Devices Behind Firewall ACS 4.0 Local

Similar Messages

• Adding devices behind firewall

  i have just installed an AirPort Extreme and want to add my thermostat so i can access them remotely.  Do i need to add the MAC address and or IP Address of the thermostats?  How do i do this and where?

  Hi,
  TACACS+ authentication service between Network devices and AAA Server is running on TCP 49. The 2004-5000 port range is only applicable if you need to access ACS Server (for management purposes) from outside/internet. In your case, if you need to access your devices behind firewall from external network, what you need is map your internal network devices with public IP, and open ddesired service port, e.g SSH (tcp 22) on your Firewall outside interface ACL to allow incoming access.
  For your internal devices, you need to have appropriate AAA configuration that point to ACS (e.g TACACS+). In your ACS, set these devices as AAA Client, and configured appropriate IP, secret key and using TACACS+.
  Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html
  Hope this helps.
  Rgds,
  AK

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• PAT with a single public IP and several servers behind firewall

  Hi,
  New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
  Single static public IP:  16.2.3.4
  Need to PAT several ports to three separate servers behind firewall
  One server houses email, pptp server, ftp server and web services: 10.1.20.91
  One server houses drac management (port 445): 10.1.20.92
  One server is the IP phone server using a range of ports: 10.1.20.156
  Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. 
  Here is what I have.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
  ASA Version 8.4(4)1
  hostname kaa-pix
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.20.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 16.2.3.4 255.255.255.0
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network server_smtp
  host 10.1.20.91
  object service Port_25
  service tcp source eq smtp
  object service Port_3389
  service tcp source eq 3389
  object service Port_1723
  service tcp source eq pptp
  object service Port_21
  service tcp source eq ftp
  object service Port_443
  service tcp source eq https
  object service Port_444
  service tcp source eq 444
  object network drac
  host 10.1.20.92
  object service Port_445
  service tcp source eq 445
  access-list acl-out extended permit icmp any any echo-reply
  access-list acl-out extended permit icmp any any
  access-list acl-out extended permit tcp any interface outside eq pptp
  access-list acl-out extended permit tcp any object server_smtp eq smtp
  access-list acl-out extended permit tcp any object server_smtp eq pptp
  access-list acl-out extended permit tcp any object server_smtp eq 3389
  access-list acl-out extended permit tcp any object server_smtp eq ftp
  access-list acl-out extended permit tcp any object server_smtp eq https
  access-list acl-out extended permit tcp any object server_smtp eq 444
  access-list acl-out extended permit tcp any object drac eq 445
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static server_smtp interface service Port_25 Port_25
  nat (inside,outside) source static server_smtp interface service Port_3389 Port_
  3389
  nat (inside,outside) source static server_smtp interface service Port_1723 Port_
  1723
  nat (inside,outside) source static server_smtp interface service Port_21 Port_21
  nat (inside,outside) source static server_smtp interface service Port_443 Port_4
  43
  nat (inside,outside) source static server_smtp interface service Port_444 Port_4
  44
  nat (inside,outside) source static drac interface service Port_445 Port_445
  object network obj_any
  nat (inside,outside) dynamic interface
  route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  prompt hostname context
  no call-home reporting anonymous

  Thanks Lcambron...I got PPTP to work.  Everything else works fine.  I can access email, access my web server, FTP server, and PPTP server.  However, from the above configuration, I cannot access my DRAC over the internet..The DRAC runs on a different internal server, and over port 445.  So I have th following lines:
  object network drac
  host 10.1.20.92
  object service Port_445
  service tcp source eq 445
  access-list acl-out extended permit tcp any object drac eq 445
  nat (inside,outside) source static drac interface service Port_445 Port_445
  Am I missing something here?  Internally, i can telnet to port 445 on 10.1.20.92, so I know it is listening.  However, externally, i cannot telnet to my external ip address of the ASA through port 445. 
  Thanks

• Issue with Adobe flex data.xml file not reachable from bsp behind firewall

  Hi Gurus,
  I have a problem with the <mx:HTTPService> tag the following is the actual tag,
  <mx:HTTPService
  id="Srv"
  url="data.xml"
  useProxy="false"
  method="POST" result="resultHandler(event)"/>
  When accessed locally I can see the data in the flex as the data.xml can be reached. when the same is accessed from internet behind firewall, the url is entirely different and the .swf file in the BSP page cannot access the data.xml. I cannot give the absolute url in the tag as the BSP page application is accessed differently in different servers. any help on this would be greatly appreciated
  Thanks
  Akbar

