Devices Behind Firewall ACS 4.0 Local
All,
I just read a post labeled "ACS 4.0 Behind Firewall" and it talked about opening ports 2004 to 5000 to access the ACS server that is behind the firewall. My question is: does this same port range apply if you are trying to access and authenticate to a device that is behind a firewall? When I try to access one of my devices that is behind the firewall I can't authenticate through the ACS box, so I end up using the local username and password. Can anyone tell me what ports I have to open on the firewall to allow the authentication to go back to the ACS server? Thanks
Hi,
TACACS+ authentication service between network devices and the AAA server runs on TCP 49. The 2004-5000 port range is only applicable if you need to access the ACS server (for management purposes) from outside/internet. In your case, if you need to access your devices behind the firewall from an external network, what you need is to map your internal network devices to public IPs and open the desired service port, e.g. SSH (tcp 22), in your firewall's outside interface ACL to allow incoming access.
For your internal devices, you need to have an appropriate AAA configuration that points to ACS (e.g. TACACS+). In your ACS, set these devices up as AAA Clients with the appropriate IP, secret key, and TACACS+ as the protocol.
Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html
Hope this helps.
Rgds,
AK
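When checking whether the device-to-ACS TCP/49 flow actually crosses the firewall, a packet capture on that port is the quickest evidence; the parser below (an added example, not code from the thread or from Cisco) decodes the fixed 12-byte TACACS+ header as defined in RFC 8907 and flags packets whose body was sent with the "unencrypted" flag instead of being obscured with the shared secret. The function names and the sample packet bytes are constructed for this illustration.

```python
import struct

TAC_PLUS_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
HEADER_LEN = 12


def parse_header(data):
    """Decode the 12-byte TACACS+ header; raise ValueError on malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet: %d bytes" % len(data))
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", data[:HEADER_LEN])
    if version >> 4 != 0xC:
        raise ValueError("not TACACS+: major version 0x%x" % (version >> 4))
    if ptype not in TAC_PLUS_TYPES:
        raise ValueError("unknown packet type %d" % ptype)
    return {
        "version": version,  # 0xC0 or 0xC1 (major 0xC, minor 0 or 1)
        "type": TAC_PLUS_TYPES[ptype],
        "seq_no": seq_no,
        # Set when the body is sent in clear instead of obscured with the key.
        "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
        "session_id": session_id,
        "body_len": length,
        # Odd sequence numbers come from the device, even ones from the server.
        "direction": "device->acs" if seq_no % 2 else "acs->device",
    }


def audit_stream(packets):
    """Return one finding per packet whose body was not obscured."""
    findings = []
    for pkt in packets:
        hdr = parse_header(pkt)
        if hdr["unencrypted"]:
            findings.append("session %08x seq %d (%s): body sent unencrypted"
                            % (hdr["session_id"], hdr["seq_no"], hdr["direction"]))
    return findings


# Constructed sample exchange: an authentication START from the device (seq 1)
# with the body obscured, then a server REPLY (seq 2) carrying the unencrypted
# flag, the misconfiguration the audit is meant to surface. Bodies are zeroes.
SAMPLE_START = struct.pack("!BBBBII", 0xC0, 1, 1, 0x00, 0x1234ABCD, 26) + b"\0" * 26
SAMPLE_REPLY = struct.pack("!BBBBII", 0xC0, 1, 2, 0x01, 0x1234ABCD, 6) + b"\0" * 6

if __name__ == "__main__":
    for pkt in (SAMPLE_START, SAMPLE_REPLY):
        print(parse_header(pkt))
    print(audit_stream([SAMPLE_START, SAMPLE_REPLY]))
```

If the capture on the firewall shows SYNs on TCP/49 with no reply, the path is blocked before ACS; if full exchanges appear but the device still falls back to local credentials, the shared secret or AAA Client entry on ACS is the next thing to compare.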
Similar Messages
-
Adding devices behind firewall
I have just installed an AirPort Extreme and want to add my thermostat so I can access it remotely. Do I need to add the MAC address and/or IP address of the thermostats? How do I do this, and where?
-
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet). I was no longer able to ping some devices; then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
Everything seems fine internally, with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enabled the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!
Hi,
I believe you have the problem with your no-nat configurations..... you need to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work:
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine.... all routing in place properly..... Thanks!!!
Regards
Karthik -
PAT with a single public IP and several servers behind firewall
Hi,
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
Single static public IP: 16.2.3.4
Need to PAT several ports to three separate servers behind firewall
One server houses email, pptp server, ftp server and web services: 10.1.20.91
One server houses drac management (port 445): 10.1.20.92
One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.
Here is what I have. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
ASA Version 8.4(4)1
hostname kaa-pix
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.20.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 16.2.3.4 255.255.255.0
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server_smtp
host 10.1.20.91
object service Port_25
service tcp source eq smtp
object service Port_3389
service tcp source eq 3389
object service Port_1723
service tcp source eq pptp
object service Port_21
service tcp source eq ftp
object service Port_443
service tcp source eq https
object service Port_444
service tcp source eq 444
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit icmp any any echo-reply
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any interface outside eq pptp
access-list acl-out extended permit tcp any object server_smtp eq smtp
access-list acl-out extended permit tcp any object server_smtp eq pptp
access-list acl-out extended permit tcp any object server_smtp eq 3389
access-list acl-out extended permit tcp any object server_smtp eq ftp
access-list acl-out extended permit tcp any object server_smtp eq https
access-list acl-out extended permit tcp any object server_smtp eq 444
access-list acl-out extended permit tcp any object drac eq 445
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static server_smtp interface service Port_3389 Port_3389
nat (inside,outside) source static server_smtp interface service Port_1723 Port_1723
nat (inside,outside) source static server_smtp interface service Port_21 Port_21
nat (inside,outside) source static server_smtp interface service Port_443 Port_443
nat (inside,outside) source static server_smtp interface service Port_444 Port_444
nat (inside,outside) source static drac interface service Port_445 Port_445
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
Thanks Lcambron... I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet. The DRAC runs on a different internal server, over port 445. So I have the following lines:
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit tcp any object drac eq 445
nat (inside,outside) source static drac interface service Port_445 Port_445
Am I missing something here? Internally, I can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, I cannot telnet to the external IP address of the ASA on port 445.
Thanks -
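Before testing from outside, it helps to confirm that every static PAT rule in the posted 8.4 config has a matching acl-out entry and vice versa; this added checker (not from the thread, not Cisco tooling) parses a subset of the config above and reports any port that is translated but not permitted, or permitted but not translated. ASA_CONFIG holds lines copied from the post; the function names are this example's own.

```python
import re

PORT_NAMES = {"smtp": 25, "pptp": 1723, "ftp": 21, "https": 443}  # ASA port keywords

# Subset of the config posted above: the two translated hosts, their service
# objects, the acl-out entries and the static PAT rules that refer to them.
ASA_CONFIG = """
object network server_smtp
host 10.1.20.91
object service Port_25
service tcp source eq smtp
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit tcp any object server_smtp eq smtp
access-list acl-out extended permit tcp any object drac eq 445
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static drac interface service Port_445 Port_445
"""

ACL_RE = re.compile(r"access-list acl-out extended permit tcp any object (\S+) eq (\S+)")
NAT_RE = re.compile(r"nat \(inside,outside\) source static (\S+) interface service (\S+) (\S+)")


def port_of(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse(config):
    """Collect network objects, service objects, acl-out entries and PAT rules."""
    hosts, services, acls, nats, current = {}, {}, set(), [], None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["object", "network"]:
            current = ("net", words[2])
        elif words[:2] == ["object", "service"]:
            current = ("svc", words[2])
        elif words[0] == "host" and current and current[0] == "net":
            hosts[current[1]] = words[1]
        elif words[:4] == ["service", "tcp", "source", "eq"] and current and current[0] == "svc":
            services[current[1]] = port_of(words[4])
        elif (m := ACL_RE.match(line)):
            acls.add((m.group(1), port_of(m.group(2))))
        elif (m := NAT_RE.match(line)):
            nats.append((m.group(1), m.group(2), m.group(3)))
    return hosts, services, acls, nats


def check(config):
    """Return (mappings, problems): one mapping per PAT rule, plus mismatches."""
    hosts, services, acls, nats = parse(config)
    mappings, problems, translated = [], [], set()
    for obj, real_svc, mapped_svc in nats:
        real, mapped = services[real_svc], services[mapped_svc]
        # From 8.3 on, the ACL is matched against the real address and real port.
        permitted = (obj, real) in acls
        translated.add((obj, real))
        mappings.append({"object": obj, "host": hosts[obj], "real_port": real,
                         "mapped_port": mapped, "acl_permit": permitted})
        if not permitted:
            problems.append("%s tcp/%d translated but not permitted by acl-out" % (obj, real))
    for obj, port in sorted(acls - translated):
        problems.append("%s tcp/%d permitted by acl-out but not translated" % (obj, port))
    return mappings, problems
```

For the drac object the checker finds both the translation and the permit in place, so the config itself is consistent and the remaining suspects are outside it: the client's path to the outside address, or filtering of TCP/445 upstream of the ASA.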
Issue with Adobe flex data.xml file not reachable from bsp behind firewall
Hi Gurus,
I have a problem with the <mx:HTTPService> tag the following is the actual tag,
<mx:HTTPService
id="Srv"
url="data.xml"
useProxy="false"
method="POST" result="resultHandler(event)"/>
When accessed locally I can see the data in Flex, as data.xml can be reached. When the same is accessed from the internet behind the firewall, the URL is entirely different and the .swf file in the BSP page cannot access data.xml. I cannot give the absolute URL in the tag, as the BSP page application is accessed differently on different servers. Any help on this would be greatly appreciated.
Thanks
Akbar
Sorry, somehow I missed this question. An even easier way to do this is to allow your Flash movie to "script" (this is the default behavior for a Flex application) and then call some JavaScript to obtain exactly what the page URL is, and then go from there to get your data:
import flash.external.ExternalInterface;
import mx.utils.URLUtil;
var pageURL:String;
if (ExternalInterface.available) {
    // Ask the hosting page for its own URL so the .swf needs no hardcoded path.
    pageURL = ExternalInterface.call("window.location.href.toString");
    // Do whatever you need with the URL here.
    var serverName:String = URLUtil.getServerNameWithPort(pageURL);
}
-d -
Can Cisco Device Manager Support ACS Authentication?
Background:
My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.
Problem:
My supervisor would like the Cisco device manager to be available to the people that don't have the in-depth CLI experience. However, in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?
Hi,
Actually, there is a difference as to where the authentication method is picked from for HTTP authentication.
With an HTTP v1 server, the same method list is picked that is used by the VTY lines.
With an HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.
After the fix of the above-mentioned bug, we have a different set of commands that we can use.
I would suggest you to give this a try,
aaa authentication login CONSOLEandHTTP tacacs+ local
aaa authorization exec CONSOLEandHTTP if-authenticated
ip http authentication aaa
line con 0
login authentication CONSOLEandHTTP
authorization exec CONSOLEandHTTP
For detail please refer,
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
Regards,
Prem -
Wireless printing behind firewall
Greetings. Since upgrading to 10.5, I am no longer able to wirelessly print behind firewall unless I check "set access for specific services and applications" under system preferences/security/firewall (on computer allowing printer sharing). I would think that I could print after checking "allow only essential services," since printer sharing is on, and this shows in the list of "specific services" allowed. I was hoping that this would be solved after upgrading to 10.5.3, but it is not.
This applies to all connected USB printers. Router is a Linksys WRT54GS.
Although probably unnecessary, I would prefer to use the more secure firewall setting ("allow only essential services"). Any ideas would be appreciated.
You need to have the right equipment. You have to put the ISP equipment on the DMZ. What you need is an access point that resides on your inside internal network. This AP will associate clients and would place these clients on your internal network. Then you would configure your infrastructure to route the traffic how you wish. The reason you can't do what you want is that an ISP wifi router only has one route it knows..... that is what it knows from the WAN port. So all traffic leaves the WAN port via the ISP default gateway.
Posted from my mobile device. -
Multiple Public IP's on one physical interface for devices behind Router.
Hi guys, I am trying to find information on applying multiple IP addresses to a router
basically one for the router itself and then some for the devices behind the router, which I am sure will need some 1-to-1 NATs. I just do not know if I need to specify all the IP addresses on the main interface.
For example, I have a router with a WAN IP of xxx.xxx.xxx.xxx/25; it only has 2 interfaces, one for WAN and one for LAN. I have a server I would like assigned its own public IP address, but still on the same LAN network.
Could someone help me out and point me in the right direction with a sample config?
I agree with the previous response that you need a static NAT to allow outside resources to initiate traffic to your server. You also will need NAT or PAT using the router interface address to allow the other hosts in your network to access outside.
You do not need to configure any of the other addresses on the router interface, other than the primary IP that you assign to the router interface. As long as the other addresses are used for NAT/PAT, they are configured in the NAT statements and not on the physical interface.
HTH
Rick -
ITunes Ver 10.6 Radio will not play behind firewall
iTunes Ver 10.6 Radio will not play behind firewall while version 10.5 works just fine.
I uninstalled and reinstalled a fresh version of 10.6 rather than just upgrading and still not working.
Our Firewall is BlueCoat....
Works just fine outside the firewall..
Anyone have any suggestions?
Thanks in Advance
david
Update:
I also noticed that version 10.5 doesn't prompt for Proxy credentials while version 10.6 does...
thanks in advance
d -
We have a server behind a firewall; the SMTP ports are opened on the firewall. When the application tries to send mail using the Java Mail API, I get the following error. Anything wrong with the firewall (or) the mail API?
javax.mail.SendFailedException: Sending failed;
nested exception is:
javax.mail.MessagingException: 530 5.7.3 Client was not authenticated
at javax.mail.Transport.send0(Transport.java:219)
at javax.mail.Transport.send(Transport.java:81)
I think you have made it to the mail server (sounds like Exchange). Looks like the server is set up to require authentication on incoming SMTP requests. Look here
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20250036.html
Of course, I could be wrong and your firewall has a custom message for SMTP traffic which isn't coming from an 'authorized' mail server or an authenticating proxy server. -
Hi All, can anyone help me with device authentication on an ACS server? I have a Wi-Fi setup with some lightweight access points and a wireless controller (WiSM). Now I want to control device access so that PDAs have limited access to the network over wireless, whereas laptop users have unlimited access to the network. I have configured a single SSID and multiple VLANs with the help of ACS 4.1. I cannot configure another SSID on the controller. I also cannot configure a different user ID for PDA users; they want to use their Windows user ID on the laptop as well as on the PDA. So I don't have the option to control PDAs and laptops on a user-ID and SSID basis. Is there any other way to control these devices on ACS or the wireless controller so that I can control the devices' access?
Thanks
Hi,
That is quite interesting....
What I can think of right now is to use NAP.
Filter the authentication request based on MAC address, calling station ID, that will come in Access Request.
PDA's (if of a particular manufacturer) will have some similarity in MAC address as compared to Laptops.
Which, you can filter based on Advanced Filtering option.
And once that request comes under the defined NAP, go for RAC, and configure RADIUS attributes 64, 65 and 81 to make PDAs go into different VLANs compared to laptops.
Logically it should work, if I understand this correctly :)
Worth a try.
Please share the results, if you decide to go for it.
Regards,
Prem -
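The approach in the reply above, classifying by Calling-Station-Id prefix and returning attributes 64/65/81, looks like this when worked through; it is an added example, not ACS code or anything from the thread, and the OUI prefixes, VLAN ids and Access-Request samples are constructed placeholders. The normalization step matters because controllers send the MAC in several formats.

```python
import re

# Constructed placeholder OUIs (first three octets -> device class); a real
# deployment would load the vendor prefixes of the PDAs actually in use.
OUI_CLASSES = {"001122": "pda", "aabbcc": "pda", "00dead": "laptop"}

# VLAN per class: PDAs land on a restricted VLAN, laptops on the full network.
VLAN_FOR_CLASS = {"pda": "20", "laptop": "10"}

# RADIUS tunnel attributes (RFC 2868 / RFC 3580) that ACS returns in the RAC:
# 64 Tunnel-Type = 13 (VLAN), 65 Tunnel-Medium-Type = 6 (IEEE-802),
# 81 Tunnel-Private-Group-ID = the VLAN id as a string.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def normalize_mac(calling_station_id):
    """Reduce the forms controllers send (00-11-22-33-44-55, 0011.2233.4455,
    00:11:22:33:44:55) to 12 lowercase hex digits; None if it is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    return digits if len(digits) == 12 else None


def classify(calling_station_id, default="pda"):
    """Device class from the OUI; unknown prefixes fall to the restricted
    class (fail closed), a choice made here rather than by the thread."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None
    return OUI_CLASSES.get(mac[:6], default)


def vlan_attributes(calling_station_id):
    """The three attributes to add to the Access-Accept, or None when the
    request carries no usable MAC (so the NAP filter does not match)."""
    device_class = classify(calling_station_id)
    if device_class is None:
        return None
    return {64: TUNNEL_TYPE_VLAN, 65: TUNNEL_MEDIUM_802,
            81: VLAN_FOR_CLASS[device_class]}


# Constructed Access-Requests: (User-Name, Calling-Station-Id). The same
# Windows account appears from a PDA and from a laptop, as in the question.
SAMPLE_REQUESTS = [
    ("CORP\\alice", "00-11-22-33-44-55"),
    ("CORP\\alice", "00de.ad01.0203"),
    ("CORP\\bob", "aa:bb:cc:dd:ee:ff"),
    ("CORP\\bob", "not-a-mac"),
]


def assign_all(requests):
    return [(user, vlan_attributes(csid)) for user, csid in requests]


if __name__ == "__main__":
    for user, attrs in assign_all(SAMPLE_REQUESTS):
        print(user, attrs)
```

A MAC prefix identifies a device class but authenticates nothing, since any client can present any address, so this separates PDAs from laptops for convenience and should not be relied on as a security boundary between the two VLANs.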
Accessing application 11.5.7 through internet and behind firewall
Hi,
We are going to install Oracle Applications 11.5.7 on Sun Solaris 8 on a single node. We want to access our application through the internet, i.e. www.abc.com/myapplications. Is it possible? What are the prerequisites for this?
And one more thing: our application is going to be behind a firewall. What are all the precautions I need to take before I install?
Are there any documents in the metalink or in any other website.
Any help on this is highly appreciated.
Thanks
Girishailendra
In Apps, when you are connecting to the database using sqlplus you should mention the service name too. This could generally be your SID name, for example: system/manager@prod.
Regarding your second query, sysadmin is the default username created by Apps to carry out the system administration, and this user has a number of responsibilities defined, of which Application Developer is one. So when you log in using this username you have to tell Apps which responsibility you want to carry with you.
If you want to log in directly to the Application Developer responsibility, then create a user and assign him this responsibility, and log in with this user.
Anyway, there is one more default user called operations, and the password is welcome.
Hope this helps you; please get back with your comments.
Note: I request all the working APPS DBA's to share their knowledge in this forum.
regards
srinivas -
With itunes match live on my iOS devices, can I now remove all local music files from my PC to free up space? There's no need to keep it if it will always be in the cloud. Right?
-
Updates Firmware behind firewall
Hi there...
I have a weak question ..he..he...
Can I update my N70 firmware if I am behind a firewall? I mean my firewall doesn't allow/permit the updater software to reach the internet connection...
The firewall is integrated on the server....
You have to allow your firewall to let the NSU connect to the remote update servers. Without this, you'll just get "Unable to connect to NOL" messages on the software updater. =)
-
What are prerequisite for Design Studio Client tool behind firewall?
Hi Experts,
Can you tell me what are prerequisites for Design Studio Client tool behind firewall?
Best Regards,
Pushkar
Hi Pushkar,
In which 'mode' would you like to use the Design Studio Client application. Connected to the BI platform, SAP HANA, etc?
With kind regards,
Martijn