Command in cisco ASA to see security zones

Similar Messages

• Cisco ASA 5510 Content Security bundle

  Hello,
  please help me  to understand if i buy  the    Cisco ASA 5510 Content Security bundle  for  my  network   found  there is   1 yr subscription for the content
  security features.  what are  services included in it.  Does   URL blocking and filtering  includ  in this subscription  or  its a seperate features.
  Thanks,
  Saroj Pradhan

  Here is the license for CSC module and it lists what is included in Basic and Plus CSC license:
  http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
  One year subscription is providing you the ability to upgrade the virus scan engine, spyware pattern file, anti spam, etc

• Iptables command "translated" Cisco ASA 5540 Ver 9.0(1)

  I would like to have these commands on our Firewall to avoid at least several students to use this service. Can someone help me to translate this? It's apparently working great if I will use an Linux box or another firewall compatible with iptables.
  Thanks in advance.
  Hermano
  iptables -I INPUT -s hotspotshield.com -j REJECT
  iptables -I INPUT -s hotspotshield.net -j REJECT
  iptables -I INPUT -s anchorfree.com -j REJECT
  iptables -I INPUT -s anchorfree.net -j REJECT
  iptables -I INPUT -s openvpn.net -j REJECT
  iptables -I OUTPUT -d hotspotshield.com -j REJECT
  iptables -I OUTPUT -d hotspotshield.net -j REJECT
  iptables -I OUTPUT -d anchorfree.com -j REJECT
  iptables -I OUTPUT -d anchorfree.net -j REJECT
  iptables -I OUTPUT -d openvpn.net -j REJECT

  Check the following link, it should help you out.
  http://www.packetpros.com/2012/08/url-filter-on-asa.html

• Azure Site to Site VPN with Cisco ASA 5505

  I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
  IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
  Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
  Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
  Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
  Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
  I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
  (Does azure support 9.x version of asa?)
  How can i fix it?

  Hi,
  As of now, we do not have any scripts for Cisco ASA 9x series.
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
  demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  Did you download the VPN configuration file from the dashboard and copy the content of the configuration
  file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
  According to the
  Cisco ASA template, it should be similar to this:
  access-list <RP_AccessList>
  extended permit ip object-group
  <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
  nat (inside,outside) source static <RP_OnPremiseNetwork>
  <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
  <RP_AzureNetwork>
  Based on my experience, to establish
  IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
  VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
  compatible for dynamic routing, please make sure that you chose the static routing.
  Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
  Hope this helps you.
  Girish Prajwal

• Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

  Hello
  I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
  The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
  So I am stuck...
  What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
  I was hoping Azure's VPN solution would be very flexible.
  Thanks

  Hello RTF_Admin,
  1. Which is the Series of CISCO ASA device you are using?
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dyanmic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
  I hope that this information is helpful
  Thanks,
  Syed Irfan Hussain

• Cisco ASA Security Levels

  Hi All
  I have just started working on Cisco ASAs and working on following scenario:
  3 Depts having 3 separate Networks given following names
  Finance
  Accounts
  HR
  Communication Between them should be restricted and allowed on specfic host and services. My approach is that I have assigned security level of "0"
  to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host , traffic stops flowing for all other hosts except for the one which was granted access in access-list.
  Is my approach right? Please do advise, and also Is this a default behaviour of ASA to implicitly deny traffic for all host as soon as I place a acl after enabling same-security-traffic permit inter-interface.
  Thanks and Regards

  Hello,
  If all of the networks zone have the same security level for your company then you can use the same one on them.
  Remember that all the ACL's have an implicit deny at the bottom, so the behavior is expected.
  Same security level interfaces with the same-security-traffic command will be allow to exchange traffic without the need on an ACL but as soon as you place one on any of those interfaces you will need to specify the traffic you will need to allow.
  Regards,
  Rate all the helpful pots
  Julio
  Security Engineer

• Cisco ASA ( Adaptiv Security Algorithm )?

