Firewalling vlans on Catalyst 6500 by using Cisco ASA Firewalls
Hello,
How to secure vlans on Catalyst 6500 by using Cisco ASA Firewalls?
There are no free modules on Catalyst 6500 to install a FWSM module.
What is the best configuration to secure vlans (~80 vlans) by using Cisco ASA firewalls (context, hairpinning...)?
Thanks
Hi Bro
Just to understand your question once again, you don't have any more available slots in your present Cat6K, but you want to know how to secure your VLANs or SVIs that have been configured in your Cat6K?
If you were to ask me, I would not apply a bunch of ACLs in the Cat6K, for starters. You might wanna look into COPP (Control Plane Policing) instead. Furthermore you could also refer to this Cisco document http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml
However, if you do have Cisco ASA FW appliance (not module, I presume from your question), you could enable ACLs, threat-detection feature, IP Audit features, reverse-path policing, capping of the embryonic values etc.
P/S: If you think this comment is useful, please do rate them nicely :-)
Similar Messages
-
Dear All,
I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me.
Thanks
Vijay
Hi Vijay,
It can be done but you need some network management software. I personally don't think you can ask your ASA to send mails. ASA can trigger an alert to a SNMP configured server which will in turn send mail to you.
HTH, -
Disabling ''igmp snooping'' in a VLAN (no interface VLAN) on Catalyst 6500
Can please some help?
On 4948 or 3560 I can disable igmp snooping in a specific VLAN:
sw4948(config)#no ip igmp snooping vlan ?
<1-1001> Vlan number
<1006-4094> Vlan number
sw4948(config)#no ip igmp snooping vlan 10 ?
explicit-tracking Enable IGMP explicit host tracking
immediate-leave Enable IGMPv2 immediate leave processing
last-member-query-interval Last member query interval
mrouter Configure an L2 port as a multicast router port
static Configure an L2 port as a member of a group
<cr>
BUT, in 6509-E this command is not enabled:
sw6509(config-if)#no ip igmp snooping ?
access-group IGMP group access group
limit IGMP limit
I have just found on my 6509 that I can disable igmp snooping in a SVI interface (Interface VLAN)
sw6509(config)#int vlan 20
sw6509(config-if)#no ip igmp snooping ?
access-group IGMP group access group
fast-leave Enable IGMP fast leave processing
last-member-query-interval Configure IGMP leave query timeout
limit IGMP limit
minimum-version Minimum IGMP version
mrouter Configure an L2 port as a multicast router port
querier Enable IGMP querier processing
report-suppression Force a report suppression
ssm-safe-reporting Enable SSM Safe Reporting
static Configure an L2 port as a member of a group
<cr>
My current 6509-E IOS version is:
System image file is "sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH8b.bin"
Do I need to upgrade my IOS version?... or how can I disable ''igmp snooping'' per specific VLAN (no Interface VLAN)?
Any help would be appreciated!
Regards
guruiz
Hi Guruiz,
So, to disable igmp snooping in some VLANs in the 6509, do I need to disable it globally?
Would it be the only way?
That appears to be the only way. If you have an SVI for the vlan you want to run Multicast in, then simply enable PIM and not worry about IGMP snooping. I think, the reason you don't see this command under the layer-2 vlan is because most of the time the 6500 is used as layer-2/layer-3 and not just layer-2.
How could "no ip igmp snooping" applied globally impact my 6509 switch?
It will impact only the vlans that are running Multicast. In general, ip IGMP snooping is used when you have a flat vlan and no SVI. If you have multiple vlans and are running Multicast between them, then you can just enable PIM.
HTH -
VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)
Hi, I've been pulling my hair out trying to get simple vlan trunking working between these devices.
Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200. I have the SG200<>ASA VLAN trunk configured correctly, as far as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the AP port to general tag/untag, etc). Both APs work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch.
VLAN 1 - inside (has separate dhcp scope assigned by ASA)
VLAN 99 - guest (has separate dhcp scope assigned by ASA)
SG200 (port - configuration - purpose):
g2 - Trunk 1UP,99T - Ubiquiti AP (VLAN 1 works, VLAN 99 does not)
g3 - Access port 99T - vlan 99 does not work
g8 - Trunk 1UP, 99T - < Trunk between switch and ASA >
ASA 5505 (Sec Plus license) (port - configuration - purpose):
Int e0/2
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Int e0/3
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Second ubiquiti AP - Both VLAN 1 and VLAN 99 clients work properly
Frustrated - yes. Confused - maybe not as much, but I could have put some more effort into the overall picture.
There are two VLANs (1 - native) and (99 - guest). There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.
No clients connected to the SG200 on VLAN 99 are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP. The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
Anything connected to the SG200 on the native VLAN works properly.
Anything connected to the ASA VLANs (1 or 99) works properly
I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
SG200 g2 - trunk port (1UP, 99T) -- Access Point
SG200 g2 - access port (99U)
SG200 g8 - trunk port (1UP, 99T) connected to ASA5505 e0/3
ASA5505 e0/3 (switchport trunk allowed vlan 1,99, switchport trunk native vlan 1, switchport mode trunk)
Thanks, -
How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?
Hello there!
I've been designing a solution to protect the Server Farm and I intend to use the ASA 5500 series with AIP-SSM module. Is there any tool to determine the real throughput that I need? I mean, how to determine the performance (Firewall + IPS throughput), what main points should I consider?
If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
Do not average your traffic over too great a time period, you will miss busy hour peaks. At most, use 5 min averages.
- Bob -
NPAS: How do I use Cisco ASA RADIUS attribute 146?
We have a Cisco ASA 5520 running firmware 8.4.5 and are using it for AnyConnect SSL VPN. We are using Microsoft Network Policy and Access Services (NPAS) as a RADIUS server to handle authentication requests coming from the ASA.
We have three tunnel groups configured on the ASA, and have three Active Directory security groups that correspond with each one. At this time, we are using Cisco's vendor-specific RADIUS attribute 85 (tunnel-group-lock) to send back to the ASA a string
that corresponds to a policy rule in NPAS based on the matched group membership. This works in the sense that each user can only be a member of one of the three AD security groups used for VPN, and if they pick a tunnel group in the AnyConnect client
that doesn't correspond to them, the ASA doesn't set up the session for them.
Well, Cisco added vendor-specific RADIUS attribute 146 (tunnel-group-name) in firmware 8.4.3. This is an *upstream* attribute, and is one that is sent by the ASA to the RADIUS server. We would like to use this attribute in our policies in NPAS
to help with policy matching. By doing this, we could allow people to be in more than one VPN group and select more than one of the tunnel groups in the AnyConnect client, each of which may provide different network access.
The question becomes, how can I use this upstream RADIUS attribute in my policy conditions? I tried putting it in the policy in the Vendor-Specific section under Policies (the same place where we had attribute 85 defined), but this doesn't work.
These are just downstream attributes that the NPAS server sends back to the RADIUS client (the ASA). The ASA seems to ignore attribute 146 if it is sent back in this manner and the result is that the first rule that contains a group the user is a member
of is matched and authentication is successful. This is undesirable, because it means the person could potentially select a tunnel group and successfully authenticate even though that isn't what we desire.
Here is Cisco's documentation that describes these attributes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html
Philippe:
Thank you for the response, but I am already aware how to use Cisco's group-lock or tunnel-group-lock with RADIUS and, in fact, we are already using tunnel-group-lock (attribute 85).
Using tunnel-group-lock works in the sense that you have three RADIUS policies and three AD security groups (one per tunnel group configured on the ASA). Each AD group basically is designed to map to a specific tunnel group. Each RADIUS policy
contains vendor-specific attribute 85 with the name of the tunnel group. So when you connect and attempt authentication through NPAS, it goes down the RADIUS policies until the conditions match (in this case the conditions are the source RADIUS client
- the ASA - and membership in a particular AD security group), it determines if your authentication attempt is successful, and if so it sends the tunnel group name back to the ASA. If the tunnel group name matches the one associated to the user group
you selected from the list in the AnyConnect client, a VPN tunnel is established. Otherwise, the ASA rejects the connection attempt.
Frankly, tunnel-group-lock works fine so long as it is only necessary for a given individual to need to connect to only a single tunnel group. If there is a need for an individual to be able to use two out of the three or all three tunnel groups in
order to gain different access, using tunnel-group-lock or group-lock won't work. This is because the behavior will be when the RADIUS server processes the policies, the first one in the list that has the AD security group that the user is a member of
will be matched and the tunnel group name associated with that policy will be sent back to the ASA every time. If that name doesn't match the one they picked, the tunnel will not be established. This will happen every time if the tunnel group is
associated with the second or third AD group they are a member of in terms of order in the NPAS policy list.
Group-lock (attribute 25) works similarly. In such a case, the result won't be a failure to connect if the user group chosen is associated with the second or third AD group in the policy list; rather, it will just always send the ASA the first group
name and the ASA will establish the session but always apply the same policy to the client rather than the desired one.
We upgraded to firmware 8.4.5 on our ASA 5520 specifically so that we could make use of attribute 146 (tunnel-group-name). Since this is an upstream attribute sent by the ASA to the RADIUS server (rather than something send by the RADIUS server
to the ASA as part of the authentication response), we were hoping to be able to use it as an additional condition in the NPAS policies. In this way, people could be members of more than one of the AD security groups related to VPN at a time. The
problem is, I just do not know how to leverage it in the NPAS policy conditions or if it is even possible. -
IDSM on catalyst 6500 to provide IOS Inline mode support
I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS Version 12.2(33)SXI2a supports inline mode and inline vlan pair mode with IDSM-2? What configuration should be done with the switch in order for the multiple vlan traffic to flow with an inline interface of the IDSM-2? In my case I have 16 user vlans and 1 server vlan on catalyst 6500. The task is to protect the servers from users. The requirement is to configure inline mode to monitor the traffic from these 16 vlans when they access the servers. But as we know the IDSM-2 has only two logical sensing ports. So my question is how will you configure the switch to forward the traffic from these 16 vlans to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server vlan? Because as far as I know, when you configure inline mode on IOS, you will have to configure the sensing ports in access mode (while in CatOS, you configure these as TRUNK ports). But this will work when you have only two vlans. In my case, I have 16 vlans to monitor in inline mode. Please suggest any solution.
Any urgent reply will be much appreciated.
Many Thanks in advance
Hi Mubin,
If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment. All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN. Assuming you have something like this to start:
VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
To do this you'll need to perform the following steps:
1. Designate a new VLAN to use as a helper VLAN for your current server VLAN. I'll use 201 for this example and assume your current server VLAN is 200.
Create the helper VLAN on the switch:
switch# conf t
switch(config)# vlan 201
2. Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
sensor# conf t
sensor(config)# service interface
sensor(config-int)# physical-interface GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 200
sensor(config-int-phy-inl-sub)# vlan2 201
sensor(config-int-phy-inl-sub)# description Server-Helper pair
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:
3. Configure the switch to trunk the helper and server VLANs to the IDSM-2 module. I assume the module is in slot 5 in the example. Replace the 5 with the correct slot for your deployment:
switch# conf t
switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
switch(config)# intrusion-detection module 5 data-port 1 autostate include
*Warning! This next step may cause an outage if everything is configured correctly. You'll probably want to schedule a window to do this.*
4. Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created. To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201. I assume the current server gateway is 192.168.1.1/24
switch# conf t
switch(config)# interface vlan 200
switch(config-if)# no ip address
switch(config-if)# interface vlan 201
switch(config-if)# ip address 192.168.1.1 255.255.255.0
switch(config-if)# exit
switch(config)# exit
switch# wr mem
Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected. Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
Best Regards,
Justin -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have a weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down, up, down, down, and I get all strange messages when I check if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while, like 5-10 min, the vpn site to site tunnel is up and here is the strange thing happening: I have all access lists and tunnel access lists right, but I can only access one remote network (Main site Clavister Firewall) through the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working through the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site and now they have a Cisco ASA 5505, and all the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505.
Here are some logs that ASDM gives me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3 | Nov 21 2012 | 07:11:09 | 713902 | Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3 | Nov 21 2012 | 07:11:09 | 713902 | Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3 | Nov 21 2012 | 07:11:09 | 713061 | Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 | Nov 21 2012 | 07:11:09 | 713119 | Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my access lists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA; the other remote networks don't work.
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
Michael
Hi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them, even though no changes have been made.
If they are mirror images of each other already I'd say it's probably some problem related to the Cisco/Clavister setup.
Seems especially weird to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation and therefore it failed. That problem we corrected by changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
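One way to do the "mirror image" comparison Jouni suggests, as an added Python example (not code from the thread, from Cisco or from Clavister): it parses crypto-ACL lines in the same form as the VPN_Tunnel list above, diffs the resulting proxy identities against a constructed remote-side encryption domain, and shows why a proposal of 0.0.0.0/0.0.0.0 finds no matching crypto map entry. The remote-side list and the subset-matching rule in find_matching_entry are assumptions for illustration.

```python
import ipaddress

# Constructed excerpt in the form of the post's VPN_Tunnel crypto ACL (network values from the thread).
ASA_CRYPTO_ACL = """
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
"""

# Constructed (assumed) remote-side encryption domain as (its local, its remote) networks.
# One entry deliberately carries a wrong mask and one ASA network is missing, to show a mismatch report.
REMOTE_ENCRYPTION_DOMAIN = [
    ("192.168.123.0/24", "172.22.65.0/24"),
    ("10.1.34.5/32", "172.22.65.0/24"),
    ("10.1.20.76/32", "172.22.65.0/24"),
    ("62.88.129.0/24", "172.22.65.0/24"),   # ASA side expects host 62.88.129.221
]


def _parse_endpoint(tokens, i):
    """Consume one ACE endpoint starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # "address netmask" form, e.g. 172.22.65.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(text, acl_name):
    """Return the (local, remote) proxy identity pairs a crypto ACL defines, in ACE order."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", acl_name] or tokens[2:5] != ["extended", "permit", "ip"]:
            continue  # other ACLs, deny entries and port-specific ACEs are not proxy identities here
        local, i = _parse_endpoint(tokens, 5)
        remote, _ = _parse_endpoint(tokens, i)
        pairs.append((local, remote))
    return pairs


def _sort_key(pair):
    return (str(pair[0]), str(pair[1]))


def compare_encryption_domains(asa_pairs, remote_pairs):
    """Mirror the remote side's (local, remote) pairs and diff them against the ASA's.

    Both result lists empty means the two encryption domains are exact mirror images."""
    asa = set(asa_pairs)
    mirrored = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in remote_pairs}
    return {
        "only_on_asa": sorted(asa - mirrored, key=_sort_key),
        "only_on_remote": sorted(mirrored - asa, key=_sort_key),
    }


def find_matching_entry(asa_pairs, local_proxy, remote_proxy):
    """Return the first ACE whose networks cover a proposed (local, remote) proxy pair, or None.

    Simplified model (an assumption, not the ASA's exact algorithm) of the check behind the
    message 'no matching crypto map entry for remote proxy ... local proxy ...': a proposal
    wider than every ACE, such as 0.0.0.0/0.0.0.0, cannot be matched and phase 2 is rejected."""
    lp = ipaddress.ip_network(local_proxy)
    rp = ipaddress.ip_network(remote_proxy)
    for local, remote in asa_pairs:
        if lp.subnet_of(local) and rp.subnet_of(remote):
            return (local, remote)
    return None


if __name__ == "__main__":
    pairs = parse_crypto_acl(ASA_CRYPTO_ACL, "VPN_Tunnel")
    diff = compare_encryption_domains(pairs, REMOTE_ENCRYPTION_DOMAIN)
    for side, entries in diff.items():
        for local, remote in entries:
            print(f"{side}: local {local} <-> remote {remote}")
    print("wildcard proposal matches:", find_matching_entry(pairs, "0.0.0.0/0", "0.0.0.0/0"))
```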
Swap Cisco ASA SSM-10 from dead firewall
Good afternoon,
I currently have 2 Cisco 5510 firewalls. One of the firewalls is completely dead but contains a Cisco ASA SSM-10. Can I remove this card and just place it into a working unit? Will I have any problems doing so?
Regards
Paul
No, that shouldn't be a problem at all as the serial number of the SSM-10 module does not get linked to the actual ASA appliance.
-
CISCO ASA 5505 bandwidth Controll and split
Dear All,
Below I am giving the infrastructure which I would like to do. Please help me.
I am using a Cisco ASA 5505 VPN Firewall and a 6Mbps 1:1 dedicated internet connection.
On the LAN side we have 3 networks: one for Internet Users, one for VPN Users, one for CCTV.
I would like to split the 6Mbps bandwidth for these 3 networks, 3x2 each,
so each network uses 2Mbps bandwidth. The VPN and CCTV Users use it up to 6:00 pm, after that the bandwidth will be free,
and after 6:00 pm we need to give the VPN and CCTV line bandwidth to the Internet Users.
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
So please help me with a suitable configuration for my purpose. Please tell me which device will support this and what I have to do for this.
Thanks
Lalu R.S
There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
You can do some crude controls with QoS - the configuration guide chapter on doing that is here. -
Hello !
I'm a network administrator, and I have been looking for how to set up web filtering in a network. We are using a Cisco ASA 5510 as a firewall and I have been looking for a way to block URLs such as Facebook and streaming web sites, since users are allowed to access any website and they have been downloading stuff lately and I can't control the bandwidth!!
What do you guys recommend!
Thanks
Hi Neji,
Here you have all the content security options available on the ASA. I think only the CX doesn't apply to your HW but the other options are available.
Block URLs using Regular Expressions (Regex)
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
CSC module:
http://www.cisco.com/en/US/products/ps6823/index.html
How to enable the CSC module:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html
ASA CX module (ASA 5512,5525,5545,5545,5555)
http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
Scansafe:
http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/scansafe.html
Configuration Cisco Cloud Web Security
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1559223
Ironport:
http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
How to integrate the ASA with Ironport (WCCP):
https://supportforums.cisco.com/docs/DOC-12623
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html -
Hi,
I am little confused with different models of Cisco ASA Firewalls. I am trying to understand the real benefit of ASA Next-GEN ASA Firewalls. I understand the next-gen has visibility up to layer 7 but:
- with CX the previous gen of ASA Firewall had same or similar capability?
- Is CX removed from Next-Gen FW?
- Is AVC something apart from CX and new featue in the Next-Gen FW?
- What is the real advantage of upgrading to next-gen FW from older gen ASA Firewalls?
Thanks
Next Generation Firewall (NGFW) is partly a marketing term. Wikipedia has a definition (as does Gartner and a host of others). Typically it's understood to mean something more than a simple stateful firewall that only looks at packets up to the TCP session level.
Cisco ASA has had add-on features for years like IPS modules and the ability to use Identities in access-lists that could arguably be called NGFW. More recently they had the CX module (now approaching End of Sale). It had several NGFW features including AVC, Web Security Essentials (WSE) and IPS.
The current product lineup includes the FirePOWER modules with technology acquired from Sourcefire being developed and integrated into the Cisco security portfolio, including ASAs. Those also have AVC (basically the ability to look deep into a flow and determine application-specific (or even "microapplication") information). You leverage that with the addition of IPS, Web filtering and/or Advanced Malware Protection (AMP) licenses on the FirePOWER modules.
The advantage is that you are able to protect your enterprise from modern-day threats. With the vast majority of malware being exploits from web pages (or at least carried over http/https), the traditional firewall with a rule allowing, say, only http from inside clients does nothing to protect against those threats. Client side anti-malware software can help, but it may be too late once the malware has been identified. -
Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices
Hello
I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
So I am stuck...
What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
I was hoping Azure's VPN solution would be very flexible.
Thanks
Hello RTF_Admin,
1. Which is the Series of CISCO ASA device you are using?
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device, as Multi-Site VPN requires dynamic routing and unfortunately there is no tweak or workaround due to the hardware compatibility issue.
I hope that this information is helpful
Thanks,
Syed Irfan Hussain -
CISCO ASA 5505 VPN problem in Windows 7
I am using CISCO ASA 5505. Client PC with Windows XP can use IE to make the VPN connection normally.
However, client PC with Windows 7 cannot use IE to make the VPN connection.
It just shows the error "Internet Explorer cannot display the webpage".
Would you please help?
Thank you very much!
Hi Timothy,
Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying the connection from a restricted machine).
Also, add the site under trusted sites in IE, i.e. if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites.
Let me know if this helps.
Thanks,
Vishnu Sharma -
Unable to find out asdm image file cisco asa
Hello,
I am using a Cisco ASA in the GNS3 simulator and am unable to find the ASDM image or .bin file in the ASA flash. If it is not there, how can I upload the ASDM image onto the ASA flash?
Please help me out
Follow this:
http://www.xerunetworks.com/2012/03/asa-84-asdm-on-gns3-step-by-step-guide/
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura