Endpoint Assessment with ASA and Eset Smart Security

Hi,
I am trying to get ASA Endpoint Assessment working on a ASA 5510 with Eset Smart Secuirty VER 4.
It works great with Eset Smart-Security Version 3., but I am unable to get it working with Version 4.
From a "debug dap trace" it appears the variables are populated with bad information :
endpoint.as["SpyBot"].timestamp="1223424000";
endpoint.av["WmiAV"]={};
endpoint.av["WmiAV"].exists="true";
endpoint.av["WmiAV"].description="Eset unknown product";
endpoint.av["WmiAV"].version="4.0";
endpoint.av["WmiAV"].activescan="ok";
endpoint.av["WmiAV"].lastupdate="";
endpoint.av["WmiAV"].timestamp="";
Is there anything I can do ?
Any help, really appreciated.
Thanks
Matt
I am running 8.0(4) with csd_3.4.0373.pkg.
Endpoint Assessment 2.5.14.3

Hello Tarik,
Thanks for the info.
The clients are able to login. And in the ESET Smart Security configuration, the nac client application is added to the firewall rules which make nac active whatever the ports is used by the client.
Thanks
Patrick Y.

Similar Messages

  • Firefox or Thunderbird will not open with firewall enabled,(eset Smart Security)

    After the most recent update to Firefox, it now won't open until I disable my firewall. Once it is open I can enable the firewall again and all is good. The same thing happened to Thunderbird about two weeks previous. When I try to open either one when the firewall is on nothing happens, yet the process shows it's running in Task Manager. I have to end the process..disable firewall.. start Firefox and Thunderbird..then turn on firewall.

    After reading several posts in the Support Forum I tried a solution. I deleted the "sessionstore-backups" folder.
    Please try this: click the menu button ≡ and then click help ? > troubleshooting information > profile folder - "show folder". Then a new window will open up. In this window look out for a folder named "sessionstore-backups", delete this folder and restart firefox afterwards.
    The problem was resolved.

  • ESET Smart Security says there's a trojan in the plugin for Firefox

    I'm trying to install the Flash plug-in for Firefox and after being forced to use the dumb DLM, the DLM downloads the plugin and tries to install it but my ESET Smart Security  throws up a message:
    A variant of Win32//TrojanDropper.Agent.OVE trojan
    has been found and has been cleaned by deleting
    So basically I'm not able to install the plug-in for Firefox.
    What gives?

    You can hide the box that shows the snippets with code in userChrome.css
    Add code to [http://kb.mozillazine.org/UserChrome.css userChrome.css] below the @namespace line.
    <pre><nowiki>@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */
    #snippetContainer {display: none !important; }</nowiki></pre>
    * http://kb.mozillazine.org/Editing_configuration
    * ChromEdit Plus: http://webdesigns.ms11.net/chromeditp.html

  • My eset smart security won't let me update video also foxfire won't reconidize my pass word to open email

    Details:
    Web page: http://ttb.updatevideos.com/download/request/51a9b6e65f1c1edb1f000000/6mAwFMTv?ClickID=AAAAAFIVSAA.eVABAAAAADzeUwAAAAAAAAAAAAAAAAAAAAcAAQABEs13awAAAAAApjhrAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwiRgAAAAAAAIBAgAAgD8AdNDHS0ABAAAAAAAAADNmODM4ZmJlLWZkNjItMTFlMi05MmZmLWJmZDEzYmM2NzE1YwAAAAAAAAA=&PubID=0
    Comment: Access to the web page was blocked by ESET Smart Security. The web page is on the list of websites with potentially dangerous content.
    Also firefox tells me my email password isn't valid. I've had the same password for years.

    Hello,
    The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information.
    Note: ''This will cause you to lose any Extensions, Open websites, and some Preferences.''
    To Reset Firefox do the following:
    #Go to Firefox > Help > Troubleshooting Information.
    #Click the "Reset Firefox" button.
    #Firefox will close and reset. After Firefox is done, it will show a window with the information that is imported. Click Finish.
    #Firefox will open with all factory defaults applied.
    Further information can be found in the [[Reset Firefox – easily fix most problems]] article.
    Did this fix your problems? Please report back to us!
    Thank you.

