EIGRP SHA Authentication for Cisco ASA

Similar Messages

• Interactive Commands in NetConfig for Cisco ASA

  Hi,
  Maybe anyone knows, does CiscoWorks LMS supports this feature for Cisco ASA or I'm doing something wrong? I've sent interactive command "copy tftp: flash: <R>ip_address<R>asa841-k8.bin<R><R>"  to my ASA using netconfig tool and recived error "Command(s) failed on the device Insufficient no. of interactive responses(or timeout) for command: copy tftp: flash: ." For Cisco Catalyst it works fine. I have a last version of CiscoWorks 4.0.1.

  No, SWIM doesn't support ASDM upgrades, but what you're doing here is a system software upgrade.  What you might try doing is to increase the telnet timeout for this device.  Unfortunately, that feature is hidden in LMS 4.0, but see this document on how to do that:
  https://supportforums.cisco.com/docs/DOC-15162
  The document talks about inventory collection, but the interface to adjust the telnet timeout is in the same location as the SNMP timeout.  You'll want to time the transfer to know how long to make the timeout.

• How we archieve configuration for Cisco ASA 5500 series appliances

  Hi,
  We need to archieve configuration for Cisco ASA 5500 series appliances.
  We have Cisco works LMS 3.0.1.
  Device package installed is 4.2
  Any help would be appricated.
  Thanks in advance.
  Samir

  Hi ,
  Thanks for your answer.
  Right now we are using TACAS to login in to the ASA. That means we need single username and password to login via
  Cisoworks. Am I correct ?
  Waiting for your reply.
  thanks,
  Samir

• Is it recommend to have a vulnerability scan for Cisco ASA device.

  Dear everyone. 
  I have a doubt on vulnerability scan for Cisco ASA device. Currently we have a vulnerability for network devices include firewall. But after run the vulnerability scan for cisco ASA, found nothing show in the scan report. 
  Is it recommend to have a vulnerability scan for Cisco ASA and will it be defeat the purpose of firewall?

  Do I understand are you asking can you configure the ASA to allow an external user run a scan against the internal network?
  If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.
  If you had a remote access VPN, you could allow the external scanner to log in via that, Then they would then have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks)

• Security monitoring tool for Cisco ASA

  Please suggest a checp and best security monitoring tool for Cisco ASA devices.

  You can use ossec, open source tool installed on linux:
  http://www.ossec.net/

• Manually start RADIUS, Authentication and groups for Cisco ASAs

  I am testing moving a 10.7 server to 10.8.
  We have used RADIUS to authenticate VPN traffic on our Cisco ASAs in the past.  In the past Server Admin allowed for our ASAs to be added manually to the list of devices using the service.  With Server Admin being removed and the limited funtionality of automated addition of Airports to the system I have no GUI method to get our ASAs into the service.  The ability to tell RADIUS which groups are using the service is no longer available in the GUI as well.
  I have found the clients file in /etc/raddb and added our ASAs to the clients list.  I believe I have done this correctly in accordance with the instructions on the freeRADIUS website.
  I need help with:
  1- I was hoping someone knows how to manually tell RADIUS which groups are permitted to use the service.
  2- Can anyone tell me how to turn on RADIUS?  radiusconfig -start appears to only tell the system to keep it on after a restart if i understand the manual page.
  Thanks

