Firewalls
I'm stumped. We're using Oracle 8 on NT, and just installed a firewall for the university. My remote users get the ORA 12203 error, and I have started CMAN and Listener on the server, and added the SOURCE_ROUTE = YES to the TNSNAMES file. However, after the initial handshake, the server and client just communicate on any port they want, not on 1521 and 1526 like I told them to. Any solutions?
Thanks,
Richard
Hi Carl.
It's been a while since I messed around with ACLs; however, I believe you need to enter the "established" command after the ACL rule, so any connections that go out will be allowed back in if they are already established.
E.g. (grabbed from http://www.networkclue.com/routing/Cisco/access-lists/index.aspx):
Assumptions:
internal network: 63.36.9.0
access-list 101 - Applied to traffic leaving the office (outgoing)
access-list 102 - Applied to traffic entering the office (incoming)
ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
Hope this helps.
Michael.
Similar Messages
-
Issue:
Cisco firewalls require only one level of password i.e. the domain username and password are used for both logging in as well as reaching global configuration mode.
Background:
We have multiple Cisco network devices set up which authenticate to our Windows domain controller using NPS (Windows 2008 R2). The switches we have set up all function exactly as we would hope as they require your domain username and password to login to the device. They then require a separate password when you use the enable command, this is stored in Active Directory:
Switches:
Username:domain-username
Password:domain-password
SWITCH>enable
Password:enable-password-in-Active-Directory
SWITCH#
Firewalls (as they currently are):
Username:domain-username
Password:domain-password
FIREWALL>enable
Password:domain-password
FIREWALL #
With the firewalls, however, they require your domain username and password first, and then your domain password again when using the enable command. I want the firewalls to use the enable level password that the switches currently use instead of the domain password again. The current configuration looks like the following:
Current switch configuration:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa session-id common
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 1234abcd
Current firewall configuration:
aaa-server DC01 protocol radius
aaa-server DC01 (outside) host 192.168.0.1
aaa authentication ssh console DC01 LOCAL
aaa authentication enable console DC01 LOCAL
key 1234abcd
Any help would be great, thanks!
Cisco ASA works that way by design. You could remove "aaa authentication enable" and then you could use the "enable password" command to set your enable password.
But if you do that, then ASA would change your username to "enable_15". That would break Authorization and Accounting if you're using them. Let me clarify with an example
Firewalls :
Username:domain-username
Password:domain-password
FIREWALL>show curpriv
Username : domain-username
Current privilege level : 1
Current Mode/s : P_UNPR
FIREWALL>enable
Password:enable-password-from-running-config
FIREWALL #show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
If you're using Authorization and Accounting it's recommended to stick with your current behavior. -
Itunes does not recognize Iphone. It asks me to restore or add as new phone each time I sign on. It then attempts to sync, just runs forever. After five tries, it allowed me to upgrade OS, but still refused to complete a sync. I have disabled firewalls. Error message 0xE8004006
Thanks
https://discussions.apple.com/thread/2482232?start=0&tstart=0
-
ASA Failover when Firewalls are at different sites - help
I am implementing a solution for a customer whereby they have two Cisco ASA 5520X firewalls. They wish for the firewalls to be in an Active-Standby state.
This not only means that if one firewall dies, the other will take over. It also means that any configuration changes made on the primary are copied to the backup.
The only catch is, both firewalls are at different sites. There is no layer 2 WAN link running between the sites. They are separated by both the internet cloud on one side and their internal company MPLS cloud on the other.
The diagram, that I have taken from my GNS3 simulation and modified slightly, shows the setup. All of the IP addresses (and AS numbers) are made up. Any reflection on real world IPs is unintentional and just a coincidence.
The diagram is probably too overcrowded with IP information than is needed in this question - but the basic idea is the following:
1. Under normal conditions traffic will flow to the internet from the remote MPLS site and leave via the firewall (PAT) at site1 - however note the public range of 23.23.23.0/24 is configured at both Site-1 and Site-2 - so at the moment the internet cloud is preferring Site-1 to reach that range.
2. If the internet link from INT-PRI at Site-1 fails, remote MPLS traffic destined for the internet will be forwarded out to the internet at Site-2.
3. If the two MPLS links to Site-1 fail, INT-PRI will stop advertising the public range to the internet PE routers and traffic from the remote MPLS router destined for the internet will go out via Site-2.
I have the tracking and dynamic routing failover setup between the sites all configured and worked out (I can provide the details of how INT-PRI tracks a sponge address in the MPLS cloud to determine whether or not it advertises the public range to the internet etc etc if you want, but on this question I want to focus on the firewalls).
Currently the customer has resigned to having to do manual copying between the firewalls every time a change is made (i.e. there is no dynamic failover configured and the Site-2 firewall is just a clone that is kept up to date by their change management team).
Is there a smart way to set up an Active-Standby configuration between these distant sites? Or at the very least dynamically copy the configuration to the backup every time a change is made? My first thought would be some kind of EEM or TCL script but I'm not that experienced with either. Alternatively, if there is a smart way to get the two firewalls talking over Layer 2 it might be a better way forward.
Thanks in advance. Apologies for this question being too wordy.
You could use Ethernet over MPLS (EoMPLS) or Virtual Private Lan Services (VPLS), though if I remember correctly this is limited to certain platforms and IOS versions.
Here is a design guide you could have a read through on the options
http://www.cisco.com/c/en/us/products/collateral/data-center-virtualization/data-center-interconnect/white_paper_c11_493718.html#wp9000079
EoMPLS configuration guide:
http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/config_guide/eompls.html
VPLS configuration guide:
http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_5/configuration/guide/cpt95_configuration/cpt95_configuration_chapter_011000.html
Please remember to rate and select a correct answer -
3.6.14 Firefox is BROKEN. Running MacOS 10.4.11. Updated this afternoon and after restart, I could not get Firefox to access ANY URL OR WEBSITE. I disabled and removed all the firewalls I know about and still get NO ACCESS to any web site.
I WANT TO GET VERSION 3.6.13 back again since it worked this morning!!!!!!! How do I download 3.6.13??????????
I've wasted too much time trying to get around this PROBLEM!!!!
Uninstall SIMBL as follows. Back up all data before making any changes.
Triple-click anywhere in the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
/Library
In the Finder, select
Go ▹ Go to Folder...
from the menu bar, paste into the box that opens (command-V), and press return. A folder will open. From that folder, delete the items listed below (some may be absent.) You may be prompted for your administrator login password.
Application Support/SIMBL
InputManagers/SIMBL
LaunchAgents/net.culater.SIMBL.Agent.plist
ScriptingAdditions/SIMBL.osax
Log out and log back in.
Make sure you never reinstall SIMBL. It's likely to come bundled with another third-party system modification that depends on it. If you want trouble-free computing, avoid software that makes miraculous changes to other software, especially built-in applications. The only real exception to that rule is Safari extensions, which are mostly safe, and are easy to get rid of when they don't work. SIMBL and its dependents are not Safari extensions. -
DirectAccess 2012 - Best way to deploy between two firewalls (NAT'd)
We are deploying DirectAccess 2012 and have a requirement that traffic from the internet (red) must be proxied through the DMZ (yellow) before touching anything on the internal network (green). I will initially only be configuring it to use IP-HTTPS (no
teredo). We have two firewalls, one on the perimeter (FW1), and one between the DMZ and internal networks (FW2).
I'm trying to determine the best way of deploying this in our environment. I've come up with two possibilities:
1. Deploy with two network cards, each connected to separate DMZs. In this scenario, NIC 1 would contain the internet facing IP in DMZ 1 (say 10.10.10.2 and NAT'd by FW1), and NIC2 would contain an internal facing IP on DMZ2 (say 10.10.11.2). NIC2 would
be routable to the internal subnets via the internal firewall.
Crude diagram: Internet -> FW1 -> 10.10.10.2---DA---10.10.11.2 -> FW2 -> Internal network
2. Deploy with one network card in the DMZ. This would be NAT'd by FW1, and then pass traffic through to to FW2. Since I'd be allowing all TCP/UDP traffic (as per MS) through FW2 to the primary network, this method seems unsafe to me.
Crude diagram: Internet -> FW1 -> 10.10.10.2---DA -> FW2 -> Internal network
What is the best and most secure way to deploy this in the DMZ? I do not want to put an internal network IP directly on the DirectAccess server, as it needs to go through FW2 before reaching internal. The DA server should be isolated in the DMZ.
Advice is appreciated.
Hi,
The first solution is better. The DA server is under the protection of FW1, and the DA server
already offers certain security itself, such as the requirement of a Computer Certificate, domain membership (which mean domain authentication) and so on.
Here is a related thread:
DirectAccess 2012 + Security concerns
http://social.technet.microsoft.com/Forums/windowsserver/en-US/2e394a72-d263-449f-9ec2-02701aa8cb96/directaccess-2012-security-concerns?forum=winserver8gen
Hope this helps.
Steven Lee
TechNet Community Support -
What is the best design to connect redundant Firewalls to redundant switches?
Hi All,
I would like to know the best possible design to connect redundant Firewalls (Netscreen, FortiGate etc) to redundant switches. I have dealt with Cisco FWSMs in which both the Firewall and switch are in the same chassis. So for the VLANs behind the Firewall, we just create the L3 interface on the FWSM and do a static route in the switch. The Gateway IP will be tied to the primary FWSM and the failover happens through the network. But now I need to know the best possible design when I am connecting to a different vendor firewall.
Let's say I have 5 VLANs and all these VLANs are behind the Firewall. The redundant switches will have the L2 VLANs created and have a static route to the Firewall. I am proposing the attached design in which I will have L2 VLANs created on the switch and L3 on the Firewall. The Firewalls and the switch will be connected with one trunk port and an access port for uplink and downlink traffic. The two switches will be connected to each other using a VLAN trunk. The two firewalls will be connected using a redundancy VLAN.
I am not so sure about the working of other firewalls such as Netscreen and FortiGate. I am also confused with the traffic path that the frames will take by having this design. Please advise if you have any suggestions.
Appreciate your help and advice.
regards
dathansubhash007 wrote: It's not an 802.3ad link aggregated interface. On the switch side, the ports will be configured as normal access ports and the bonding config will be done on the server side.
To be honest, I don't understand how the Linux bonding mode can work without anything configured the other end.
My understanding of 'bonding' comes from Multilink PPP (MLP) where the data stream is chopped up and split across two (or more) circuits. At the other end, a similar MLP-enabled device reforms the data stream from the multiple circuits, maintaining packet order. But this requires MLP-enabled 'bonding' devices at each end.
Perhaps you could help me better understand the Linux bonding...
subhash007 wrote: If any single homed server is connected to Switch 2, what will be the traffic path for its data packets?
Switch 2 ------------------> Switch 1 ----------------------> Active firewall
OR
Switch 2 ------------------> Passive Firewall -----------> Active Firewall
If the firewalls operate in the same fashion as Cisco ASAs, then the inter-firewall link doesn't carry traffic. It's for failover detection and HTTP replication only. But like I said, I'm not familiar with this vendor's products.
subhash007 wrote: Also will there be any change in traffic path if the trunk between Switch 1 & Switch 2 is converted to L3 routed interface? Since there is no VRRP, I can convert the trunk to L3 right?
Same as above. -
DTU Access Through Firewalls - Help Please
Hi Everyone,
I'm trying to connect some DTUs between two customer sites where they have 2 FOGs configured. I hope to use AMGH eventually but at the moment I'm just testing connectivity between the sites. I'm told that the firewalls between the sites are permitting all incoming TCP and UDP traffic to each site.
To test this I have been ssh'ing from site A to site B's SR servers and can also get to the web interface of both SR servers at site B from site A. I realise this doesn't really test the UDP side of things.
So here's the problem: The DTU at site A has the GUI firmware on and I've configured it to look for the primary SR server at site B. When I switch the DTU on it correctly obtains an IP address from DHCP at site A and then proceeds to try and talk to the SR server at site B. It seems to do this correctly and the SRSS web interface at site B shows a pseudo session has been created, however, the DTU at site A sits with the OSD 26B error (waiting for x session I believe).
Apart from the firewalls being incorrectly configured, is there anything else I need to do on the SR Servers to permit the DTUs getting X sessions?
Many thanks.
Chris
Edited by: mac_chris on Dec 30, 2009 9:08 AM
UPDATE:
Following some interesting conversations with the third party looking after the network it looks like this was a firewall configuration issue. It was indeed the case that no UDP traffic was able to get from site B to site A which is why the DTUs at site A pointing at site B weren't showing a session.
DTUs at site A can now get sessions from site B so all is well.
Edited by: mac_chris on Jan 7, 2010 2:40 AM -
Why does a standalone program created in LabVIEW 8.5 try connecting to the internet when the program only reads data through the serial port? Firewalls object to programs that contact the internet without permission.
The created program is not performing a command I have written when it tries to connect to the internet, it must be Labview that is doing it. How do I stop this from happening?
Any help would be very appreciated.
It looks that way..
"When LabVIEW starts it contacts the service
locator to removes all services for itself. This request is triggering
the firewall.This is done in case there were services that were not
unregistered the last time LabVIEW executed- for example from VIs that
didn't clean up after themselves"
This is not yet fixed in LV2009.
Message Edited by Ray.R on 11-04-2009 12:25 PM -
New Qos and Firewalls URL Options for gamers for Win10
This is more of a gamer thing.
I'm wondering if there's a way to implement URLs (instead of IPs) with ports into Firewalls and QoS? Naturally I don't want to open ports for all IPs, and determining all IPs for some sites, when there are multiple worlds, can't always be done.
It would be nice to say, for all *.SomeGame.com allow this port to be open.
Additionally, if this rule is active, give it higher priority than video or voice....
I have seen some gamer systems where their router and firewall have an open port for their games :\ Also, usually most gamers will have Skype/Twitch/Netflix/Hulu open whilst gaming. Naturally, they don't want lag for their games, and would prefer their gaming
to have priority over any voice or video.
You do not need to set up anything like that in any Windows for a gaming application... even if I am running a torrent + DC++ client I have no lags or freezes and so on. So if you want to set up QoS just find the appropriate guide for the specific application. And btw URLs don't match game server IPs & port ranges, so it has never been released under QoS development. Because QoS is about how to manage your existing LAN bandwidth for applications on your OS installation. -
Special characters in the shared key when importing firewalls
Hello
We are using CWVMS to import and configure PIX firewalls.
The shared isakmp key of one of the firewalls has not been accepted during import because it contains special characters.
The problem is that the customer does not have authority to change the key.
Does Management Center for Firewalls really accept only alphanumeric isakmp keys ? Is there another alternative to changing the key ?
Thank you sincerely for your help.
I am not sure what your problem is. But ISAKMP keys can be changed directly on the PIX using the command line interface. I have not used any special character in the ISAKMP keys. Can anyone confirm that special characters can be used within ISAKMP keys?
-
SNMP does not work on the standby ASA firewalls
Hello Everyone,
I have a pair of 5 pairs of active/standby ASA firewalls running 8.4.4(1)
All the active firewall respond to the SNMP requests, but the standby firewalls do not. I'm using SNMP v3. The configuration of primary and secondary firewalls is replica of each other, apart from the ip addressess.
I want the secondary firewall to respond to SNMP requests coming in from the monitoring server. Can someone please help ?
Thanks,
Rishi
Assuming you can ping both firewalls, the problem is that the firewall pair shares the same config and therefore the same SNMPv3 engineID. Some NMSs (e.g. WhatsUp Gold) do not support this and therefore only 1 firewall in the pair can be queried.
Doesn't look like this has been fixed yet:
Bug info: CSCtl88556 - ASA5520 failover pair has duplicate snmp v3 engine id -
I keep getting this message when trying to navigate in myverizon:
The problems you are experiencing are most likely the result of Web filtering software, firewalls, popup blockers or ad blocking software.
You may resolve this issue by visiting your browser's website and searching for instructions on temporarily disabling Web filtering software, firewalls, popup blockers, and/or ad blocking software. You may also use another computer.
Which problems are you experiencing if you visit that website?
Clear the cache and the cookies from sites that cause problems.
"Clear the Cache":
* Firefox > Preferences > Advanced > Network > Offline Storage (Cache): "Clear Now"
"Remove Cookies" from sites causing problems:
* Firefox > Preferences > Privacy > Cookies: "Show Cookies" -
I have a Primary ISE node (primary admin/monitoring/policy) sitting in network 192.168.1.0/24 and the Secondary ISE node (secondary admin/monitoring/policy) sitting in network 192.168.2.0/24. There is a firewall sitting between these two networks.
What TCP and UDP ports do I need to open on the firewalls so that these two nodes can communicate and sync with each other? I AM ONLY INTERESTED IN THE TRAFFICS BETWEEN THESE TWO NODES and not other traffics to else where.
I've read through the documentation and it seems that I only need a couple of tcp and udp ports for this.
Any comments?
Thank you in advance.
david
David,
AFAIU a minimum of TCP/443 and TCP/1521 (and ICMP for heartbeat).
http://www.cisco.com/en/US/partner/docs/security/ise/1.1/installation_guide/ise_app_e-ports.html
M. -
Load balancing of PIX firewalls with multiple DMZs
I need a suggestion about how to balance the traffic through two PIX firewalls, with 4 interfaces (IN,OUT,DMZ1,DMZ2)
In all the documentation related to the subject, I see always the firewalls with only two interfaces:
http://www.cisco.com/warp/customer/117/fw_load_balancing.html
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
What if I need to balance on more than 2 interfaces?
Do I have to add more content switches, one for each interface ?
Or could I use VLANs inside the same content switches, and assign the ports to DMZs appropriately ?
Thank you in advance for any help.
We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing the full capacity of them. If you get the Blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
Then again, it depends on if physical security is essential to you, and you are concerned with L2 attacks (VLAN Hopping, etc.) There are tradeoffs and benefits when using a consolidated infrastructure. -
ACS DB Replication Fails Through Cisco Firewalls w/Skinny Policy Inspect
We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replicate the internal databases for redundancy. The problem is that replications fail between the ACS servers and it is because of the default port the ACS servers use to replicate over... TCP 2000.
Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
When the policy-inspect skinny command is enabled on the firewalls, the ACS server replication breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that is defined by the IETF as a well-known port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.
And no... we should not have to disable the inspect-policy for skinny on the ASAs. :-)
Any help to quell my frustration on this topic would be appreciated.
Thanks,
-Scott
Scott,
If disabling the inspection of the skinny protocol is not feasible, the following
configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
#Define what traffic you want inspected:
access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
access-list skinny_acl extended permit tcp any any eq 2000
#Create a class map to match the acl
class-map skinny_map
 match access-list skinny_acl
#Under the global policy, take the skinny inspection out of the
#class inspection_default, and add it under our new class
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class skinny_map
  inspect skinny
service-policy global_policy global
###Will be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
Global policy:
  Service-policy: global_policy
    Class-map: skinny_map
      Match: access-list skinny_acl
        Access rule: permit tcp any any eq 2000
      Action:
        Input flow: inspect skinny
FWSM(config-pmap-c)#
###Will not be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
Global policy:
  Service-policy: global_policy
FWSM(config-pmap-c)#
Regards,
~JG
Please rate if helps !
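The ACL matching behind both the "established" rule in Michael's answer (ACL 102, first thread) and the skinny_acl class in JG's answer above, modelled in Python as an added example that is not code from either post. Flow, Ace and the function names are mine; the addresses and access-list lines are the ones the posts use, and every flow is assumed to be TCP.

```python
"""Small model of Cisco access-list matching (added illustration, not from
the posts). Shows the IOS `established` keyword of ACL 102, which tests the
packet's ACK/RST flags rather than consulting a session table, and the ASA
`match access-list` rule of class skinny_map, where `deny` entries keep the
two ACS servers out of `inspect skinny`."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag set on the packet being checked
    rst: bool = False  # TCP RST flag set


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # "eq <port>" on the destination, None = any
    established: bool            # IOS keyword: match only ACK or RST packets


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are inverted netmasks: 0.0.0.255 is a /24.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens.pop(0))))
    return ipaddress.ip_network(f"{head}/{netmask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse `access-list N [extended] permit|deny ip|tcp SRC DST [eq P] [established]`."""
    tokens = line.split()[2:]     # drop "access-list" and the list name/number
    if tokens[0] == "extended":
        tokens.pop(0)
    action = tokens.pop(0)
    tokens.pop(0)                 # protocol: all flows modelled here are TCP, so ip and tcp both apply
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    port, established = None, False
    while tokens:
        tok = tokens.pop(0)
        if tok == "eq":
            port = int(tokens.pop(0))
        elif tok == "established":
            established = True
    return Ace(action, src, dst, port, established)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ipaddress.ip_address(flow.src) not in ace.src:
        return False
    if ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    if ace.port is not None and flow.dport != ace.port:
        return False
    # Only the flags are examined: an ACK that never had an inside SYN still passes.
    return not ace.established or flow.ack or flow.rst


def acl_action(acl: List[Ace], flow: Flow) -> str:
    """First matching entry wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


ACL_102 = [parse_ace("access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established")]
SKINNY_ACL = [parse_ace(line) for line in (
    "access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6",
    "access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3",
    "access-list skinny_acl extended permit tcp any any eq 2000",
)]


def inspected_for_skinny(flow: Flow) -> bool:
    """A flow is in class skinny_map, and so gets `inspect skinny`, only if the ACL permits it."""
    return acl_action(SKINNY_ACL, flow) == "permit"
```

The two skinny_acl checks reproduce the two "show service-policy flow" results JG quotes; the ACL 102 checks show why "established" is a flag test rather than stateful inspection.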