  • Routing issue with ASA and UC540 phone system - at ASA???

    Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has it's own WAN connection as does the ASA.
    Here are some facts:
    1. Can ping the UC540's internal CUE server from the PC ( ping to 10.1.10.1 )
    2. Can ping the UC540's VLAN 1 address from the PC ( ping to 10.1.10.1 )
    3. The ASA is the default gateway for the PC.
    4. I have a route inserted at the asa that is:
                   route 10.1.10.1 255.255.255.0 10.19.250.254 1
    5. I have a nat statement that prevents NAT from occuring but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the      ASA.
    6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address
    7. I CAN pull up a web page on the PC when I create a static route on the PC iteslf :
                   route add 10.1.10.1 mask 255.255.255.0 10.19.250.254
         Is is only with this route that I am able to get to the web GUI on the phone system.
    8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server, the internal CUE server is at      10.1.10.1
    9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice vlan which is at 10.1.1.0/24, no issues with this vlan and phones      are connecting to the system fine.
    Since I can get the GUI to come up when I set a static route on the PC, then I would assume that the routing in the phone system with it's internal server is fine as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is setup correctly..... TCP traffic doesn't seem to get to/from the CUE server.
    Here are the routing tables:
    ASA:
    Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0
    C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside
    S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside
    S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside
    C    10.19.250.0 255.255.254.0 is directly connected, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside
    The UC540 phone system's router side:
    Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx
          10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
    C        10.1.1.0/24 is directly connected, BVI100
    L        10.1.1.1/32 is directly connected, BVI100
    C        10.1.10.0/30 is directly connected, Loopback0
    S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
    L        10.1.10.2/32 is directly connected, Loopback0
    C        10.19.250.0/23 is directly connected, BVI1
    L        10.19.250.254/32 is directly connected, BVI1
          XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0
    L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0
          172.16.0.0/24 is subnetted, 1 subnets
    S        172.16.100.0 [1/0] via 10.19.250.1
    The UC540's internal CUE server:
    Main Routing Table:
               DEST            GATE            MASK                     IFACE
          10.1.10.0            0.0.0.0           255.255.255.252       eth0
            0.0.0.0             10.1.10.2         0.0.0.0                    eth0
    Any help appreciated!!!
    Thanks!

    Hello,
    Where you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The Firewall needs to see both sides of the traffic but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.
    I would recommend disabling TCP state checking on the ASA and see if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA which needs to route through the ASA to reach the PC.
    Here is a info page on the TCP State Bypass:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
    Please let me know how it works out.