  Hello,
  Im french so sorry for my english , i will do my best to explain my question.
  Im actually working on Cisco PIX 501 ( for school ).
  I have to do some test on it , search what is able to do and how to proove it...
  My question is about Cisco ASA ( Adaptiv Security Algorithm ) , what is it doing? i mean it just simply stop every information coming from outside to inside(security 0 to 100) or is it doing more? is it searching wrong/good packets or just stop everything?and if it's doing that , how it's done?
  My question could be : what cisco ASA doing more than ACL?
  I hope im clear enough in my questions,i search a lot on internet but didnt find an answer.
  Thank you!
  Amaury

  if i understand good what you mean , ASA/algorithm is a part of different processes which are part of stateful inspection
  not really,  I would say that stateful inspection is part of the adaptive security algorithm.  The algroithm goes through processes such as ACL check, NAT..etc. and based on these check makes entries in the state table.
  ( by the way stateful inspection = stateful firewalling , right?)
  Kind of.  Stateful inspection is what the stateful firewall does and not what it is if you can understand that.  A stateful firewall performs stateful inspection.  So stateful inspection is not a firewall.
  when you said "showing tcp  connections and NAT xlate table entries at  the firewall CLI before and  after" , iam ok with that but what are the  command to check table entries? i cant find it.
  show conn protocol tcp will show you the TCP connections through the firewall and show xlate will show you the NAT translation that are currently active.
  Aswell i will need the commands to configure ( if possible ) stateful  inspection and traffic inspection , but i will try search by myself  because i didnt start yet
  Again, stateful inspection is not something you configure but is what the ASA does based on configured rules.  so all you need to do is configure ACLs and NAT rules and routing and the ASA does all the stateful inspection stuff on its own.
  Please remember to rate and select a correct answer

• Interactive Commands in NetConfig for Cisco ASA

  Hi,
  Maybe anyone knows, does CiscoWorks LMS supports this feature for Cisco ASA or I'm doing something wrong? I've sent interactive command "copy tftp: flash: <R>ip_address<R>asa841-k8.bin<R><R>"  to my ASA using netconfig tool and recived error "Command(s) failed on the device Insufficient no. of interactive responses(or timeout) for command: copy tftp: flash: ." For Cisco Catalyst it works fine. I have a last version of CiscoWorks 4.0.1.

  No, SWIM doesn't support ASDM upgrades, but what you're doing here is a system software upgrade.  What you might try doing is to increase the telnet timeout for this device.  Unfortunately, that feature is hidden in LMS 4.0, but see this document on how to do that:
  https://supportforums.cisco.com/docs/DOC-15162
  The document talks about inventory collection, but the interface to adjust the telnet timeout is in the same location as the SNMP timeout.  You'll want to time the transfer to know how long to make the timeout.

• Can't save Cisco ASA configuration in GNS3 via write memory command

  Hi all,
  I’m having a problem to save Cisco ASA configuration in GNS3 via write memory command.
     ciscoasa(config)# wr mem
     Building configuration…
     Cryptochecksum: c066a7ab b5b9071e bb5ee1f6 2d93be53
     %Error copying system:/running-config (Not enough space on device)
     Error executing command
     [FAILED]
     ciscoasa(config)#
  Here are the details of the lab setup.
  PC DETAILS:
     Windows 7 Enterprise SP1 64bit
     GNS3 v0.8.6 all-in-one (installer for 32-bit and 64-bit which includes Dynamips, Qemu/Pemu, Putty, VPCS, WinPCAP and Wireshark)
  ASA DETAILS:
     13,279,888 asa802-k8.bin.unpacked.initrd
     1,095,856 asa802-k8.bin.unpacked.vmlinuz
  Please advise. Thanks in advance.
  http://firewallengineer.wordpress.com/2014/02/19/problem-cisco-asa-in-gns3-error-copying-systemrunning-config-not-enough-space-on-device/

  instead of this:
  To create a flash file
  cd "C:\Program Files\GNS3\qemu-2.1.0"
  qemu-img.exe create c:\FLASH 256M
  try this:
  To create a flash file
  cd "C:\Program Files\GNS3\qemu-2.1.0"
  qemu-img.exe create c:\User\usuario\GNS3\FLASH 256M
  Let me know if is helpfull.