  Sorry somehow I missed this question, an even easier way to do this is to allow your Flash movie to "script" ( this is the default behavior for a Flex application ) and then call some javascript to obtain exactly what the page URL is and then go from there to get your data:
  import flash.external.ExternalInterface;
  import mx.utils.URLUtil;
  var
  if(ExternalInterface.available){
       pageURL = ExternalInterface.call("window.location.href.toString");
  // Do whatever you need with the URL here.
       var serverName:String = URLUtil.getServerNameWithPort(pageURL);
  -d

• Can Cisco Device Manager Support ACS Authentication?

  Background:
  My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.
  Problem:
  My supervisor would like the cisco device manager to be available to the people that don't have the in depth cli experience. However in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

  Hi,
  Actually, there is a difference as from where the authentication is picked from for HTTP authentication,
  With HTTP v1 server, same method list is picked, that is used by VTY lines.
  With HTTP v1.1 server, but before the integration of fix for bug CSCeb82510, the method list defined for console is checked.
  After the fix of the above mentioned bug, we have some different sent of commands that we can use.
  I would suggest you to give this a try,
  aaa authentication login CONSOLEandHTTP tacacs+ local
  aaa authorization exec CONSOLEandHTTP if-authenticated
  ip http authentication aaa
  line con 0
  login authentication CONSOLEandHTTP
  authorization exec CONSOLEandHTTP
  For detail please refer,
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
  Regards,
  Prem

• Wireless printing behind firewall

  Greetings. Since upgrading to 10.5, I am no longer able to wirelessly print behind firewall unless I check "set access for specific services and applications" under system preferences/security/firewall (on computer allowing printer sharing). I would think that I could print after checking "allow only essential services," since printer sharing is on, and this shows in the list of "specific services" allowed. I was hoping that this would be solved after upgrading to 10.5.3, but it is not.
  This applies to all connected USB printers. Router is a Lyksys WRT54GS.
  Although probably unnecessary, I would prefer to use the more secure firewall setting ( "allow only essential services"). Any ideas would be appreciated.

  You need to have the right equipment. You have to put ISP equipment on the DMZ. What you need is an access point that resides on your inside internal network. This AP will associate clients and would place these clients on your internal network. Then you would configure your infrastructure to route the traffic how you wish. The reason you can't do what you want is that an ISP wifi router only has one route it knows..... That is what it knows from the wan port. So all traffic leaves the wan port via the ISP default gateway.
  Posted from my mobile device.

• Multiple Public IP's on one physical interface for devices behind Router.

  Hi guys, I am trying to find information on applying multiple IP addresses to a router
  basically one for the Router itself and then some for the devices behind the router, Which i am sure I need to apply some 1 to 1 NATs. I just do not know if i need to specify all the IP addresses on the main interface.
  Example being I have a router with WAN ip of xxx.xxx.xxx.xxx/25 , it only has 2 interface one for WAN one for LAN, i have a server I would like assigned its own public IP address.  but still on the same LAN network.
  Could someone help me out and point me in the right direction with a sample config

  I agree with the previous response that you need a static NAT to allow outside resources to initiate traffic to your server. You also will need NAT or PAT using the router interface address to allow the other hosts in your network to access outside.
  You do not need to configure any other of the addresses on the router interface other than the primary IP that you assign to the router interface. As long as the other addresses are used for NAT/PAT they are configured in the nat statements and not on the physical interface.
  HTH
  Rick

• ITunes Ver 10.6 Radio will not play behind firewall

  iTunes Ver 10.6 Radio will not play behind firewall while version 10.5 works just fine.
  I uninstalled and reinstalled a fresh version of 10.6 rather than just upgrading and still not working.
  Our Firewall is BlueCoat....
  Works just fine outside the firewall..
  Anyone have any suggestions?
  Thanks in Advance
  david

  Update:
  I also noticed that version 10.5 doesn't prompt for Proxy credentials while version 10.6 does...
  thanks in advance
  d