  • MS NLB with ASA and Static NAT from PUP to NLB IP

    Hi all,
    I am trying to get MS NLB up and running.  It is almost all working.  Below is my physical setup.
    ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
    I have two VMs runing on two different ESXi hosts.  They have two vNICs.  One for managment and one for inside puplic subnet.  The inside puplic subnet NICs are in the NLB cluster.  The inside public subnet is NATed on the ASA to a outide public IP.
    192.168.0.50 is the 1st VM
    192.168.0.51 is the 2nd VM
    192.168.0.52 is the cluster IP for heartbeat
    192.168.0.53 is the cluster IP for NLB traffic.
    0100.5e7f.0035 is the cluster MAC.
    The NLB cluster is using MULTICAST
    I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC. 
    For the ASA I found
    http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
    ASDM
    Configuration > Device Management > Advanced > ARP > ARP Static Table
    I was able to add my stic ARP just fine.
    However, the next step was to enable ARP inspection.
    Configuration > Device Management > Advanced > ARP > ARP Inspection
    My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
    For the CAT Switch I found
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
    I added the both the ARP and Static MAC.  For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
    On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa.  I then added a DNS entry for our domain to point to the outside public IP.  I also added it to the public servers section allowing all IP traffic testing puproses.
    At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets)  The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae.  Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine. 
    So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine.  Below is my ASA Config. I have bolded the parts of Interest.
    Result of the command: "show run"
    : Saved
    ASA Version 8.4(4)9
    hostname MP-ASA-1
    enable password ac3wyUYtitklff6l encrypted
    passwd ac3wyUYtitklff6l encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 198.XX.XX.82 255.255.255.240
    interface Ethernet0/1
    description Root Inside Interface No Vlan
    speed 1000
    duplex full
    nameif Port-1-GI-Inside-Native
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1.2
    description Managment LAN 1 for Inside Networks
    vlan 2
    nameif MGMT-1
    security-level 100
    ip address 192.168.180.1 255.255.255.0
    interface Ethernet0/1.3
    description Managment LAN 2 for Inside Networks
    vlan 3
    nameif MGMT-2
    security-level 100
    ip address 192.168.181.1 255.255.255.0
    interface Ethernet0/1.100
    description Development Pubilc Network 1
    vlan 100
    nameif DEV-PUB-1
    security-level 50
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1.101
    description Development Pubilc Network 2
    vlan 101
    nameif DEV-PUB-2
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/1.102
    description Suncor Pubilc Network 1
    vlan 102
    nameif SUNCOR-PUB-1
    security-level 49
    ip address 192.168.3.1 255.255.255.0
    interface Ethernet0/1.103
    description Suncor Pubilc Network 2
    vlan 103
    nameif SUNCOR-PUB-2
    security-level 49
    ip address 192.168.4.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa844-9-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Inside-Native-Network-PNAT
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network with PNAT
    object network ASA-Outside-IP
    host 198.XX.XX.82
    description The primary IP of the ASA
    object network Inside-Native-Network
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network
    object network VPN-POOL-PNAT
    subnet 192.168.100.0 255.255.255.0
    description VPN Pool NAT for Inside
    object network DEV-PUP-1-Network
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUP-1 Network
    object network DEV-PUP-2-Network
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUP-2 Network
    object network MGMT-1-Network
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1 Network
    object network MGMT-2-Network
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2 Network
    object network SUNCOR-PUP-1-Network
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUP-1 Network
    object network SUNCOR-PUP-2-Network
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUP-2 Network
    object network DEV-PUB-1-Network-PNAT
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUB-1-Network with PNAT
    object network DEV-PUB-2-Network-PNAT
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUB-2-Network with PNAT
    object network MGMT-1-Network-PNAT
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1-Network with PNAT
    object network MGMT-2-Network-PNAT
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2-Network with PNAT
    object network SUNCOR-PUB-1-Network-PNAT
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUB-1-Network with PNAT
    object network SUNCOR-PUB-2-Network-PNAT