• Command to View LDAP Password on Cisco ASA 5520

  Hello
  I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
  Thanks!
  Matt

  Thankyou Jennifer for the responds.
  Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
  i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
  [454095] sAMAccountName: value = testvendor
  [454095] sAMAccountType: value = 805306368
  [454095] userPrincipalName: value = [email protected]
  [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
  [454095] msNPAllowDialin: value = TRUE
  [454095] dSCorePropagationData: value = 20111026081253.0Z
  [454095] dSCorePropagationData: value = 20111026080938.0Z
  [454095] dSCorePropagationData: value = 16010101000417.0Z
  Is their any other settings that i need to do it on AD ?
  Kindly advice
  Regards
  Shiji

• Cisco ASA disable command line interface (CLI) vor VPN Remote Access users

  Hi,
  I have local database for a couple of VPN Remote Access users on our Cisco ASA 5510 firewall. When adding users i asigned them the privilege leve 0. Is it possible to completly disable CLI for theses users as they will only be using VPN Remote Access and do not need to access the appliance cli.
  Thanks in advance.
  Kind Regards,
  Marco

  Hi,
  We will need to use the vpn-filter or the ssh command to block ssh from the vpn pool.
  Regards,
  Vivek

• Cisco asa security context active/active failover

  Hi,                  
  I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
  Each ASA appliance will have two security context named "ctx1" & "ctx2".
  I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
  I am a reading a book on failover configuration in active/active in that below note is mentioned.
  If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
  What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
  Regards,
  Nick

  Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

• Secure Zone - Team manager seeing team member activity

  We are setting up a secure zone where there are team managers, each with multiple team members.
  We need the team manager to be able to see their own activity - plus have access to their team members' activity/accounts.
  Is this possible?
  Paul

  Activity in terms of cases etc. If they have seperate logins then NO. This is secure information and private to that person so you can not access that.

• Content Security Licensing on Cisco ASA

  Hi Guys,
  Need help on licensing of content security on Cisco ASAs. Hope someone would be able to help.
  Our customer has a ASA5520-CSC20-K9 (default 500 users) appliance. When the appliance was first bought, they upgraded it to 750 user license and PLUS feature license. They want to renew these licenses. Kindly advise the following:
  1. In order to do so, is it right that the customer has to purchase both the following (to cater to the 750 users and PLUS features)?
  • L-ASACSC20-500UP1Y     ASA 5500 CSC-SSM-20 500-User w/ Plus Lic. Renewal (1-year)
  • L-ASACSC20-250UP1Y     ASA 5500 CSC-SSM-20 250-User w/ Plus Lic. Renewal (1-year)
  2. Do the renewal licenses above include BASE features (Anti-Virus, Anti-Spyware, File-Blocking)?
  Thanks!
  Citra

  That unfortunate.  It seems like with the VPN licensing they realized if you were in an active/standby configuration then you should only have to pay for one license, thus the license change in 8.3+ only requires you to purchase one license.  I thought this would have carried over into IPS. 
  Beings we haven't failed over to the standby unit in 2 years, would it be possible to install the IPS module in both the active and standby appliances, but just license the one in the active mode?  I don't care if we are running without IPS on the standby if we did have to failover for some amount of time.  Or does having it licensed on one and not the other mess with being in active/standby failover mode?

• CISCO ASA Commands - No Object Resolution

  How can I dump the configuration on a Cisco ASA where it does not resolve defined objects in the configuration?
  For example: show route produces an output with object name instead of network address

  Hi,
  If I understood you correctly then your problem is that instead of IP addresses you are seein names/text in the configurations?
  If this is true then I think your problem is probably because of the "name" configurations
  You can use the following command to view the current configurations
  show run names
  If you want to disable the name/IP pairing from showing on the configuration you can use the following command
  no names
  It should not remove any of the "name" configurations but rather disables them from being used/viewed in the configuration. You can re-enable it with  the command "names"
  Hope this helps
  Please do remember to mark a reply as the correct answer if it answered your question.
  Feel free to ask more if needed
  - Jouni