Securely backing up config for ASA
How do you usually store the backup config for your ASA/PIX config so that it's easily accessible, and yet it's secure enough? Do you simply save it to a network drive? Is there a better way to do it? I just like to know the best practice out there. It's because if I save the backup config in a network drive, people may be able to get to it and look at the config file since it's not encrypted. Any recommendation is welcome. Thanks.
We have our configs backed up automatically and they are stored in a database (with security). Why can't you save it to a network drive that has the appropriate permissions? You could also store them in an encrypted virtual drive using something like TrueCrypt.
Hope that helps.
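One way to address the concern in this thread (a plaintext config readable by anyone who can reach the share), shown as an added example that is not part of the original posts: encrypt the backup with a passphrase file before it is copied to the network drive, and verify that it decrypts before the plaintext is removed. The file names, the key-file convention and the sample config are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: encrypt a config backup before it is copied to shared storage.
# Paths, file names and the key-file convention are assumptions.

# encrypt_backup <plaintext-config> <key-file> <dest-dir>
# Writes <dest-dir>/<name>.enc (AES-256-CBC, PBKDF2 key derivation), prints its path.
encrypt_backup() {
    local src="$1" keyfile="$2" dest="$3" out
    [ -r "$src" ] && [ -r "$keyfile" ] || { echo "missing input" >&2; return 1; }
    # Refuse a passphrase file that group or others can access.
    case "$(ls -ld "$keyfile" | cut -c5-10)" in
        ------) ;;
        *) echo "key file permissions too open" >&2; return 1 ;;
    esac
    out="$dest/$(basename "$src").enc"
    ( umask 077   # the ciphertext is created owner-only too
      openssl enc -aes-256-cbc -pbkdf2 -salt \
          -pass "file:$keyfile" -in "$src" -out "$out" ) || return 1
    # Prove the file decrypts back to the original before the plaintext is deleted.
    if ! decrypt_backup "$out" "$keyfile" | cmp -s - "$src"; then
        rm -f "$out"; echo "verification failed" >&2; return 1
    fi
    printf '%s\n' "$out"
}

# decrypt_backup <encrypted-file> <key-file>: plaintext on stdout
decrypt_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1"
}

# Demo on a constructed sample config (not a real device configuration).
demo() {
    local work rc=0
    work=$(mktemp -d) || return 1
    printf 'hostname fw-sample\nenable password EXAMPLE-HASH encrypted\n' \
        > "$work/asa-running.cfg"
    ( umask 077; printf 'constructed-passphrase\n' > "$work/backup.key" )
    encrypt_backup "$work/asa-running.cfg" "$work/backup.key" "$work" || rc=1
    rm -rf "$work"
    return $rc
}
demo
```

`openssl enc` provides confidentiality only, not tamper detection, and the key file should live somewhere other than the share that holds the backups.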
Similar Messages
-
Is netflow supported on the ASA? I have been looking on the net with no luck. Can someone point the way or tell me if this is not possible?
TIA!!
Rick - thanks for your response. It would be nice to see NBAR or Netflow type stats on the ASA, when the ASA is performing VPN functions.
Would syslog or something else give me those type of stats?
Thanks,
Steve -
i try to get back my answer for my security questions but it is not working
You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.
(97524) -
Define Logical Port and Back-End Destinations for ESOA use of this config
Hi,
Please let me know what the use of this config is. I am not able to get any documentation.
Define Logical Port and Back-End Destinations for ESOA
Hi Autobots,
Even I am looking for the same information. Did you get some head start into the matter?
Please provide me with the inputs too.
Cheers
Nikhil -
How to securely back-up my library in iTunes for windows 7
how to securely back-up my library in iTunes for windows 7
Hey JFONT,
Thanks for the question. The following article may assist you in achieving your end goal:
iTunes: Back up your iTunes library by copying to an external hard drive
http://support.apple.com/kb/HT1751
Thanks,
Matt M. -
Does anyone know how to reset your security questions?? I loaded an itunes gift card on new ipod but when trying to make a purchase, itunes is asking us the incorrect security questions?! (for 1st time purchase) I know the questions are not what I chose because I wrote the questions & answers down when setting up the ipod. Any ideas??!!!
Reset Security Questions
Frequently asked questions about Apple ID
Manage My Apple ID
Or you can email iTunes Support at iTunes Store Support.
If all else fails:
1. Go to: Apple Express Lane;
2. Under Product Categories choose iTunes;
3. Then choose iTunes Store;
4. Then choose Account Management;
5. Now choose iTunes Store Security and answer the bullet questions, then click
Continue;
6. Sign in with your Apple ID and press Continue;
7. Under Contact Options fill out the information and advise iTunes that you would
like your security/challenge questions reset;
8. Click Send/Continue.
You should get a response within 24 hours by email.
In the event you are unsuccessful then contact AppleCare - Contacting Apple for support and service.
Another user had success doing the following:
I got some help from an apple assistant on the phone. It is kind of round about way to get in.
Here is what he said to do and it is working for me...
a. on the device that is asking you for the security questions go to "settings" > "store" >
tap the Apple ID and choose view "Apple ID" and sign in.
b. Tap on payment information and add a credit/debit card of your preference then select
"done", in the upper right corner
c. sign out and back into iTunes on the device by going to "settings" > "store" > tap the
Apple ID and choose "sign-out" > Tap "sign-in" > "use existing Apple ID" and you
should be asked to verify your security code for the credit /debit card and NOT the
security questions.
d. At this time you can remove the card by going back in to edit the payment info and
selecting "none" as the card type then saving the changes by selecting "done". You
should now be able to use your iTunes store credit without answering the security
questions.
It's working for me ...I just have to put in my 3 digit security pin from the credit card I am using.
Good Luck friends! -
I would like to know if I could use the security backup from my old BlackBerry Curve to restore all the info I had on that one on my new one. Cannot perform the switch function 'cause I don't have the old one, just its backup file.
thanks
You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.
They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
(114957) -
I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in case of guest Access getting a URL redirect with User Acceptance Page (Wired Guests and not wireless).
My question here is, Do we need to configure http and https server on the switches (both supplicant and authenticator)?
I am sure it will need but just wanted a confirmation..
I have checked the configuration for supplicant and Authenticator switches for ISE and it has no where mentioned that part of the config.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a problem of URL redirection and possible cause is mentioned) ------- makes me sure that the config is needed.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html
(config of supplicant and authenticator switch) ---- nowhere mentioned of the http/https config for both switches.
Yes, it's needed. The http/s server within the switch is used to grab the http user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal.
ip http server
ip http secure-server
The info below I grabbed from Cisco ISE for BYOD and secure unified access book.
"Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management interface and control plane of a switch. This may be accomplished by running the following two commands from global configuration mode:
ip http active-session-modules none
ip http secure-active-session-modules none" -
Apple store worked great, now it keeps telling me that I need to verify payment info and my security code is invalid for my card... The card is current? What's going on?
Did you enter the last three digits on the back of the card for Visa or Master or the 4 digit # on the front of Amex?
-
Creating syslog report on a separate server for ASA 5555-x
hello all,
how do we create syslog report for ASA to dump in a separate physical server?
thanks
Hello,
You mean send syslog messages to an external database?
If that's the case it should be
logging enable
logging host name_if IP_address
logging trap 7
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at [email protected]
Cheers,
Julio Carvajal Segura -
Alternative to set "java.security.auth.login.config" ?
In all examples of using JAAS, it uses the following way.
System.setProperty("java.security.auth.login.config", fileName);
Is there a way I can specify the policies in code, not in a file? That way I don't have to worry about file permissions.
p.s. Thanks for Seema-1 who answered my last question.
Message was edited by: maqiang9111
Has anyone done the same thing for the java.security.krb5.conf setting? I tried setting it using the same form of URL that I use for java.security.auth.login.config, and I get this error when the kerberos code attempts to use it:
Could not load configuration file jar:file:\C:\dev\workspace\myapp\client-data.jar!\krb5.ini (The filename, directory name, or volume label syntax is incorrect)
The corresponding login context conf file in the same jar loads fine. -
Best Log Setting for ASA & MARS
Hi,
I'm going back and trying to clean up our MARS install a little bit now that I have some time. I need to update MARS to the latest version, but right now I'm just trying to wade through some of the undefined logs coming from our ASA. Is there any guideline as to what the best log settings are to use coming from the ASA for MARS? Right now it looks like everything is set up to be forwarded. Anyone have any suggestions for what they have their log settings at to capture the best amount of information, but not have to wade through everything else?
Thanks
Which syslogs are these specifically? We don't get any undefined events from our FWSM(s)? We get plenty from the Netscreen (but AFAIR this is documented on CCO) that the support is not 'complete' as of yet.
The recommended level for ASA/PIX as per the Cisco Guide and 'many' discussion on Cisco MARS User Group is 'debugging'. Under normal operation not a lot of level 7 messages are generated.
Regards
Farrukh -
New Type of Firewall Config (for me)
OK - this is a different type of config for me so I am reaching out for some advice / help. I manage many cisco asa 5520's and I am in the process of converting one asa from a block of 30 outside addresses of to a 50 Meg Cox cable modem with a block of 30 cidr addresses.
Normally I would just reference an outside address and bingo, things would work right. In this case I found out so far that I could only get internet access through this cable modem by setting up the outside interface of the asa with dhcp - then it grabbed a public wan address, added a route to the asa 5520 and then I had internet access out through the cable modem.
My question / problem / nuance to me is when I reference / assign one of our cidr addresses to a device (like a server) and that is natted from the dmz to the outside address I don't get access to the device.
I'm thinking I have to do something special to set up these cidr addresses but having never done this before I am reaching out for some advice.
my outside dhcp assigned wan address is 70.168.x.1xx with a gateway of 70.168.x.1
The cidr block I have been assigned from the cable company is
184.185.x.x/27
The cable company also has suggested a default gateway address within the cidr block and a first usable and last usable address.
I must say that I usually look to over complicate things by thinking things are more difficult than they really are.
Can anyone get me pointed in the right direction so I know how to assign these cidr addresses and have them accessible from the outside???
Thanks in advance
Paul
Hi,
So from what I understand you should have your own public IP address range of /27 usable through your current connection. Yet it only works with setting the ASA outside to use DHCP and doesn't work when you statically assign an IP address from the /27 address range and set the default route.
If the above is the case I'm kinda wondering why you are even getting IP address with DHCP from the ISP if you are supposed to have your own public address block.
You sure the ISP has its side configured correctly?
- Jouni -
Hi all
I have configured ASA firewall for command authorization with ACS. For users with privilege level 15 it is working fine. But when I log in with users with privilege level 0, first when I enter the username and password, it enters into enable mode. But after that when I put the enable password, it is not working. Password is not working. I configured to use the same PAP password option in the ACS enable section for the user. Also, is it possible in ASA that when a user enters username and password, he could directly log into the exec mode rather than enable mode, and assign privilege for the user as configured in the ACS user configuration?
Thanks in advance
Anvar
Hi Dan
I have already configured enable password using tacacs+. Please find my aaa config on ASA
aaa authentication telnet console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication serial console LOCAL
aaa authorization command TACACS-SERVER LOCAL
aaa accounting telnet console TACACS-SERVER
aaa accounting command TACACS-SERVER
aaa accounting ssh console TACACS-SERVER
regards
anvar -
I need help configuring a connection with asdm 5.2 for asa
Hi All
I am very much a novice with asdm 5.2 for asa and I urgently need to configure a connection but don’t know how to. I have 2 domains at work and someone is trying to connect their sql client from their pc in one domain to the sql server in the other domain (DMZ).
When he tries to connect he gets the error
Cant connect to MySql Server at "IP Address" (10060)
He is trying to connect on port 3306. Could anyone please give me any tips on how I can resolve this quickly? I know I am trying a shortcut on this one but I recently started a new job and was thrown in the deep end here and need to learn this asdm 5.2 for asa product from scratch with nothing more than the manual that came with the CD. My Cisco knowledge is from 2001 when I did half of a CCNA course.
Any help would be greatly appreciated
Hi,
I'm not a security specialist but here is how I had it set up at home:
Essentially a NAT and a rule forwarding the port are needed. In this particular case I had an Oracle server running and a person requested remote access. So, for example, the source address was his external IP and the destination was the Oracle's external IP. For the NAT the source was the internal IP of the Oracle server and the interface was Outside.
Hope this points you in the right direction.