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUB-2-Network with PNAT
    object network DEV-APP-1-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-APP-2-SNAT
    host 192.168.2.120
    description DEV-APP-2 Server with SNAT
    object network DEV-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-SQL-1
    host 192.168.0.110
    description DEV-SQL-1 Inside Server IP
    object network DEV-SQL-2
    host 192.168.2.110
    description DEV-SQL-2 Inside Server IP
    object network SUCNOR-APP-1-PUB
    host 198.XX.XX.XX
    description SUNCOR-APP-1 Public Server IP
    object network SUNCOR-APP-2-SNAT
    host 192.168.4.120
    description SUNCOR-APP-2 Server with SNAT
    object network SUNCOR-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network SUNCOR-SQL-1
    host 192.168.3.110
    description SUNCOR-SQL-1 Inside Server IP
    object network SUNCOR-SQL-2
    host 192.168.4.110
    description SUNCOR-SQL-2 Inside Server IP
    object network DEV-APP-1-SNAT
    host 192.168.0.120
    description DEV-APP-1 Network with SNAT
    object network SUNCOR-APP-1-SNAT
    host 192.168.3.120
    description SUNCOR-APP-1 Network with SNAT
    object network PDX-LAN
    subnet 192.168.1.0 255.255.255.0
    description PDX-LAN for S2S VPN
    object network PDX-Sonicwall
    host XX.XX.XX.XX
    object network LOGI-NLB--SNAT
    host 192.168.0.53
    description Logi NLB with SNAT
    object network LOGI-PUP-IP
    host 198.XX.XX.87
    description Public IP of LOGI server for NLB
    object network LOGI-NLB-IP
    host 192.168.0.53
    description LOGI NLB IP
    object network LOGI-PUP-SNAT-NLB
    host 198.XX.XX.87
    description LOGI Pup with SNAT to NLB
    object-group network vpn-inside
    description All inside accessible networks
    object-group network VPN-Inside-Networks
    description All Inside Nets for Remote VPN Access
    network-object object Inside-Native-Network
    network-object object DEV-PUP-1-Network
    network-object object DEV-PUP-2-Network
    network-object object MGMT-1-Network
    network-object object MGMT-2-Network
    network-object object SUNCOR-PUP-1-Network
    network-object object SUNCOR-PUP-2-Network
    access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
    access-list outside_access_out remark Block ping to out networks
    access-list outside_access_out extended deny icmp any any inactive
    access-list outside_access_out remark Allow all traffic from inside to outside networks
    access-list outside_access_out extended permit ip any any
    access-list outside_access extended permit ip any object LOGI-NLB--SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
    access-list outside_access extended permit ip any object DEV-APP-2-SNAT
    access-list outside_access extended permit ip any object DEV-APP-1-SNAT
    access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu Port-1-GI-Inside-Native 1500
    mtu MGMT-1 1500
    mtu MGMT-2 1500
    mtu DEV-PUB-1 1500
    mtu DEV-PUB-2 1500
    mtu SUNCOR-PUB-1 1500
    mtu SUNCOR-PUB-2 1500
    mtu management 1500
    ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any Port-1-GI-Inside-Native
    icmp permit any MGMT-1
    icmp permit any MGMT-2
    icmp permit any DEV-PUB-1
    icmp permit any DEV-PUB-2
    icmp permit any SUNCOR-PUB-1
    icmp permit any SUNCOR-PUB-2
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
    arp timeout 14400
    no arp permit-nonconnected
    nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    object network Inside-Native-Network-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network VPN-POOL-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network DEV-PUB-1-Network-PNAT
    nat (DEV-PUB-1,outside) dynamic interface
    object network DEV-PUB-2-Network-PNAT
    nat (DEV-PUB-2,outside) dynamic interface
    object network MGMT-1-Network-PNAT
    nat (MGMT-1,outside) dynamic interface
    object network MGMT-2-Network-PNAT
    nat (MGMT-2,outside) dynamic interface
    object network SUNCOR-PUB-1-Network-PNAT
    nat (SUNCOR-PUB-1,outside) dynamic interface
    object network SUNCOR-PUB-2-Network-PNAT
    nat (SUNCOR-PUB-2,outside) dynamic interface
    object network DEV-APP-2-SNAT
    nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
    object network SUNCOR-APP-2-SNAT
    nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
    object network DEV-APP-1-SNAT
    nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
    object network SUNCOR-APP-1-SNAT
    nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
    object network LOGI-NLB--SNAT
    nat (DEV-PUB-1,outside) static LOGI-PUP-IP
    object network LOGI-PUP-SNAT-NLB
    nat (outside,DEV-PUB-1) static LOGI-NLB-IP
    access-group outside_access in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 outside
    http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
    http 192.168.180.0 255.255.255.0 MGMT-1
    http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
    : end
    Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff. 
    Thanks,
    Chris