• SMTP behind Firewall

  We have a sever behind firewall, the SMTP ports are opened on firewall. When the application tries to send mail using java mail API, I get the following error. Anything worng with firewall (or) mail api ?
  javax.mail.SendFailedException: Sending failed;
  nested exception is:
  javax.mail.MessagingException: 530 5.7.3 Client was not authenticated
  at javax.mail.Transport.send0(Transport.java:219)
  at javax.mail.Transport.send(Transport.java:81)

  I think you have made it to the mail server (sounds like exchange). Looks like the server is setup to require authentication on incoming SMTP requests. Look here
  http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20250036.html
  Of course, I could be wrong and your firewall has a custom message for SMTP traffic which isn't coming from a 'authorized' mail server or a authenicating proxy server.

• Device authorisation on ACS

  Hi All, Can any one help me on Device authentication on ACS server. I have WI-FI setup with some lighteight access point & Wireless controller (WiSM). Now I want to controll device access like PDA can have limited access to network over wireless where as laptop users have unlimited access to network..I have configured single SSID & multiple vlans with the help of ACS 4.1.I can not configure another SSID on controller.Even I can not configure different user ID for PDA users, they want to use Windows User ID on laptop as well as on PDA. So I dont have option to controll PDA & Laptops on user id & ssid basis. Is there any other way to controll these devices on ACS or wireless controller so that I can controll the devices's access.
  Thanks

  Hi,
  That is quite interesting....
  What I can think of right now is to use NAP.
  Filter the authentication request based on MAC address, calling station ID, that will come in Access Request.
  PDA's (if of a particular manufacturer) will have some similarity in MAC address as compared to Laptops.
  Which, you can filter based on Advanced Filtering option.
  And once that request comes under the defined NAP, for for RAC, and configure radius attribute 64, 65 and 81, to make PDA's go into different VLAN's as compared to Laptops.
  Logically it should work, if I understand this correctly :)
  Worth a try.
  Please share the results, if you decide to go for it.
  Regards,
  Prem

• Accessing application 11.5.7  through internet and behind firewall

  Hi,
  We are going to install Oracle application 11.5.7 on Sunsolaris 8 on Single Node. We want to access our application through internet i.e www.abc.com/myapplications, is it possible. what are the prerequistes for this.
  And one more thing, our application are going to be behind firewall. what are all the precautions do I need to take before I install.
  Are there any documents in the metalink or in any other website.
  Any help on this is highly appreciated.
  Thanks
  Giri

  shailendra
  in apps when you are connecting to database using sqlplus you should mention the service name too.this could be generally your sid name , for example : system/manager@prod.
  regarding your second query sysadmin is the default username created by apps to carry out the system administration , and this user has number of responsibilities defined , out of which application developer is one such responsibility. so when you login using this username then you have to metion to the apps by what responsibility you want to carry with you.
  if you want to directly login to application developer responsibility ,then create one user and assign him this responsibility. login with this user.
  Any way you have one more default user is there called operations and password is welcome
  hope this will helps you , pls get back with ur comments.
  Note: I request all the working APPS DBA's to share their knowledge in this forum.
  regards
  srinivas

• With itunes match live on my iOS devices, can I now remove all local music files from my PC to free up space?  There's no need to keep it if it will always be in the cloud.  Right?

  With itunes match live on my iOS devices, can I now remove all local music files from my PC to free up space?  There's no need to keep it if it will always be in the cloud.  Right?

  With itunes match live on my iOS devices, can I now remove all local music files from my PC to free up space?  There's no need to keep it if it will always be in the cloud.  Right?

• Updates Firmwire behind firewall

  Hii there...
  I have a weak question ..he..he...
  can I update my n70 firmwire if I behind firewall? I mean my firewall doesn't allow/permit the updater software to reach the internet connection...
  The firewall is integrated on server....

  You have to allow your firewall to let the NSU connect to the remote update servers. Without this, you'll just get "Unable to connect to NOL" messages on the software updater. =)

• What are prerequisite for Design Studio Client tool behind firewall?

  Hi Experts,
  Can you tell me what are prerequisites for Design Studio Client tool behind firewall?
  Best Regards,
  Pushkar

  Hi Pushkar,
  In which 'mode' would you like to use the Design Studio Client application. Connected to the BI platform, SAP HANA, etc?
  With kind regards,
  Martijn