietary format and they cannot be exported.
    Please elaborate
    Thanks.

    Some sensor-related events generate syslog messages. Those will be forwarded according to the parent ASA syslog settings.
    Detailed IPS events (signature triggers actions etc.) are stored locally and must be retrieved using the SDEE protocol (tcp-based). That requires use of a management system like Cisco Security Manager (CSM), IPS Manager Express (IME) etc. There is a good document here that explains SDEE in more detail.

  • Cisco asa 5585 MultiContext !!!!

    Hi,
    Is it possible to have contexts in transparent mode and routed mode? Meaning, if I need three contexts then two of them are in routed mode and one of them is in transparent mode. If yes then how? I can't find this info on the Cisco website.
    I am having a 5585-X and ASA version 8.4
    Thanks

    Hi,
    I found some more info see at this document
    http://www.cisco.com/en/US/partner/docs/security/asa/asa84/command/reference/ef.html#wp2016768
    Usage Guidelines
    In 8.4(1) and earlier in multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system configuration. This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.
    In 8.5(1) and later in multiple context mode, you can set this command per context.
    When you change modes, the ASA clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration.
    If you download a text configuration to the ASA that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the ASA changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the ASA clears all the preceding

  • Nexus 7000 SSL wildcard SSL certificate support?

    Hello
    I want to verify if the Nexus 7000 supports wildcard SSL certificates.
    Cheers

    I have the same problem on a 5515-X, and I've tried pretty much the same things. The weird thing for me is that everything worked great until I did an OS upgrade. Back on 8.6.1, my browser successfully verified the certificate on my SSL VPN login page, and AnyConnect never brought up any warning boxes. But after I upgraded to 9.1.3, the box was back to using a self-signed cert. The wildcard identity certificate seems to have just disappeared, though the GoDaddy CA cert and my local CA cert both stayed intact.
    I've used OpenSSL to convert and verify my cert file in a number of different ways, but all of my supposedly valid files still get the import operation failed message. So it seems like there was some OS change that suddenly made my wildcard incompatible, but I haven't figured out what it is yet.
    Hope this helps, for both our sakes.

  • Cisco ASA 5585 Product Numbers..

    Hello,
    I think this will be an easy one for someone.. what do you actually get with each of these product numbers?
    ASA5585-S60-2A-K9 - I suspect this might be a bundle.
    ASA-SSP-60-INC - From what I can tell this is the SSP-60 module.
    Thanks,
    Nick

    check the following link
    https://supportforums.cisco.com/document/47881/sdee-and-ips

  • Command to View LDAP Password on Cisco ASA 5520

    Hello
    I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5) to a Cisco ASA 5585. We have LDAP issues logging in to our VPN client software. I assume the LDAP password may be incorrectly entered on the new 5585. Neither "no service password-encryption" nor "more running:config" will show the encrypted LDAP password. What is the command to view that?
    Thanks!
    Matt

    Thank you Jennifer for the response.
    Could you please help me on how to enable the "memberOf" attribute on AD to be pushed to the ASA for the OU matching.
    I have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access". It can be shown in the debug output as below.
    [454095] sAMAccountName: value = testvendor
    [454095] sAMAccountType: value = 805306368
    [454095] userPrincipalName: value = [email protected]
    [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095] msNPAllowDialin: value = TRUE
    [454095] dSCorePropagationData: value = 20111026081253.0Z
    [454095] dSCorePropagationData: value = 20111026080938.0Z
    [454095] dSCorePropagationData: value = 16010101000417.0Z
    Are there any other settings that I need to do on AD?
    Kindly advise
    Regards
    Shiji

  • Vlan on asa-5585

    Hi,
    Is there any way to create VLANs on a Cisco ASA 5585 in a similar way to how we do it for Cisco switches?
    The ASA in this case is an interface for subsidiary users to connect into this new network.
    We require a few VLANs to be created for some servers on the firewall. The firewall should be the gateway for these servers.
    eg. vlan 100 - 192.168.100.1/24 should be on the ASA firewall.
    How do we achieve this?
    Appreciate all help on this.

    Hi,
    You will have to configure at least one physical interface as a Trunk interface if you want to bring the Vlan all the way to the ASA. Essentially the configuration follows the same lines as configuring a Cisco router to act as the gateway for multiple Vlans behind a switch.
    The actual configuration format depends on how you have set up the ASA. Is it Single Context or Multiple Context?
    In Single Context the configuration would be something like this
    interface GigabitEthernet0/0
     description TRUNK
    interface GigabitEthernet0/0.100
     vlan 100
     nameif LAN
     security-level 100
     ip address 10.10.10.1 255.255.255.0
    interface GigabitEthernet0/0.200
     vlan 200
     nameif DMZ
     security-level 50
     ip address 192.168.10.1 255.255.255.0
    If you are running Multiple Context mode the configuration could be something like this
    interface GigabitEthernet0/0
     description TRUNK
    interface GigabitEthernet0/0.100
     description LAN
     vlan 100
    interface GigabitEthernet0/0.200
     description DMZ
     vlan 200
    context EXAMPLE-CONTEXT
     allocate-interface GigabitEthernet0/0.100
     allocate-interface GigabitEthernet0/0.200
     config-url disk0:/EXAMPLE-CONTEXT.cfg
    Or something along these lines
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni

  • ASA 5585 setting unchecked

    I am seeing a strange issue on 2 of my Cisco ASA 5585s.
    Randomly the "Enable inbound VPN sessions to bypass interface access list. Group...." setting is getting unchecked.
    I have verified that no one is logging into the system.
    Is this a bug in the firmware or the ASDM?

    Hi,
    I have not run into this issue at least.
    First and only thing that comes to mind is that someone is using the ASDM's VPN Wizard to configure new VPN connections and during that changes this Global Setting that you mention.
    On the CLI format the command is
    sysopt connection permit-vpn
    The above is the default setting and will mean that any traffic coming through a VPN connection will bypass the interface ACL of the interface where the VPN is connected to.
    The below form of the command changes the behaviour of the ASA so that any connection will need to be allowed in the interface ACL of the interface where the VPN is connected to.
    no sysopt connection permit-vpn
    You can view the current setting (among all the other system option settings) with
    show run all sysopt
    - Jouni

  • Which routing protocols are supported on ASA 5585

    Hi,
    I am curious to know which routing protocol is well supported on the Cisco ASA 5585. Has someone on the forum implemented routing on an ASA?
    I have an ASA 5585 in context mode; as of now 4 contexts have been created. The upstream device is a Nexus.
    I have ASA with Software Version 8.4(4)1 and Device Manager Version 6.4(9).
    If someone can point me to a good implemented example of a routing protocol in their environment (like OSPF, BGP) that would be great.
    Thanks

    You're welcome.
    Multiple contexts adds another twist - in ASA 8.4 dynamic routing protocols are not supported at all for multiple contexts. Reference.
    ASA 9.0 added support for dynamic routing protocols in multiple context modes, including OSPF v2 (but not v3 for IPv6). Reference.
    FYI ASA 9.1(2) is current as of this writing and is the recommended release in the 9.x train. (Mentioned near the end of the latest TAC Security podcast - episode #37 here.)

  • Tools use to monitor cisco asa

    Hi all,
    I just rolled out a Cisco ASA 5540 and use it as an SSL VPN concentrator.
    Can I know what tools you use to monitor the Cisco ASA, e.g. account with most number of login attempts, number of failed attempts etc.
    TIA!

    You can look at Cisco Prime Collaboration Assurance if you're willing to upgrade to 10.0; they have started providing a free Standard license. They of course hope to upsell you to Advanced but the goal is for Standard to be an alternative to RTMT. There are also a plethora of ecosystem partners with product offerings in the Developer Marketplace.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Installing 3rd party certificate in Cisco ASA

    Hi,
    We have configured a CSR in the Cisco ASA for a 3rd party CA to generate the certificate; however, the CSR configuration was lost for some reason.
    How can we install this certificate without the CSR in the Cisco ASA? Or do we have to generate another certificate from the CA? It will be chargeable for the new certificate.
    Can anyone help to advise?
    Thanks
    Veon

    You don't need the CSR once you have received the certificate from the third party certificate vendor. Just upload the CA Root certificate and the identity certificate from the certificate vendor to the ASA.
    Here is configuration guide for your reference:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
    Hope that helps.

  • Wildcard SSL Cert on ASA 5500

    What do I need to do on the ASA 5520 to be able to use a wildcard SSL cert?  I'm running 8.2.5 code.

    Make sure you get the cert in pkcs12 format and no fqdn. Other than that, just follow the config guide.
    Sent from Cisco Technical Support Android App

  • Wildcard SSL cert on ASA

    Is it possible to use a wildcard SSL cert on an ASA? That is, instead of getting a specific cert with the FQDN of the ASA, we would use the wildcard cert issued?

    Absolutely, it's especially needed in ASA VPN load balancing environments. When you connect to an FQDN that translates to a load balancing IP, one of the ASAs will do an HTTP redirect to its individual hostname, your browser (or AnyConnect) will attempt that connection and the ASA needs to have a certificate for that specific hostname. Having a wildcard cert on all ASAs resolves this. I've got this running on several customers.
    If you need help with configuration, let me know.
    You can either generate private keys on the ASA (and later export it to another ASA or other non-cisco devices), or you could import an existing wildcard certificate with the private keys (in PKCS12-BASE64 format)
    Regards,
    Roman
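    The reason a wildcard certificate works for the load-balancing redirect Roman describes, and the reason it can silently stop working, is the DNS-ID matching rule TLS clients apply: "*" only counts as the whole leftmost label and matches exactly one label. The added example below (not code from the thread, from Cisco, or from any library) implements that rule and reports which hostnames in a VPN cluster a given certificate would not cover; the cluster names are constructed placeholders.

```python
import re

# A DNS label: letters, digits and hyphens, not starting or ending with '-'.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _valid_label(label):
    return bool(_LABEL_RE.match(label))


def wildcard_matches(pattern, hostname):
    """RFC 6125-style matching of a certificate DNS name against a hostname:
    case-insensitive; a literal name must match label for label; '*' is
    honoured only as the entire leftmost label, it stands for exactly one
    label (so '*.example.com' covers asa1.example.com but neither
    example.com nor asa1.dc1.example.com), and '*.com' is rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if not all(_valid_label(l) for l in h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard must be the whole leftmost label, with at least two fixed
    # labels after it, and no other label may contain a wildcard.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hostnames(cert_names, hostnames):
    """Hostnames that none of the certificate's CN/SAN DNS names cover.
    For a VPN cluster, 'hostnames' should list the load-balancer FQDN plus
    each member ASA's own hostname, since clients get redirected to those."""
    return [h for h in hostnames
            if not any(wildcard_matches(n, h) for n in cert_names)]


# Constructed example: cluster FQDN plus two member ASAs (placeholder names).
CLUSTER_NAMES = ["vpn.example.com", "asa1.example.com", "asa2.example.com"]

if __name__ == "__main__":
    print(uncovered_hostnames(["*.example.com"], CLUSTER_NAMES))    # []
    print(uncovered_hostnames(["vpn.example.com"], CLUSTER_NAMES))  # asa1, asa2
    # A member ASA in a sub-zone is NOT covered by the single-level wildcard.
    print(uncovered_hostnames(["*.example.com"], ["asa3.dc1.example.com"]))
```

A hostname that a per-device certificate would need but the wildcard does not cover shows up exactly where the browser or AnyConnect warning from the earlier posts would appear.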