    Also If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP.  So it's definatly an issue when NATing the VIP of NLB cluster.
    Chris

  • WLAN and ESET Mobile Security

    A few weeks ago, I had a problem with WLAN on my phone Nokia E71; I was using the application ESET Mobile Security, and when i delete this application, the WLAN don´t work. Now, I reinstalled this application and WLAN is working fine. I recommend be carefull with this antivirus.

    phonehacker wrote:
    LOL you don't need antivirus. read this http://3lib.ukonline.co.uk/viruses.htm
    is this applied all S60 devices, such as S60 5th edition? (X6,N97,5800,etc.)
    Glad to help

  • Anyconnect endpoint assessment with anyconnect phones

    Hello,
    We are rolling out any connect endpoint assessment & would like to know what the impact is to existing any connect phones.
    We are looking to check on the OS version/domain membership/ & file checks. I'm not sure how this would impact VoIP endpoints as they are running firmware opposed to an OS.

    Hello
    Please forgive the shameless bump. Was hoping someone could help?
    Many thanks

  • SSO with ASA and CITRIX

    Hi,
    don't know whether this is the right forum, but i will try to ask my question in hope that somebody can give me an answer:
    I installed an ASA Security Appliance with WebVPN feature to connect to an internal Citrix Server farm. All authentication and authorization information are handled by a SecureACS, which is connected to ADS. All works fine. But now i want to Single-Sign-On to the citrix farm, means that the authentication information has to pass to citrix without entering the information twice...
    Is there anybody out there who got this working?? SSO with basic authentication to an Apache webserver works just fine...
    Which authentication informations are required for the Citrix Web Interface??
    Thanx in advance!
    Bernd

    My custpomer is using pure http between the citrix server and the citrix client, they want to access through the vpn concentrator using the webvpn feature, after checking the citrix metaframe option on the vpn concentrator, when they try to access the client hangs on and the error that we get is ssl should be installed on the citrix server, as we use ssl between the client and vpn concentrator, my question is could citrix be accessed via pure http between the citrix server and the client in this case how to fix this error, or are we obliged to use ssl even between the citrix server and the client.

  • ACS 5.3 Radius authentication with ASA and DACL

    Hi,
    I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
    Clients are connecting to an ASA 5510 with image asa843-K8.bin
    I followed the configuration example on the Cisco site, but I am having some problems
    First : AD identity is not triggered, I put a profile  :
    Status
    Name
    Conditions
    Results
    Hit Count
    NDG:Location
    Time And   Date
    AD1:memberOf
    Authorization   Profiles
    1
    TestVPNDACL
    -ANY-
    -ANY-
    equals Network Admin
    TEST DACL
    0
    But if I am getting no hits on it, Default Access is being used (Permit Access)
    So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
    I can see the DACL/ASA being authenticated in the ACS log but no success
    I am using my user which is member of the Network Admin Group.
    Am I missing something?
    Any help greatly appreciated!
    Wim

    Hello Stephen,
    As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
    ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
    As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
    In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
    In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
    I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
    Here is a snapshot of the section:

  • Dynamic Login Environment with LDAP and Database level security.

    JDeveloper 11.1.1.0.1 + ADF BC + ADF RC
    Hi everyone,
    We are ready to begin creating a dynamic login environment.
    We would like to be able to keep security on the database side, instead of in the application layer.
    We also want to be able to use Oracle LDAP for authentication.
    Can anyone suggest any good documentation for our situation?
    Highly appreciated. Thanks!

    Alexander,
    unlike in Forms, authentication is separate from connection. You can have individual user connections - like in Forms - but this most likely is not of best performance. A document and example for this to follow is
    http://radio.weblogs.com/0118231/2008/08/06.html#a902
    Note that authentication does not need to be hard coded in either way. If you use a single database connection and container managed authentication, then all users access the database from the same user account but can have their authenticated names passed through. In ADF BC you can use the prepareSession method on the ApplicationModule to pass the name to the database as a prepared statement (e.g. to set the predicate on a VPD database). However, using PLSQL for authorization is a bit difficult because the business logic, unlike in Forms isn't executed in PLSQL. You can look up PLSQ from ADF BC - or Java in general - but its a separate call.
    Frank

  • When an Endpoint Assessment Fails

    I have an ASA 5515-x running 9.03, and have AnyConnect clients running version 3.1.04063.  I am licensed for Advanced Endpoint Assessment and CSD.  The issue I am having is when I client connects using TrendMicro AV, and the Trend service is stopped, the Endpoint Assessment recognized this and attempts to start (which is good!), but it fails to start with the following warning logged:   
    [Tue Sep 03 10:53:38.957 2013][cscan][warn][scan_advanced_av] unable to enable antivirus (Trend Micro Client/Server Security Agent)
    At the end of the scan, it also logs that the check for activescan failed:
    [Tue Sep 03 10:53:43.668 2013][cscan][debug][get_data] endpoint.av["TrendMicroAV"].activescan="failed"
    The VPN conenction is then established and the user works as if everything passed (which is not good!).
    What I am looking for is: if restarting the service fails, like in this case, deny the connections and hopefully put up a friendly message that the access was denied because AV failed to start.
    Any ideas?    