  With David's suggestion I was able to get RADIUS running.  The following assumes that you are comfortable with Terminal and would be able to back up any files you edit.  Here is what I did to our fresh installation of 10.8 Server:
  In Terminal enter "sudo radiusd -Xx" which tries to turn RADIUS on and runs it with full logging of activity in the window.  The last line after this entry should be something similar to "Ready to process records."  In our new installtion there were errors relating to "instantiating" sql and the ready message never came.
  In Terminal enter "sudo pico /etc/raddb/radiusd.conf" and authenticate as needed.  Scroll down in the file to the section where there are "instantiate" items.  I commented out the SQL setup, by putting a # before the line that says "sql".  Save the file by pressing Control-O, press return to save in the default location, and press Control-X to get out of the editor.  I redid step number 1 twice and eventually RADIUS was running.  Removing SQL from RADIUS will assure that problems will arise if you plan to use Server.app to add AirPorts to the network in the future.  OS X Server adds its clients in an SQL database according to the programming notes in the .conf files.  I will only be using our Cisco ASAs so SQL is not relevant to our setup.
  Testing the running RADIUS server was easy as well.  In Terminal enter "sudo pico /etc/raddb/users" and authenticate as needed.  This file contains details for users if you wanted to add them manually to the RADIUS server.  For testing purposes I removed the # before a line referring to a user "steve."  I had to get RADIUS restarted to take up the new information about Steve.  I killed the process using Activity Monitor and reran step number 1.
  In Terminal I opened a new tab and entered "sudo radtest steve testing localhost 0 testing123 -t".  You should get back a positive authentication message.  Switching back to the original tab will show the output of the RADIUS server.
  Reverse the entry in step 3 by adding back the # to comment out the line about steve in the users file.
  RADIUS is now running and authenticating against its own users file.
  Now we need to add our ASAs to the RADIUS server so it knows that it can authenticate for them.  In Terminal enter "sudo pico /etc/raddb/clients.conf".  We added lines for our ASAs, following the samples in the code.  The information in the lines we added included a generic name for each ASA or device needing RADIUS type authentication, its IP address, and the shared secret for device authentication.
  Following David's advice from above I created the RADIUS sacl by entering in Terminal "sudo dseditgroup -q -o create -u <admin user> -P <admin password> -n . com.apple.access_radius".  This created the sacl for the service.  Editing of the associated users and groups permitted to use the service was able to be done in Server.  Be sure to select from the View menu "Show system accounts".  Selecting "Groups" from the left margin of the Server window will show all of the SACLs along with any groups you have created.  The RADIUS sacl can then have groups and users added to it.
  To ensure that RADIUS is running and stays running enter the following in Terminal.  First, "sudo radiusd.conf" will start RADIUS without logging in the Terminal window.  Then, "sudo radiusconfig -start" to tell the system to keep it running and also run after a reboot.
  I made no changes to our ASA settings and found that I was able to authenticate the "Steve" user from the RADIUS test in the ASA.  I was also able to authenticate a user which had been added to the "Users" in Server.  It appears that the ASA will be permitted to authenticate Open Directory users without additional setup.
  I now need to set up our user groups to match those we use in our 10.7 server and add them to the RADIUS SACL and we should be set.
  Once I have everything running properly, I will add a post here to close this discussion.
  If anyone can shorten this procedure please let us know what you suggest.
  -Erich

• Certificate authentication for Cisco VPN client

  I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
  I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
  Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.                    

  Dear Doug ,
            What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
  With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
  1)  What is the AnyConnect Essentials License?
  The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers"  platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
  You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          :  Enabled
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Any connect VPN Configuration .
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

• EIGRP and DMZ distribution - Cisco ASA

  I have been able to get EIGRP  working successfully in the lab like I want.
  Attached is the network overview:
  We have a Data Center and Corporate office connected via Point to Point Fiber link, eventually we will have two of these
  Two 4948E switches in the Data center acting as cores setup with GLBP
  Corporate Office has a 3750X acting as a core
  Currently two 4948E's are connected to each other via Port Channel and a L2 trunk
  Two set of ASA 5520's one acting as a firewall and for Cisco Any Connect and second for site to site VPN
  What is the best way/pratice that I can distribute this DMZ via EIGRP?  Should I just leave it static on the core like this?
  DMZ Net = 192.168.150.0/24
  Inside Interface = 192.168.200.255
  On the core I create a static route "ip route 192.168.150.0 255.255.255.0 192.168.200.255".  Or a statement like this would be better for future DMZ additions "ip route 0.0.0.0 0.0.0.0 192.168.200.255"?

  Hello Mohammad,
  I would recommend you to advertise them via EIGRP, better funcionality, escalability,etc,etc,etc.
  Regards

• Port Forwarding for Cisco ASA 5505 VPN

  This is the Network
  Linksys E2500 ---> Cisco ASA 5505 ---> Server
  I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
  Thank You

  For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
  Command to enable NAT-T on ASA:
  crypto isakmp nat-traversal 30

• Maximum number of connection profiles and group policies for Cisco ASA

  Hi,
  We have a Cisco ASA 5520 running 8.0(2) that we use only for Remote Access VPN.
  Does anyone know how many connection profiles and group policies that are supported on the box? I have not been able to find this in the manual.
  Thanks in advance for your help!
  Best regards,
  Harry

  There is no limit for connection profiles or group policies that can be configured on ASA. However the numbers do depend upon the memory available in the device as the profiles are stored in memory during execution.

• TACACS+ configuration for Cisco ASA

  I tired configuring TACACS+ configuration for ASA but unable to complete it. I have ACS 3.3 for all other Cisco Routers and Switches

  Leo,
  I was looking around and come across this post. It's very late, however, wanted to add my inputs for other community members.
  RSA Token/One-Time-Password support available with ASDM only in SINGLE ROUTED MODE. If you are in Single Routed Mode, you can do OTP with ASDM if you are running ASA 8.2+  with ASDM 6.2+.
  If the firewall is running in multi-context and transparent mode. It won't work. Below is the enhancement request that was filed for the same feature to be supported.
  CSCtf23419    ASDM OTP authentication support in multi-context and transparent modes
  With WLC is yet not possible and there is a enhancement request filed.
  CSCuf61598    WLC: Need ability to support multiple sessions via OTP authentication
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• TACACS+ Authentication For Cisco NAM

