Firewalls

I'm stumped. We're using Oracle 8 on NT, and just installed a firewall for the university. My remote users get the ORA 12203 error, and I have started CMAN and Listener on the server, and added the SOURCE_ROUTE = YES to the TNSNAMES file. However, after the initial handshake, the server and client just communicate on any port they want, not on 1521 and 1526 like I told them to. Any solutions?
Thanks,
Richard

Hi Carl.
It's been a while since I messed around with ACLs, however, I believe you need to enter the "established" command after the ACL rule, so any connections that go out will be allowed back in if they are already established.
E.g. (grabbed from http://www.networkclue.com/routing/Cisco/access-lists/index.aspx):
Assumptions:
internal network: 63.36.9.0
access-list 101 - Applied to traffic leaving the office (outgoing)
access-list 102 - Applied to traffic entering the office (incoming)
ACL 101
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
ACL 102
access-list 102 permit tcp any 63.36.9.0 0.0.0.255 established
Hope this helps.
Michael.

Similar Messages

  • Why do my firewalls only use the domain username and password for login and enable passwords, not a different enable password like my switches do? The RADIUS config looks the same...

    Issue:
    Cisco firewalls require only one level of password i.e. the domain username and password are used for both logging in as well as reaching global configuration mode.
    Background:
    We have multiple Cisco network devices set up which authenticate to our Windows domain controller using NPS (Windows 2008 R2). The switches we have set up all function exactly as we would hope as they require your domain username and password to login to the device. They then require a separate password when you use the enable command, this is stored in Active Directory:
    Switches:
    Username:domain-username
    Password:domain-password
    SWITCH>enable
    Password:enable-password-in-Active-Directory
    SWITCH#
    Firewalls (as they currently are):
    Username:domain-username
    Password:domain-password
    FIREWALL>enable
    Password:domain-password
    FIREWALL #
    With the firewalls however, they require your domain username and password first, and then your domain password again when using the enable command. I want the firewalls to use the enable level password that the switches currently use instead of the domain password again. The current configuration looks like the following:
    Current switch configuration:
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default group radius local
    aaa session-id common
    radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key 7 1234abcd
    Current firewall configuration:
    aaa-server DC01 protocol radius
    aaa-server DC01 (outside) host 192.168.0.1
    aaa authentication ssh console DC01 LOCAL
    aaa authentication enable console DC01 LOCAL
    key 1234abcd
    Any help would be great, thanks!

    Cisco ASA works that way by design. You could remove "aaa authentication enable" and then you could use the "enable password" command to set your enable password.
    But if you do that, then ASA would change your username to "enable_15". That would break Authorization and Accounting if you're using them. Let me clarify with an example
    Firewalls :
    Username:domain-username
    Password:domain-password
    FIREWALL>show curpriv
    Username : domain-username
    Current privilege level : 1
    Current Mode/s : P_UNPR
    FIREWALL>enable
    Password:enable-password-from-running-config
    FIREWALL #show curpriv
    Username : enable_15
    Current privilege level : 15
    Current Mode/s : P_PRIV
    If you're using Authorization and Accounting it's recommended to stick with your current behavior.

  • iTunes fails to recognize my phone and wants me to load as 'new phone' each time I hook up. I have disabled firewalls and it will recognize one out of five times. It also attempts to sync but just runs forever, then gives error message 0xE8004006

    iTunes does not recognize iPhone. It asks me to restore or add as new phone each time I sign on. It then attempts to sync, just runs forever. After five tries, it allowed me to upgrade OS, but still refused to complete a sync. I have disabled firewalls. Error message 0xE8004006
    Thanks

    https://discussions.apple.com/thread/2482232?start=0&tstart=0

  • ASA Failover when Firewalls are at different sites - help

    I am implementing a solution for a customer whereby they have two Cisco ASA 5520X firewalls. They wish for the firewalls to be in an Active-Standby state.
    This not only means that if one firewall dies, the other will take over. It also means that any configuration changes made on the primary are copied to the backup.
    The only catch is, both firewalls are at different sites. There is no layer 2 WAN link running between the sites. They are separated by both the internet cloud on one side and their internal company MPLS cloud on the other.
    The diagram, that I have taken from my GNS3 simulation and modified slightly, shows the setup. All of the IP addresses (and AS numbers) are made up. Any reflection on real world IPs is unintentional and just a coincidence.
    The diagram is probably too overcrowded with IP information than is needed in this question - but the basic idea is the following:
    1. Under normal conditions traffic will flow to the internet from the remote MPLS site and leave via the firewall (PAT) at site1 - however note the public range of 23.23.23.0/24 is configured at both Site-1 and Site-2 - so at the moment the internet cloud is preferring Site-1 to reach that range.
    2. If the internet link from INT-PRI at Site-1 fails, remote MPLS traffic destined for the internet will be forwarded out to the internet at Site-2.
    3. If the two MPLS links to Site-1 fail, INT-PRI will stop advertising the public range to the internet PE routers and traffic from the remote MPLS router destined for the internet will go out via Site-2.
    I have the tracking and dynamic routing failover setup between the sites all configured and worked out (I can provide the details of how INT-PRI tracks a sponge address in the MPLS cloud to determine whether or not it advertises the public range to the internet etc etc if you want, but on this question I want to focus on the firewalls).
    Currently the customer has resigned to having to do manual copying between the firewalls every time a change is made (i.e. there is no dynamic failover configured and the Site-2 firewall is just a clone that is kept up to date by their change management team).
    Is there a smart way to set up an Active-Standby configuration between these distant sites? Or at the very least dynamically copy the configuration to the backup every time a change is made? My first thought would be some kind of EEM or TCL script but I'm not that experienced with either. Alternatively, if there is a smart way to get the two firewalls talking over Layer 2 it might be a better way forward.
    Thanks in advance. Apologies for this question being too wordy.

    You could use Ethernet over MPLS (EoMPLS) or Virtual Private LAN Services (VPLS), though if I remember correctly this is limited to certain platforms and IOS versions.
    Here is a design guide you could have a read through on the options
    http://www.cisco.com/c/en/us/products/collateral/data-center-virtualization/data-center-interconnect/white_paper_c11_493718.html#wp9000079
    EoMPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/config_guide/eompls.html
    VPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_5/configuration/guide/cpt95_configuration/cpt95_configuration_chapter_011000.html
    Please remember to rate and select a correct answer

  • 3.6.14 cannot open ANY URL. Disabled all Firewalls. How can I get 3.6.13 download???????

    3.6.14 Firefox is BROKEN. Running MacOS 10.4.11. Updated this afternoon and after restart, I could not get Firefox to access ANY URL OR WEBSITE. I disabled and removed all the firewalls I know about and still get NO ACCESS to any web site.
    I WANT TO GET VERSION 3.6.13 back again since it worked this morning!!!!!!! How do I download 3.6.13??????????
    I've wasted too much time trying to get around this PROBLEM!!!!

    Uninstall SIMBL as follows. Back up all data before making any changes.
    Triple-click anywhere in the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
    /Library
    In the Finder, select
    Go ▹ Go to Folder...
    from the menu bar, paste into the box that opens (command-V), and press return. A folder will open. From that folder, delete the items listed below (some may be absent.) You may be prompted for your administrator login password.
    Application Support/SIMBL
    InputManagers/SIMBL
    LaunchAgents/net.culater.SIMBL.Agent.plist
    ScriptingAdditions/SIMBL.osax
    Log out and log back in.
    Make sure you never reinstall SIMBL. It's likely to come bundled with another third-party system modification that depends on it. If you want trouble-free computing, avoid software that makes miraculous changes to other software, especially built-in applications. The only real exception to that rule is Safari extensions, which are mostly safe, and are easy to get rid of when they don't work. SIMBL and its dependents are not Safari extensions.

  • DirectAccess 2012 - Best way to deploy between two firewalls (NAT'd)

    We are deploying DirectAccess 2012 and have a requirement that traffic from the internet (red) must be proxied through the DMZ (yellow) before touching anything on the internal network (green). I will initially only be configuring it to use IP-HTTPS (no teredo). We have two firewalls, one on the perimeter (FW1), and one between the DMZ and internal networks (FW2).
    I'm trying to determine the best way of deploying this in our environment. I've come up with two possibilities:
    1. Deploy with two network cards, each connected to separate DMZs. In this scenario, NIC 1 would contain the internet facing IP in DMZ 1 (say 10.10.10.2 and NAT'd by FW1), and NIC2 would contain an internal facing IP on DMZ2 (say 10.10.11.2). NIC2 would be routable to the internal subnets via the internal firewall.
    Crude diagram:    Internet -> FW1 -> 10.10.10.2---DA---10.10.11.2 -> FW2 -> Internal network
    2. Deploy with one network card in the DMZ. This would be NAT'd by FW1, and then pass traffic through to FW2. Since I'd be allowing all TCP/UDP traffic (as per MS) through FW2 to the primary network, this method seems unsafe to me.
    Crude diagram:   Internet -> FW1 -> 10.10.10.2---DA -> FW2 -> Internal network
    What is the best and most secure way to deploy this in the DMZ? I do not want to put an internal network IP directly on the DirectAccess server, as it needs to go through FW2 before reaching internal. The DA server should be isolated in the DMZ.
    Advice is appreciated.

    Hi,
    The first solution is better. The DA server is under the protection of FW1, and the DA server already offers certain security itself, such as the requirement of a Computer Certificate, domain membership (which means domain authentication) and so on.
    Here is a related thread:
    DirectAccess 2012 + Security concerns
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2e394a72-d263-449f-9ec2-02701aa8cb96/directaccess-2012-security-concerns?forum=winserver8gen
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • What is the best design to connect redundant Firewalls to redundant switches?

    Hi All,
    I would like to know the best possible design to connect redundant Firewalls (Netscreen, FortiGate etc) to redundant switches. I have dealt with Cisco FWSMs in which both the Firewall and switch are in the same chassis. So for the VLANs behind the Firewall, we just create the L3 interface on the FWSM and do a static route in the switch. The Gateway IP will be tied to the primary FWSM and the failover happens through the network. But now I need to know the best possible design when I am connecting to a different vendor firewall.
    Let's say I have 5 VLANs and all these VLANs are behind the Firewall. The redundant switches will have the L2 VLANs created and have a static route to the Firewall. I am proposing the attached design in which I will have L2 VLANs created on the switch and L3 on the Firewall. The Firewalls and the switch will be connected with one trunk port and an access port for uplink and downlink traffic. The two switches will be connected to each other using a VLAN trunk. The two firewalls will be connected using a redundancy VLAN.
    I am not so sure about the working of other firewalls such as Netscreen and FortiGate. I am also confused with the traffic path that the frames will take by having this design. Please advise if you have any suggestions.
    Appreciate your help and advice.
    regards
    dathan

    subhash007 wrote: It's not an 802.3ad link aggregated interface. In the switch side, the ports will be configured as normal access ports and the bonding config will be done on the server side.
    To be honest, I don't understand how the Linux bonding mode can work without anything configured the other end.
    My understanding of 'bonding' comes from Multilink PPP (MLP) where the data stream is chopped up and split across two (or more) circuits. At the other end, a similar MLP-enabled device reforms the data stream from the multiple circuits, maintaining packet order. But this requires MLP-enabled 'bonding' devices at each end.
    Perhaps you could help me better understand the Linux bonding...
    subhash007 wrote: If any single homed server is connected to Switch 2, what will be the traffic path for its data packets?
    Switch 2 ------------------> Switch 1 ----------------------> Active firewall
    OR
    Switch 2 ------------------> Passive Firewall -----------> Active Firewall
    If the firewalls operate in the same fashion as Cisco ASAs, then the inter-firewall link doesn't carry traffic. It's for failover detection and HTTP replication only. But like I said, I'm not familiar with this vendor's products.
    subhash007 wrote:Also will there be any change in traffic path if the trunk between Switch 1 & Switch 2 is converted to L3 routed interface? Since there is no VRRP, i can convert the trunk to L3 right?
    Same as above.

  • DTU Access Through Firewalls - Help Please

    Hi Everyone,
    I'm trying to connect some DTUs between two customer sites where they have 2 FOGs configured. I hope to use AMGH eventually but at the moment I'm just testing connectivity between the sites. I'm told that the firewalls between the sites are permitting all incoming TCP and UDP traffic to each site.
    To test this I have been ssh'ing from site A to site B's SR servers and can also get to the web interface of both SR servers at site B from site A. I realise this doesn't really test the UDP side of things.
    So here's the problem: The DTU at site A has the GUI firmware on and I've configured it to look for the primary SR server at site B. When I switch the DTU on it correctly obtains an IP address from DHCP at site A and then proceeds to try and talk to the SR server at site B. It seems to do this correctly and the SRSS web interface at site B shows a pseudo session has been created, however, the DTU at site A sits with the OSD 26B error (waiting for x session I believe).
    Apart from the firewalls being incorrectly configured is there anything else I need to do on the SR Servers to permit the DTUs getting X sessions?
    Many thanks.
    Chris
    Edited by: mac_chris on Dec 30, 2009 9:08 AM

    UPDATE:
    Following some interesting conversations with the third party looking after the network it looks like this was a firewall configuration issue. It was indeed the case that no UDP traffic was able to get from site B to site A which is why the DTUs at site A pointing at site B weren't showing a session.
    DTUs at site A can now get sessions from site B so all is well.
    Edited by: mac_chris on Jan 7, 2010 2:40 AM

  • Why does a standalone program created in Labview 8.5 try connecting to the internet when the program only reads data through the serial port? Firewalls object to programs that contact the internet without permission.

    Why does a standalone program created in Labview 8.5 try connecting to the internet when the program only reads data through the serial port? Firewalls object to programs that contact the internet without permission.
    The created program is not performing a command I have written when it tries to connect to the internet, it must be Labview that is doing it. How do I stop this from happening? 
    Any help would be very appreciated.

    It looks that way..
    "When LabVIEW starts it contacts the service
    locator to removes all services for itself. This request is triggering
    the firewall. This is done in case there were services that were not
    unregistered the last time LabVIEW executed- for example from VIs that
    didn't clean up after themselves"
    This is not yet fixed in LV2009.
    Message Edited by Ray.R on 11-04-2009 12:25 PM

  • New Qos and Firewalls URL Options for gamers for Win10

    This is more of a gamer thing.
    I'm wondering if there's a way to implement URLs (instead of IPs) with ports into Firewalls and QoS? Naturally I don't want to open ports for all IPs, and determining all IPs for some sites, when there are multiple worlds, can't always be done.
    It would be nice to say, for all *.SomeGame.com allow this port to be open.
    Additionally, if this rule is active, give it higher priority than video or voice....
    I have seen some gamer systems where their router and firewall have an open port for their games :\ Also, usually most gamers will have Skype/Twitch/Netflix/Hulu open whilst gaming. Naturally, they don't want lag for their games, and would prefer their gaming to have priority over any voice or video.

    You do not need to set up anything like that in any Windows for a gaming application... even if I'm running a torrent + dc++ client I have no lags or freezes and so on. So if you want to set up QoS just find the appropriate guide for the specific application. And btw URLs don't match game server IP and port ranges, so it has never been released under QoS development. Because QoS is about how to manage your existing LAN bandwidth for applications on your OS installation.

  • Special characters in the shared key when importing firewalls

    Hello
    We are using CWVMS to import and configure PIX firewalls.
    The shared isakmp key of one of the firewalls has not been accepted during import because it contains special characters.
    The problem is that the customer does not have authority to change the key.
    Does Management Center for Firewalls really accept only alphanumeric isakmp keys ? Is there another alternative to changing the key ?
    Thank you sincerely for your help.

    I am not sure what your problem is. But ISAKMP keys can be changed directly on the PIX using the command line interface. I have not used any special character in the ISAKMP keys. Can anyone confirm that special characters can be used within ISAKMP keys?

  • SNMP does not work on the standby ASA firewalls

    Hello Everyone,
    I have 5 pairs of active/standby ASA firewalls running 8.4.4(1).
    All the active firewalls respond to the SNMP requests, but the standby firewalls do not. I'm using SNMP v3. The configuration of primary and secondary firewalls is a replica of each other, apart from the IP addresses.
    I want the secondary firewall to respond to SNMP requests coming in from the monitoring server. Can someone please help ?
    Thanks,
    Rishi

    Assuming you can ping both firewalls, the problem is that the firewall pair shares the same config and therefore, the same SNMPv3 engineID. Some NMSs (e.g. WhatsUp Gold) do not support this and therefore only 1 firewall in the pair can be queried.
    Doesn't look like this has been fixed yet:
    Bug info: CSCtl88556 - ASA5520 failover pair has duplicate snmp v3 engine id

  • How do I temporarily disable web filtering software? I'm getting a message: The problems you are experiencing are most likely the result of Web filtering software, firewalls, popup blockers or ad blocking software.

    I keep getting this message when trying to navigate in myverizon:
    The problems you are experiencing are most likely the result of Web filtering software, firewalls, popup blockers or ad blocking software.
    You may resolve this issue by visiting your browser's website and searching for instructions on temporarily disabling Web filtering software, firewalls, popup blockers, and/or ad blocking software. You may also use another computer.

    Which problems are you experiencing if you visit that website?
    Clear the cache and the cookies from sites that cause problems.
    "Clear the Cache":
    * Firefox > Preferences > Advanced > Network > Offline Storage (Cache): "Clear Now"
    "Remove Cookies" from sites causing problems:
    * Firefox > Preferences > Privacy > Cookies: "Show Cookies"

  • ISE and firewalls

    I have a Primary ISE node  (primary admin/monitoring/policy) sitting in network 192.168.1.0/24 and the Secondary ISE node (secondary admin/monitoring/policy) sitting in network 192.168.2.0/24.  There is a firewall sitting between these two networks.
    What TCP and UDP ports do I need to open on the firewalls so that these two nodes can communicate and sync with each other? I AM ONLY INTERESTED IN THE TRAFFIC BETWEEN THESE TWO NODES and not other traffic to elsewhere.
    I've read through the documentation and it seems that I only need a couple of tcp and udp ports for this.
    Any comments?
    Thank you  in advance.
    david

    David,
    AFAIU minimum of TCP/443 and TCP/1521 (and ICMP for heartbeat).
    http://www.cisco.com/en/US/partner/docs/security/ise/1.1/installation_guide/ise_app_e-ports.html
    M.

  • Load balancing of PIX firewalls with multiple DMZs

    I need a suggestion about how to balance the traffic through two PIX firewalls, with 4 interfaces (IN,OUT,DMZ1,DMZ2)
    In all the documentation related to the subject, I see always the firewalls with only two interfaces:
    http://www.cisco.com/warp/customer/117/fw_load_balancing.html
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
    What if I need to balance on more than 2 interfaces?
    Do I have to add more content switches, one for each interface ?
    Or could I use VLANs inside the same content switches, and assign the ports to DMZs appropriately ?
    Thank you in advance for any help.

    We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing the full capacity of them. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
    Then again, it depends on if physical security is essential to you, and you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.

  • ACS DB Replication Fails Through Cisco Firewalls w/Skinny Policy Inspect

    We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replicate the internal databases for redundancy. The problem is that replications fail between the ACS servers and it is because of the default port the ACS servers use to replicate over... TCP 2000.
    Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
    When the policy-inspect skinny command is enabled on the firewalls, the ACS server replication breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
    Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
    Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that is defined by the IETF as a well-known port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.
    And no... we should not have to disable the inspect-policy for skinny on the ASAs. :-)
    Any help to quell my frustration on this topic would be appreciated.
    Thanks,
    -Scott

    Scott,
    If disabling the inspection of the skinny protocol is not feasible, the following configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
    In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
    #Define what traffic you want inspected:
    access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
    access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
    access-list skinny_acl extended permit tcp any any eq 2000
    #Create a class map to match the acl
    class-map skinny_map
    match access-list skinny_acl
    #Under the global policy, take the skinny inspection out of the
    #class inspection_default, and add it under our new class
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    class skinny_map
    inspect skinny
    service-policy global_policy global
    ###Will be inspected for skinny###
    FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
    Global policy:
    Service-policy: global_policy
    Class-map: skinny_map
    Match: access-list skinny_acl
    Access rule: permit tcp any any eq 2000
    Action:
    Input flow: inspect skinny
    FWSM(config-pmap-c)#
    ###Will not be inspected for skinny###
    FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
    Global policy:
    Service-policy: global_policy
    FWSM(config-pmap-c)#
    Regards,
    ~JG
    Please rate if helps !
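
A small simulation of the two ACL behaviours relied on in the threads above, written as an added example and not code from any of the posts: the `established` keyword in Michael's ACL 102 (return traffic is permitted only when the ACK or RST flag is set, so an unsolicited inbound SYN is refused) and the `deny` entries in JG's `skinny_acl`, which keep the two ACS replication hosts out of the `skinny_map` class while every other TCP/2000 flow is still inspected. The Packet/Entry model, the host 63.36.9.10 inside Michael's 63.36.9.0/24 range and the outside address 198.51.100.7 are constructed for the example; the other addresses are the ones the posts use.

```python
"""Added example: first-match Cisco ACL evaluation, the 'established' keyword
and ACL-based class-map matching. Not code from the forum posts above."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard(addr: str, wc: str) -> ipaddress.IPv4Network:
    """Translate 'address wildcard' (e.g. 63.36.9.0 0.0.0.255) into a network.
    Wildcard bits set to 1 are 'don't care'; inverting them gives the netmask.
    Only contiguous wildcards are supported (IPv4Network rejects the rest)."""
    mask = int(ipaddress.IPv4Address(wc)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def host(addr: str) -> ipaddress.IPv4Network:
    """'host 10.1.2.3' is shorthand for a /32."""
    return ipaddress.IPv4Network(addr + "/32")


@dataclass(frozen=True)
class Packet:               # constructed model of the fields an ACL looks at
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # 'eq <port>' on the destination
    established: bool = False     # match only ACK or RST, i.e. not a new SYN


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in e.src:
        return False
    if ipaddress.IPv4Address(p.dst) not in e.dst:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    # 'established' only matches segments of a session someone already opened:
    # a bare SYN carries neither ACK nor RST, so it falls through to the deny.
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; every IOS/ASA ACL ends with an implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# Michael's example: 101 applied to outgoing traffic, 102 to incoming traffic.
ACL_101 = [Entry("permit", "tcp", wildcard("63.36.9.0", "0.0.0.255"), ANY, dport=80)]
ACL_102 = [Entry("permit", "tcp", ANY, wildcard("63.36.9.0", "0.0.0.255"), established=True)]

# JG's skinny_acl: the deny entries take the two ACS servers out of the class.
SKINNY_ACL = [
    Entry("deny", "ip", host("10.1.2.3"), host("10.4.5.6")),
    Entry("deny", "ip", host("10.4.5.6"), host("10.1.2.3")),
    Entry("permit", "tcp", ANY, ANY, dport=2000),
]


def inspected_for_skinny(p: Packet) -> bool:
    """A class-map 'match access-list' matches only on a permit entry; a deny
    entry (or the implicit deny) means the flow is not in the class at all."""
    return evaluate(SKINNY_ACL, p) == "permit"
```

Feeding ACL 102 an inbound bare SYN returns "deny" while the SYN/ACK reply to an outbound web request returns "permit", which is exactly the return-path behaviour the `established` keyword buys; the ACS pair's TCP/2000 flow is not in `skinny_map`, so the skinny fixup never sees it.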