    Hi Richard,
    you should be able to do this using DAP (Dynamic Access Policies) on the ASA, i.e. create a DAP rule that denies the connection if endpoint.av["TrendMicroAV"].activescan has a value of false, and a default rule that allows all other connections.
    see http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
    hth
    Herbert

  • Avast Antivirus for mac or Eset Cyber Security 6

    Considering many threats nowadays on the Internet, including malware related to false pages, phishing pages, Java threats, I consider important to count on a security solution.
    There are 2 of them I personally consider the best ones on the moment: Avast Antivirus for Mac and Eset Cyber Security 6.
    Well, considering two important aspects - detection (higher scores it's better) and performance (lower system usage resources - like processors usage - it's better).
    What is your opinion about them considering your experience?
    Which one would you choose?
    Thanks in advance!

    "Avast" is perhaps the worst of the whole wretched lot of commercial "security" products for the Mac. It's worse than the imaginary "viruses" you're worried about. Not only does it fail to protect you, it destabilizes and slows down your computer, and it sometimes or always corrupts the network settings and the permissions of files in your home folder. Removing it may not repair all the damage, and neither will Disk Utility or even reinstalling OS X.
    1. This comment applies to malicious software ("malware") that's installed unwittingly by the victim of a network attack. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the victim's computer. That threat is in a different category, and there's no easy way to defend against it. If you have reason to suspect that you're the target of such an attack, you need expert help.
    OS X now implements three layers of built-in protection specifically against malware, not counting runtime protections such as execute disable, sandboxing, system library randomization, and address space layout randomization that may also guard against other kinds of exploits.
    2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user, but internally Apple calls it "XProtect." The malware recognition database is automatically checked for updates once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
    The following caveats apply to XProtect:
    It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets.
    It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
    3. Starting with OS X 10.7.5, there has been a second layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't necessarily been tested by Apple, but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. That may not mean much if the developer lives in a country with a weak legal system (see below.)
    Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:
    It can easily be disabled or overridden by the user.
    A malware attacker could get control of a code-signing certificate under false pretenses, or could simply ignore the consequences of distributing codesigned malware.
    An App Store developer could find a way to bypass Apple's oversight, or the oversight could fail due to human error.
    For the reasons given above, App Store products, and other applications recognized by Gatekeeper as signed, are safer than others, but they can't be considered absolutely safe. "Sandboxed" applications may prompt for access to private data, such as your contacts, or for access to the network. Think before granting that access. OS X security is based on user input. Never click anything reflexively.
    4. Starting with OS X 10.8.3, a third layer of protection has been added: a "Malware Removal Tool" (MRT). MRT runs automatically in the background when you update the OS. It checks for, and removes, malware that may have evaded the other protections via a Java exploit (see below.) MRT also runs when you install or update the Apple-supplied Java runtime (but not the Oracle runtime.) Like XProtect, MRT is presumably effective against known attacks, but maybe not against unknown attacks. It notifies you if it finds malware, but otherwise there's no user interface to MRT.
    5. XProtect, Gatekeeper, and MRT reduce the risk of malware attack, but they're not absolute protection. The first and best line of defense is always your own intelligence. With the possible exception of Java exploits, all known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and the malware attacker. If you're smarter than he thinks you are, you'll win.
    That means, in practice, that you never use software that comes from an untrustworthy source, or that does something inherently untrustworthy. How do you know what is trustworthy?
    Any website that prompts you to install a “codec,” “plug-in,” "player," "extractor," or “certificate” that comes from that same site, or an unknown one, is untrustworthy.
    A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
    Pirated copies or "cracks" of commercial software, no matter where they come from, are unsafe.
    Software of any kind downloaded from a BitTorrent or from a Usenet binary newsgroup is unsafe.
    Software that purports to help you do something that's illegal or that infringes copyright, such as saving streamed audio or video for reuse without permission, is unsafe. All YouTube "downloaders" are in this category, though not all are necessarily harmful.
    Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. If it comes from any other source, it's unsafe.
    Even signed applications, no matter what the source, should not be trusted if they do something unexpected, such as asking for permission to access your contacts, your location, or the Internet for no obvious reason.
    6. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.
    Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
    Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it — not JavaScript — in your browsers.
    Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.
    Follow the above guidelines, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself from malware.
    7. Never install any commercial "anti-virus" or "Internet security" products for the Mac, as they all do more harm than good, if they do any good at all. Any database of known threats is always going to be out of date. Most of the danger is from unknown threats. If you need to be able to detect Windows malware in your files, use the free software  ClamXav— nothing else.
    Why shouldn't you use commercial "anti-virus" products?
    Their design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere.
    In order to meet that nonexistent threat, the software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
    By modifying the operating system, the software itself may create weaknesses that could be exploited by malware attackers.
    8. ClamXav doesn't have these drawbacks. That doesn't mean it's entirely safe. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
    ClamXav is not needed, and should not be relied upon, for protection against OS X malware. It's useful only for detecting Windows malware. Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else.
    A Windows malware attachment in email is usually easy to recognize. The file name will often be targeted at people who aren't very bright; for example:
    ♥♥♥♥♥♥♥♥♥♥♥♥♥♥!!!!!!!H0TBABEZ4U!!!!!!!.AVI♥♥♥♥♥♥♥♥♥♥♥♥♥♥.exe
    ClamXav may be able to tell you which particular virus or trojan it is, but do you care? In practice, there's seldom a reason to use ClamXav unless a network administrator requires you to run an anti-virus application.
    9. The greatest harm done by security software, in my opinion, is in its effect on human behavior. It does little or nothing to protect people from emerging threats, but if they get a false sense of security from it, they may feel free to do things that expose them to higher risk. Nothing can lessen the need for safe computing practices.
    10. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.