  Hi All,
  I have an cisco ACS v5.1 and also a cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1 however when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
  For your information, I have no problem with others equipment TACACS+ authentication with the same ACS.
  Please advise.
  Thks and Rgds

  Steven
  I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
  If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
  HTH
  Rick

• Cisco internet filtering for cisco asa 5515x

  hi all,
  i know either websense or smartfilter (btw, mcaffee is now not selling smart filter anymore) can be used in 5515x internet filtering but does cisco have it's own filtering software for its product?  please don't give an appliance, my company is small.
  I'm tempting to use the default CLI command but there's no reporting on it i think.  Can it provide reporting for user access?  If it yes, please provide on how to do that.
  thanks!

  I just installed the ASA CX (http://www.cisco.com/en/US/products/ps12521/index.html) onto my software module on the ASA 5512-X. All it required was a SSD and license for the software. If you know anything about the Ironport Web Security Appliances, ASA CX is basically the IronPort WSA running on the sw-module of the ASA.
  The on-box version of the reporting/configuration engine (Cisco Prime Security Manager "PRSM") is simple but effective. Longer-term storage and drill-down reports requires an appliance or VMware virtual machine with the full-blown PRSM.
  The neat thing about the CX is the ability to block not just domains, but drill down and block specific application features. Say you want to block Facebook Games but not Facebook itself, it is a simple configuration on the ASA CX.
  I believe there is also a cloud version of it you can purchase, but I'm not sure of the details.
  Good luck!

• Can anyone provide me details and fix for Shell Shock vulnerability for Cisco ASA version 5?

  We came to know frm our compliance team that we are running into shell shock vulnerabity therefore wanted to know the fix and document..

  Hi James,
  We do have a PSIRT filed for shell shock vulnerability, please refer details below:
  CSCur00511    ACS evaluation for CVE-2014-6271 and CVE-2014-7169
  https://tools.cisco.com/bugsearch/bug/CSCur00511/?reffering_site=dumpcr
  Here is the fixed code information for individual versions:
  Fixed Code:
  Patch for DDTS CSCur00511 is ready and available on CCO.
  The patch is included in all cumulative patches from version 5.4.0.46.7/5.5.0.46.6/5.6.0.22.1 and later. We recommend that you download the latest cumulative patches.
  Download from: CCO / Support / Download Software http://www.cisco.com/cisco/pub/software/portal/select.html?i=!y
  Select: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.4 / 5.4.0.46.0
  Patch filename: 5-4-0-46-.tar.gpg
  Readme and installaion instructions: Acs-5-4-0-46--Readme.txt
  Download from: CCO / Support / Download Software http://www.cisco.com/cisco/pub/software/portal/select.html?i=!y
  Select: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.5 / 5.5.0.46
  Patch filename: 5-5-0-46-.tar.gpg
  Readme and installaion instructions: Acs-5-5-0-46--Readme.txt
  Download from: CCO / Support / Download Software http://www.cisco.com/cisco/pub/software/portal/select.html?i=!y
  Select: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.6 / 5.6.0.22
  Patch filename: 5-6-0-22-.tar.gpg
  Readme and installaion instructions: Acs-5-6-0-22--Readme.txt
  Download from: CCO / Support / Download Software http://www.cisco.com/cisco/pub/software/portal/select.html?i=!y
  Select: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.3 / 5.3.0.40
  Patch filename: 5-3-0-40-.tar.gpg
  Readme and installaion instructions: Acs-53-Readme.txt
  Regards,
  Tushar Bangia
  Please do rate the post if you find it helpful!!

• Enable authentication for ASA

  hi,
  Im working on AAA authentication for an ASA (ASA 8.0(3) version) box thorough a TACACS+ server in ACS (4.2 version). The setup im working on includes several users in 3 classes: senior (privilege level 15), junior (privilege level 7) and monitoring (privilege level 0), user authentication and command authorization is working fine, however im having problems with enable authentication.
  When an user of junior class try to authenticate the enable password the authentication fails, according to the ACS's log "Tacacs+ enable privilege too low", however the privilege level in ACS for this class is set to level 7. Checking with a sniffer i have find out that the TACACS+ message for authentication sent by ASA is setting the privilege level as level 15, as you can see in the attached screenshot. Of course if the ASA is trying to authenticate enable for a level 15, the authentication will fail according to user's current level.I have local authentication configured in the ASA and it works fine including enable authentication.
  Anyone have had any issue with this or have any idea how resolve this issue?
  thanks all for your replies.

  Seems like you might be hitting bug CSCsh66748.
  Hope you have tried "enable " command to enter enable mode for specific users.
  BTW why are you using different privileges for enable when you already have command authorization in place.
  Regards
  Rohit