IDSM2 with FWSM with contexts
Hiya,
I'm not a Security guy so keep it simple!
If deploying a FWSM with multiple contexts, and you have an IDSM-2 installed:
Does the IDSM need to be split into contexts to match the FWSM contexts?
If not, does it just monitor the backplane traffic and not care about the multiple contexts?
Hi .. by looking at your diagram .. I suggest trying to place the IDSM-2 so that traffic is inspected after the firewall policies have been checked; otherwise you might end up inspecting traffic that will be blocked by the firewall anyway. You also need to create what are called boundary VLANs so that your IDSM bridges the traffic between the inline VLANs... Confused ..?
It gets a bit "blue" when you try inspecting inline on a module. For example, let's say you have Context1 with interfaces VLAN10 (outside) and VLAN20 (inside). You would have to create another VLAN30 (boundary VLAN). You then need to allocate the devices ONLY (not the ASA's interface) from VLAN20 to VLAN30 (only change VLAN membership and not the IP scheme). Next, on one of the IDSM-2 sensing ports you need to create a VLAN inline pair (it uses subinterfaces) which bridges VLAN20 <-> VLAN30. In that way traffic to/from your inside devices will traverse the IDSM-2 before reaching its destination.
I suggest you create a test context, allocate the 2 VLANs, create the VLAN inline pair on the IDSM-2 and test.. Once you are happy you can replicate the same configuration for the production contexts.
Below is a brief example of what you need to do for each context:
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/2
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# description INT1
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 52
sensor(config-int-phy-inl-sub)# vlan2 53
sensor(config-int-phy-inl-sub)# description pairs vlans 52 and 53
sensor(config-int-phy-inl-sub)# show settings
subinterface-number: 1
description: VLANpair1 default:
vlan1: 52
vlan2: 53
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:
I hope it helps ... please rate it if it does !!!
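The sensor snippet above covers only the IDSM-2 side. As an added example (not part of the original reply), this is the matching Catalyst 6500 supervisor and FWSM system-context configuration for the VLAN10/VLAN20/VLAN30 scenario described in the prose (the sensor snippet uses 52/53; the numbering here follows the explanation). The slot numbers (FWSM in slot 4, IDSM-2 in slot 5), the host port Gi1/1 and the context name are assumptions.

```cisco
! --- Catalyst 6500 supervisor (added example; slots and ports are assumptions) ---
! VLAN 10 = Context1 outside, VLAN 20 = Context1 inside (firewall side),
! VLAN 30 = boundary VLAN (host side). The IDSM-2 bridges 20 <-> 30.
vlan 10
 name Context1-outside
vlan 20
 name Context1-inside-fw
vlan 30
 name Context1-inside-hosts

! Only the firewall-facing VLANs are handed to the FWSM. VLAN 30 is deliberately
! left out of the group so the IDSM-2 is the only path between VLAN 20 and VLAN 30.
firewall vlan-group 1 10,20
firewall module 4 vlan-group 1

! Move the inside devices (not the firewall interface) from VLAN 20 to VLAN 30.
! IP addressing and the default gateway (the FWSM inside address) stay unchanged.
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 30

! IDSM-2 data-port 1 must carry both halves of the inline pair as a trunk.
intrusion-detection module 5 data-port 1 trunk allowed-vlan 20,30
intrusion-detection module 5 data-port 1 autostate include

! Do not create routed SVIs (interface vlan 20 / interface vlan 30) on the
! supervisor for these VLANs: a routed path would let traffic skip the sensor.

! --- FWSM system context: allocate the firewall VLANs to Context1 ---
context Context1
 allocate-interface vlan10
 allocate-interface vlan20
 config-url disk:/Context1.cfg

! --- Checks once the sensor-side pair (vlan1 20 / vlan2 30) has been applied ---
! show intrusion-detection module 5 data-port 1 state
! show intrusion-detection module 5 data-port 1 trunk
! show mac-address-table vlan 30      (host MACs should be seen via the IDSM port)
! On the sensor, review "bypass-mode" under "service interface": "auto" keeps
! traffic flowing if the analysis engine stops, at the cost of uninspected packets.
```

Repeat the VLAN group, host-port move, data-port trunk and context allocation for each production context once the test context behaves as expected.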
Similar Messages
-
Backup or redundant ISP with FWSM and security contexts...
Hello guys,
I am in the middle of a design problem. We have 2 ISPs, and we have a FWSM running multiple contexts. My context that is receiving all the static translations for all my published servers is the one where I want to configure default gateway tracking (so it can go out to an "outside2" interface in case the primary fails) and use the second ISP link for internet access and static NAT. Just the exact way the ASA works.
I am not quite sure it works with FWSM.
Thanks a lot!
emilio
Hello Emilio,
You cannot configure SLA monitoring on the FWSM at this moment.
Maybe in the future this great feature will be added to this modules.
I know the 6500 supports it so you can try to set it up there.
Regards,
Julio -
Problem with Failover FWSM (With Multiple Context)
Dear All,
I have 2 Catalyst 6500s with FWSM modules; the Catalyst and FWSM are redundant. The FWSM is in multiple context mode.
I had done this with the Catalyst 6500, but when I try to add (Admin -> Security and Monitor Devices) the module with the FWSM context, it is always an error.
I add this context in the active context.
This is the error message when I try to add the FWSM on MARS.
The first one;
expect: spawn id exp3 not open
while executing
"expect -nobrace {<--- More --->} {
send_user "\n"
send -- " "
exp_continue
} {assword: } {
s..."
invoked from within
"expect {
"<--- More --->" {
send_user "\n"
send -- " "
exp_continue
"assword: " {
(file "./sshpix7x.exp" line 105)
st_key
the second:
invoked from within
"expect {
"<--- More --->" {
send_user "\n"
send -- " "
exp_continue
"assword: " {
(file "./sshpix7x.exp" line 105)
st_key
and sometime:
spawn ssh -c 3des -l siem-mars 10.x.x.x
Connection timed out
For Information :
The FWSM Firewall Version 4.0(6)
and,
CSMAERS-200
Product Version : 6.0.6 ( 3368 )
Data Package Version : 35
IPS Signature Version : 454
IPS Custom Signature Version : 0
Anyone can help me please...
Thanks b4,
Best Regards,
Naga
Hi Teck Yong Ng,
I am not sure about your problem, but normally what happens when we install two databases on the same host is that there will be a conflict between the ports connecting to the database.
In your case the second system database might also have the same port number which you have for the first system. That is why I think you are facing this issue.
Try to look at the port numbers.
Regards,
Bharath Kumar.K
-
ISDM2 with FWSM configuration example
Hi there,
We're trying to implement IDSM2 in inline mode integrated with the FWSM module. We have two VLANs on the switch: VLAN 30 is responsible for the outside interface of the lab context of the FWSM while VLAN 40 is responsible for the inside interface. How can I implement a correct configuration in order to use IDSM2 to inspect traffic? There are several documents on the net, but I'm really confused by them and none is clear enough.
P.S: At the moment we're using IDSM2 in promiscuous mode with the following configuration:
intrusion-detection module 3 data-port 1 capture
intrusion-detection module 3 data-port 1 capture allowed-vlan 30
Thanks in advance.
The IDSM2 is supported in inline mode, provided that the switch has a Sup720 running 12.2(18)SXE (or later) or a Sup32 running 12.2(18)SXF (or later).
Refer to these links for the configuration docs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliidsm2.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/index.htm -
Is anybody using a WiSM with FWSM on a CAT 6500 switch?
Hi
Is anybody using a WiSM with FWSM on a CAT 6500 switch?
Are there any problems if used?
And how can I set them up to connect to each other?
I have found a document related to it on the Cisco website whose name is Integrating Cisco WiSM and Firewall Service Module.
I have a question concerning it.
Why do I have to make a VRF for them to communicate with each other?
Please let me know.
As far as the FWSM is concerned you can have each of the wireless VLANs come in to the same context of the FWSM and then just add those VLANs to the FWSM as separate VLANs.
-
Question about C6509 with FWSM IDSM
HI,
I'm configuring the FWSM with IDSM, but it doesn't work. I'm using the following commands.
access-list aclips permit ip any any
class-map ips_class
match access-list aclips
policy-map ips_policy
class ips_class
ips inline fail-open
service-policy ips_policy interface outside
Any idea?
Regards
IPSec on FWSM is not supported with or without contexts.
IPSec on ASA is supported in single mode.
IPSec on ASA is not supported in context mode. -
How to configure ldap.ora with multiple ldap contexts
Hello.
My company has recently taken on another environment with its own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora for both LDAP configurations. Are there any good suggestions for either allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default contexts)? Or is there a smooth way to populate 1 LDAP with the other's data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
Some basic info: LDAP is Oracle OID version 10gR2
Please let me know if you have any useful ideas...
Hi,
Here is the list of OVD benefits:
1- Easy to set up and manage via our Management client;
2- Unifies multiple directories into a single access point;
3- Normalizes and unifies multiple directories;
4- Directly accesses remote repositories;
5- Allows a unified view of an entry using data from multiple repositories;
6- Can act as an LDAP proxy and firewall.
Why can you not use OVD to improve these? Read: LDAP to the other LDAP server for queries, allowing you to search both LDAPs?
I hope this helps.
Thiago L Guimaraes -
Hi all,
We are stumped with a problem in our QA Enterprise Portal (7.3.1 Sp7) that throws a portal runtime error when we preview a Business Objects document iview. The Business Objects Server versions are 4.0 SP5 and/or 4.1 SP3.
The error is caught in the defaultTrace file, /usr/sap/QNW/J00/j2ee/cluster/server0/log
[EXCEPTION]
com.sapportals.portal.prt.runtime.PortalRuntimeException: There is no portal component associated with the following context:
pcd:portal_content/com.summit.SES_BI/com.summit.iviews/Daily_Margin
at com.sap.portal.prt.component.PortalComponentContext.<init>(PortalComponentContext.java:93)
Here is what we have tried
* Confirmed the iViews exist in the PCD, by browsing to the content folders and right click, preview on the iView.
* Our PRD and DEV systems work correctly and are on same versions of EP Runtime and java. 7.3.1.7.0.201..
* Occurs with all Businessobjects iviews from the QA portal and all doc types, webis, dashboards. Tried creating new iview.
* Reapplied the com.sap.businessobjects.iviews.templates.epa to the Portal from the BI 4.1 SP3 distribution
* Deleted and recreated the BI portal system connector using the SAP BOBJ system template set path to http://bi-qas:8080/BOE
* Set the embed key value in the BI system connector property and in the custom global.properties file, restarted tomcat and SIA services
* Set permissions for everyone end user on the content folders and the BI system connector
* Confirmed Single sign on configured correctly between BI and Portal
* Confirmed that the QA BI server is configured correctly by directing the working DEV Portal to the QA BI server.
* Performed actions in note 1709737
We are certainly stuck and the defaultTrace file is not very informative. Any suggestions are greatly appreciated
Lee Lewis
This is resolved with note 1615838 - SAP NetWeaver Enterprise Portal 7.3 iView creation with BI 4.0 results in exceptions.
The note includes a file portalapp.xml that needs to be inserted into com.sap.businessobjects.iviews.par, which is included in the BI server distribution.
Then deploy the ear file.....
Odd thing is that the note mentions 4.0 and we are on 4.1 SP3...
Environment
SAP BusinessObjects BI Platform 4.0 SP02 Patch 4 or lower
SAP Netweaver Enterprise Portal 7.3
Lee Lewis -
Adcfgclone.pl with using existing context file
Hi,
I want to clone the application server using an existing context file. Can I run adcfgclone.pl using an existing context file?
What is the syntax?
Is there any issue with using this?
thanks
Actually I want to clone the existing environment of the R12.0.6 application to fix a local inventory issue.
Problem: During the R12.1.3 upgrade I noticed that the local inventory has an issue. The R12.1.3 upgrade was done successfully after a clone of production. When I started the upgrade on production I noticed an issue during the 10.1.3.4 upgrade. That's why I thought if I clone the existing production environment on the same server by using the same context file then the 10.1.3.4 upgrade will run.
I know there is a way to fix the inventory but I don't want to do that, to avoid more issues. Please advise which path is good in such an environment.
Are you referring to the global inventory? If yes, you can simply copy it from the source servers to the target ones.
If the PATHs are different then please refer to:
How to Create a Clean oraInventory in Release 12 [ID 834894.1]
How to find the location of GLOBAL Inventory and LOCAL inventory on R12.x ? Why Some Times, There are Issues With The oraInventory Registration During The Post Clone ? [ID 878717.1]
Thanks,
Hussein -
Hi
The question I have is related to the following setup. WLSM and access points (L3 roaming) incorporated into a 6500 with FWSM. The FWSM is firewalling 2 wireless networks. Access points have a BVI on a separate subnet with subinterfaces on FastEthernet defining VLANs for 2 SSIDs. The BVI subnet has an HSRP address for the default gateway on the access points. The issue is, as part of a security audit it was discovered that wireless clients were receiving HSRP traffic even though they should be completely separate from the rest of the network via the FWSM. Is this normal or am I missing something?
Thanks
In relevance to this issue, you have mentioned that "The FWSM is firewalling 2 wireless networks". So, can you send me the firewall configuration? Also, send me the network topology. These two pieces of information will be really helpful for further analysis.
-
Problem with Portlet Backing Context
Hi,
I am having a problem with Portlet Backing context.
I have one portlet and one JPF associated with this portlet.
Now in the JPF action method I have a Portlet Backing context object; using this object
I tried to get the previous portlet state using portletCtx.getPreviousWindowState().
But it always gives me null.
Can anyone help me out? It's very urgent.
Or can you suggest me any other option to do this....
Thanks,
Vijay Patel
Vijay -
You might want to post this to the Portal newsgroup.
Regards,
Kunal
"vijay patel" <[email protected]> wrote:
>
> Hi,
> I am having a problem with Portlet Backing context.
> I have one portlet and one JPF associated with this portlet.
> Now in the JPF action method I have a Portlet Backing context object; using
> this object
> I tried to get the previous portlet state using portletCtx.getPreviousWindowState().
> But it always gives me null.
> Can anyone help me out? It's very urgent.
> Or can you suggest me any other option to do this....
> Thanks,
> Vijay Patel
-
CSS11000 VIP not communicating with FWSM Vlans
There are two physical servers behind the load balancer. These servers are
in VLAN54
SRV212 - 205.190.54.212
SRV213 - 205.190.54.213
Load Balancer VIP for the above servers - 204.190.54.67
Load balancer keep alive port - TCP 9999
Load Balancer VLAN54 IPaddress - 204.190.54.69
mac address of 204.190.54.69 - 000c.abcd.efgh
ARP entries
=======
The FWSM has a static ARP entry for VIP 204.190.54.67 configured with the MAC address of 204.190.54.69.
204.190.54.67 000c.abcd.efgh
Issue
===
The FWSM is the routed interface (with the L3 gateway) for VLAN54 as well as other server VLANs. VLAN3 is a point-to-point VLAN that connects to another L3 boundary, beyond which are located the end users. These end users are routed via a different L3 gateway and use VLAN3 of the FWSM to reach the server VLANs. The end users routed in different L3 gateways are successfully able to connect to the VIP of the load balancer and hence connect to the application on the keepalive port of 9999 (a simple telnet to 204.190.54.67 on TCP port 9999 is opening).
Server VLANs that are routed via the FWSM (with their default gateways set to the FWSM) are not able to connect to the VIP 204.190.54.67 on port 9999 (a ping or a telnet to 204.190.54.67 on TCP 9999 failed).
Observation
========
Server VLANs that are directly routed on the FWSM cannot communicate with the load balancer VIP 204.190.54.67, whereas L3 boundaries that are beyond the FWSM perimeter can access the VIP (ping and telnet).
Has anyone experienced a similar scenario, and if so, what should I do to make this work?
Regards
CJ
CJ-
Sounds like it's asymmetric; the firewall is not going to appreciate that, and the client will receive a SYN,ACK from the server directly, not the CSS VIP. Try configuring a group like this for testing:
Group TestNAT
add destination service SRV212
add destination service SRV213
vip address 204.190.54.67
active
Regards,
Chris Higgins -
ACE in bridge mode with FWSM as gateway
our design
FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
Originally there were no plans for servers looking to load balance traffic when they wanted to communicate with each other. Now there is a need for this.
Since ACE is in bridge mode, there are no IP addresses configured on its VLANs and it can't do source NAT.
What we want: servers in serverfarm A can contact a single IP which can be load balanced and traffic to be sent to serverfarm B. Both serverfarms reside in VLAN 8 and ACE is in bridge mode. With the VLAN not having an IP, how can we get this working? We were looking to create a policy on ACE with an IP address in VLAN 8 and then do a source NAT to send the traffic to serverfarm 7.
With FWSM as the default gateway, by enabling permit intra traffic, it doesn't work because the command routes the traffic; I don't think it will send the traffic back to the same VLAN.
e.g. static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
So when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM, but the FWSM doesn't look for 10.7.8.13.
With ACE in bridge mode and FWSM doing the above, how do we get around this? Can something be done on ACE in bridge mode with source NAT?
Thanks
First, why don't you have an IP in your ACE VLAN?
Then, for traffic hitting a vip, we can do source nating even in bridge mode.
But if the vip is not an ip in vlan 8, your server will anyway send the traffic to the FWSM and ACE will first bridge the request.
The FWSM should then send the request back to ACE (not sure how this can be done).
So the request from the server will actually hit the vip on vlan 7 (not vlan 8).
So your policy-map with client nat must be on vlan 7.
Another option would be to configure a static route on the server to point the vip to the ACE vlan 8 ip address (which you should have configured).
In this case, the policy-map will have to be in vlan 8 with client-nat.
Gilles. -
Active/active FWSM with asymmetric routing Doc
Trying to find a doc & design guide for active/active FWSM with asymmetric routing support in the data center. The SRND doesn't have an updated version; please let me know if you are aware of one, thanks.
I hope this link will help you
http://cisco.com/en/US/products/hw/modules/ps2706/prod_bulletin0900aecd803ffcca.html -
I've been texting my friend with iMessage with wifi on and all of a sudden it changed to text message and won't let me send messages. My wifi is still on and working but it won't switch back to iMessage. Please help
What I recommend you try doing first is to turn iMessage off then back on. If that doesn't work, make sure that your Apple ID and password are correct. If everything seems correct and you still can't send out messages using iMessage instead of text message, I think you should either try calling AppleCare at 1-800-MY-IPHONE (1-800-694-7466) and/or scheduling an appointment at the Genius Bar at an Apple Store (that is, if there's one close to you).
Hope this helps!