  • IPhones and other smart phones being Excluded

    Has anyone seen an issue with iPhones and other smart phones being considered as excluded clients for the reason of Identity Theft? I am looking at one of my controllers and there are almost 680 excluded clients and most of them are smart phones and they are all being excluded for the same reason. It seems to be mostly iPhones but not all of the iPhones are experiencing the same behavior.
    There is a mix of AP types (AP1010s, 1131s and 3502s) and also a mix of controller types (44XX and 3508). I have not been able to find any information to explain this behavior on the phone side and/or the wireless side.
    Any suggestions would be appreciated.

    These devices are supposed to be allowed to connect to our network. The issue we are seeing is.....
    We have multiple WLANs, 2 secured and 1 open. Ideally the phones would be able to connect to all of them but they should only be connecting to the secured networks for work purposes. The only difference between the 2 secured networks is that one is only available on the B/G band and the other is on the A band. What I am seeing is that the excluded clients are only showing up as being excluded on the open network but when they get into this state they are not able to connect to the secured networks as well.
    After further investigation it seems that they are all iPhones and from what I can tell they are all running IOS 5. Our company does provide iPhones for some employees but there is a base build that is required and none of the company provided phones are having a problem, even the one running IOS 5. All of the phones with issues are personally owned phones so i cannot speak to their configuration.
    Thank you for our response as I am baffled.... I have been working with wireless for many years and this is confusing me.

  • Problem connecting wirelessly from iMac to NETGEAR router, get invalid password message with WPA and WPA-2 encryption in place but if I remove them, so no security, can connect without a problem. Help!!

    Problem connecting wirelessly from iMac to NETGEAR router, get invalid password message with WPA and WPA-2 encryption in place but if I remove them, so no security, can connect without a problem. Help!!

    Thank you for your suggestion but I have already had a couple of phone sessions with NETGEAR support and they don't see any problems with the router settings etc. They referred me to Apple support, who helped me discover that it is possible to communicate with the router but only if I turn off the encryption/security software, which I don't want to do. The frustrating thing is that I can connect wirelessly from a laptop running Windows 7 and two Anroid smart phones, with WPA-2 in place, without a problem. Do you have any other ideas?

Maybe you are looking for