SSM40 and ASA Config
Hello,
I put an SSM40 into production in our ASA last week, in promiscuous mode initially, to determine what the device is seeing inbound through the ASA. So far it isn't reporting anything, which I suspect isn't correct. This is what I have for a config on the ASA, and it appears that packets are making it to the module. Is this correct?
ASA Config to divert traffic to the IPS
access-list IPS permit ip any any
class-map PPI-IPS-CLASS
match access-list IPS
policy-map PPI-IPS-POLICY
class PPI-IPS-CLASS
ips promiscuous fail-open
service-policy PPI-IPS-POLICY interface inside
service-policy PPI-IPS-POLICY interface outside
sho service-policy
Global policy:
Service-policy: global_policy
Interface Inside:
Service-policy: PPI-IPS-POLICY
Class-map: PPI-IPS-CLASS
IPS: card status Up, mode promiscuous fail-open
packet input 0, packet output 18253556, drop 0, reset-drop 0
Interface Outside:
Service-policy: PPI-IPS-POLICY
Class-map: PPI-IPS-CLASS
IPS: card status Up, mode promiscuous fail-open
packet input 0, packet output 2202573, drop 0, reset-drop 0
The only event the IPS is reporting is the following:
time: Apr 22, 2013 12:45:01 UTC offset=-300 timeZone=CDT
errorMessage: No installable auto update package found on server name=errSystemError
time: Apr 22, 2013 12:45:01 UTC offset=-300 timeZone=CDT
errorMessage: No installable auto update package found on server name=errSystemError
So, what have I configured incorrectly, or is this just normal for promiscuous mode?
It looks correct.
You can try enabling the ICMP Echo Request signature and watch it fire on pings to test your setup.
You'll need to add ICMP to your IPS access-list.
- Bob
http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html#wp1046877
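The counters in the thread above are the only evidence that diversion is working, so they are worth reading carefully. In promiscuous mode the ASA copies each matching packet to the module and does not wait for anything to come back, so `packet output` grows while `packet input` stays at 0; only in inline mode does the module hand packets back and `packet input` climb. The `fail-open` keyword decides what the ASA does with matching traffic if the module goes down, nothing more. Note also that `permit ip any any` in the IPS access-list already matches ICMP, so no extra entry is needed for the ping test. As an added check, not part of the original thread and not a Cisco tool, this Python parses `show service-policy` output of the shape posted above and reports, per interface, whether the counters are consistent with the configured mode. The sample output is constructed from the figures in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the 'sho service-policy' output in the thread
# (interface names, modes and counters copied from the post).
SAMPLE_SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
Interface Inside:
  Service-policy: PPI-IPS-POLICY
    Class-map: PPI-IPS-CLASS
      IPS: card status Up, mode promiscuous fail-open
        packet input 0, packet output 18253556, drop 0, reset-drop 0
Interface Outside:
  Service-policy: PPI-IPS-POLICY
    Class-map: PPI-IPS-CLASS
      IPS: card status Up, mode promiscuous fail-open
        packet input 0, packet output 2202573, drop 0, reset-drop 0
"""

@dataclass
class IpsStatus:
    interface: str
    card_status: str   # "Up" / "Down"
    mode: str          # "promiscuous" or "inline"
    fail_mode: str     # "fail-open" or "fail-close"
    packet_in: int     # packets handed back by the module
    packet_out: int    # packets the ASA sent (inline) or copied (promiscuous) to the module
    drop: int
    reset_drop: int

IFACE_RE = re.compile(r"^Interface (\S+):")
IPS_RE = re.compile(r"IPS: card status (\S+), mode (\S+) (fail-\w+)")
CNT_RE = re.compile(r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")

def parse_service_policy(text):
    """Extract one IpsStatus per interface that carries an IPS action."""
    statuses, iface, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = IPS_RE.search(line)
        if m and iface:
            pending = (iface, m.group(1), m.group(2), m.group(3))
            continue
        m = CNT_RE.search(line)
        if m and pending:
            statuses.append(IpsStatus(*pending, *map(int, m.groups())))
            pending = None
    return statuses

def assess(s):
    """Return (healthy, explanation) for one interface."""
    if s.card_status.lower() != "up":
        return False, f"{s.interface}: module is {s.card_status}; {s.fail_mode} now decides whether traffic passes"
    if s.packet_out == 0:
        return False, f"{s.interface}: nothing diverted to the module, check the class-map/access-list match"
    if s.mode == "promiscuous":
        # Copies go to the module and nothing comes back, so input 0 is the normal state.
        return True, f"{s.interface}: promiscuous, {s.packet_out} packets copied to the module (input 0 is expected)"
    if s.packet_in == 0:
        return False, f"{s.interface}: inline, {s.packet_out} packets sent but none returned by the module"
    return True, f"{s.interface}: inline, in={s.packet_in} out={s.packet_out} drop={s.drop}"

if __name__ == "__main__":
    for st in parse_service_policy(SAMPLE_SHOW_SERVICE_POLICY):
        print(assess(st))
```

Run it against the real output on a schedule and alert on any `False`: `packet output` stuck at 0 means the class-map is not matching, and a card status other than Up means the fail-open/fail-close keyword, not the IPS, is now deciding what passes.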
Similar Messages
-
Backup tool for ASA config?
Hi,
We are using Solarwinds Kiwi backup tool to backup our ASA configs, however it has hit a bug which they are looking into as it only backs up half of the config. While they search for a fix does anyone know of another free tool I can use to schedule backups of our ASA?
Thanks
Hi Bro,
You could look into some freeware tools out there in the market such as Cisco SNMP Tool v2.5 and WinAgents HyperConf. Good luck.
P.S.: If you think this comment is useful, please rate it nicely :-) -
Inside I have 2 networks: 10.10.x.x and a 10.199.x.x
My ASA interfaces was the following:
E0/0 Public IP
E0/1 10.199.1.2/24
E0/2 10.10.144.47/22
I put a checkpoint in front of the ASA and changed to the following:
Checkpoint Ext. 10.10.144.47/22
Checkpoint Int. 192.168.1.1/30
ASA E0/1 10.199.1.2/24
ASA E0/2 192.168.1.2/30
Now I am having trouble talking between the networks 10.199.x.x and 10.10.144. x
I have attached ASA config.
Thanks in advance for any help provided.
Hi,
So if I am reading this correctly, the "insideNOV" interface leads to the Checkpoint, which has the other LAN network behind it?
The interface ACL for the interface is not really clear to me as it contains a lot of "name" and "object-group" references which are not mentioned. It seems though that on multiple occasions you have referenced the NOV network as the destination. Should this not be the source network as that network is located behind that interface?
Also with regards to the routing you have only shared your Default Route in the configuration.
Do you have a route for the NOV network towards "insideNOV" ?
route insideNOV 10.10.144.0 255.255.252.0 192.168.1.1
Does the Checkpoint have the appropriate routing and other configurations to allow the traffic?
- Jouni -
Does anyone know of a way to automatically backup an ASA config using SNMP or some other method?
Thanks
Frank
Yeah, you can back it up via TFTP without an authentication challenge - that's not a problem. You can even build an ACL to limit the IP addresses that can perform a TFTP GET against the ASA (to pull the config). There are a number of scripts and tools that make backups of ASAs & PIXs using TFTP (or you could just modify the script I published, depending on your comfort level in Expect).
The problem I had in my situation is that I couldn't trust the path to the device, and in the case of TFTP it can be vulnerable to a MITM. As you probably already know, once someone gets your device config in its entirety they can plan an attack on the device that is likely to succeed.
Keeping credentials in a file is not desirable, but out of all the systems used to perform the backup, the host running the script was the one I trusted the most. There are ways to really secure that using tools (in both Expect and shell scripts) to convert the credentials to a hash that is decrypted only when the script is run; I just haven't tied that in with my script yet. -
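Two of the posts above touch the same problem from different sides: the Kiwi question (a tool that silently saves half the config) and Frank's reply (a config is a complete map of the device, and TFTP hands it over in clear text). As an added example, not from either post, the Python below post-processes a captured `show running-config`: it refuses a truncated capture (this assumes the capture ends with the `: end` marker that `show running-config` prints on the ASA), drops the `: Saved` / `: Written by` header lines so two identical configs produce the same SHA-256, and redacts the secret-bearing lines before the copy is stored or shared. The sample config and every secret in it are constructed; the command forms are the ones that appear on this page plus `enable password`, `passwd` and `username ... password`.

```python
import hashlib
import re

# Constructed sample of a 'show running-config' capture. All secrets below are made up;
# the command forms are the ones seen on this page plus enable/username/passwd lines.
SAMPLE_RUNNING_CONFIG = """\
: Saved
: Written by enable_15 at 12:01:02.123 CDT Mon Apr 22 2013
!
ASA Version 8.2(5)
!
hostname fw01
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
username admin password e1NzZ2Yt3xZ3rRXY encrypted privilege 15
snmp-server host management 10.1.1.5 community publ1c version 2c
tunnel-group 203.0.113.7 ipsec-attributes
 pre-shared-key s3cr3tkey
aaa-server ISE (inside) host 192.0.2.10
 key 123456789
access-list IPS extended permit ip any any
: end
"""

# Header/trailer lines that carry no configuration and change between saves.
VOLATILE_PREFIXES = (": Saved", ": Written by", "Cryptochecksum:")

# Each pattern captures the prefix to keep; the token after it is the secret.
SECRET_PATTERNS = [
    re.compile(r"^(\s*enable password )\S+"),
    re.compile(r"^(\s*passwd )\S+"),
    re.compile(r"^(\s*username \S+ password )\S+"),
    re.compile(r"^(\s*snmp-server host \S+ \S+ community )\S+"),
    re.compile(r"^(\s*snmp-server community )\S+"),
    re.compile(r"^(\s*pre-shared-key )\S+"),
    re.compile(r"^(\s*key )\S+"),
]

class IncompleteConfig(ValueError):
    pass

def is_complete(text):
    """Assumption: a full capture ends with the ': end' marker that show running-config prints."""
    lines = text.splitlines()
    return bool(lines) and lines[-1].rstrip() == ": end"

def normalize(lines):
    return [l for l in lines if not l.startswith(VOLATILE_PREFIXES)]

def redact(lines):
    out = []
    for l in lines:
        for pat in SECRET_PATTERNS:
            m = pat.match(l)
            if m:
                l = m.group(1) + "<redacted>" + l[m.end():]
                break
        out.append(l)
    return out

def fingerprint(lines):
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def process_backup(text):
    """Return (redacted copy for sharing, SHA-256 of the full normalized config for drift detection)."""
    if not is_complete(text):
        raise IncompleteConfig("capture is truncated: ': end' marker missing")
    lines = normalize([l.rstrip() for l in text.splitlines()])
    return redact(lines), fingerprint(lines)

if __name__ == "__main__":
    redacted, digest = process_backup(SAMPLE_RUNNING_CONFIG)
    print(digest)
    print("\n".join(redacted))
```

Compare the returned fingerprint with the previous run's to spot unexpected changes, keep the unredacted copy only on the backup host and encrypted at rest, and pull the config over SSH rather than TFTP so that the trust in the path Frank describes becomes much less of a concern.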
HP NNM and ASA discovery.
Hi
I am not able to see Firewall ASA 5585 links to our HP network node manger.
The ASA is in multiple-context mode (2 contexts), with a port-channel to two different Nexus 7Ks (vPC).
The ASA config is also attached here. NNM can discover the ASA via the management interface but does not show the data link between the ASA and the Nexus. I am not too sure if NNM is confused due to vPC or the firewall's multiple-context mode?
fw01/admin# sh running-config snmp-server
snmp-server host management 1.x.x.x community **** version 2c
snmp-server host management 1.x.x.x community **** version 2c
snmp-server location Slv
snmp-server contact [email protected]
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps memory-threshold
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
I'm having a similar problem, so I decided to call support.
Separate issue: it took over 30 minutes to talk to someone who could talk about tablets. I had to talk to two different people (giving my name, email, phone number, serial number both times!) before I reached a third person.
I was quite disappointed to hear that the inability to reach 100% is actually part of some sort of battery saving feature. Once the battery gets to 96%, it'll just stop. I asked the tech several times - so there's no way to get to 100% reliably?
It's all part of how new tablets work these days. I said - you mean HP tablets? Because literally none of my devices have this problem.
I'm strongly considering returning this device considering this "feature" and all around terrible support experience. -
What is the difference between ADF Task Flow and Faces-Config - when deploying?
What is the difference between ADF Task Flow and Faces-Config? When I create navigation between pages with an ADF task flow, the navigation doesn't work when I deploy my application to WebLogic 10.3. When I use the default server, navigation works fine. With faces-config, in both situations all works OK - on the standalone server and the default one.
Where is the problem?
Best regards!
Shay, I don't use both faces-config and ADF task flow! When I failed with the task flow I tried faces-config.
I have active on my weblogic - adf.oracle.domain(1.0,11.1.1.0.0). This is the right ADF? If yes then where is the problem?
Best regards! -
VPN with Cisco 877 and ASA 5505
Hi Experts
this is my scenario :
remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
I would like to allow remote users to connect to my LAN to check their mail and work as if they were in the office. Actually I have configured the Cisco 877 as VPN server and this is working fine, but now I'm trying to use the ASA with the router because it permits 25 connections at the same time.
I'm connected to the Internet using a public ISDN IP. I have heard that I need a second IP address for the ASA, and that the ASA must act as VPN server and the router as client. Is that right?
If I need to configure the link between the router and the ASA, how can I do it? I can't find any document or example on the net :/
Please, I need your support to make this dream real lol.
I will post my configuration step by step following your help.
Many thanks.
The ASA needs a public IP address, that is for sure, and also the ASA acts as the VPN server. The client will be remote, not the router. For that you can use any Ethernet. Trying to make a remote VPN connection via the Cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.
-
Is it possible to import and export Config Tool configuration from one system to another?
Hi All,
Is it possible to import and export the Config Tool configuration from one system to another system (QUS/PRD), for a specific service?
Kindly let me know the pros and cons of it and the step-by-step process.
Thanks a lot for your time.
Thanks
AB
Yes... It is certainly possible, but then you would need to bring the OS-level J2EE file structure as well, and there are lots of changes at OS level in the *.properties files and then at configtool level changes related to hostname, system numbers, port numbers etc.
This is not that difficult, and not impossible either, if you do it very carefully. Please note that SAP DOES NOT SUPPORT THIS METHOD.
Alternatively, you can use sapinst to export/import the J2EE filesystem from source to target, which in turn would require a configtool export/import and then changes at configtool level.
Do let us know your requirement so that we could help you in case you are facing any issues.
cheers !!!
Ashish -
hello,
Could anyone please post a screen capture of the ISE posture configuration (and remediation)?
I urgently need a dACL and a redirection ACL that work at least in a mock-up lab.
Authentication and authorization policies are not needed.
Posture and remediation policies are not needed.
The issue is about ACLs (I guess).
Also needed is a valid switch config file, with the ACL (if necessary) at the dot1x Ethernet port.
My IOS is 12.2(55)SE or 12.2(52)SE.
Thank you in advance.
Best regards.
V.
Hi Venkatesh,
You're the ultimate ISE Guru!!
You're right.
Thanks a lot.
See screen captures and switch config below
aaa new-model
aaa group server radius ISE
server 192.168.6.10 auth-port 1812 acct-port 1813
server 192.168.6.10 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network auth-list group ISE
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
client 192.168.6.10 server-key 123456789
ip dhcp snooping
ip device tracking
dot1x system-auth-control
dot1x critical eapol
interface FastEthernet1/0/1
switchport mode access
ip access-group ACL-ALLOW in
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny udp any host 192.168.6.10 eq 8905
deny udp any host 192.168.6.10 eq 8906
deny tcp any host 192.168.6.10 eq 8443
deny tcp any host 192.168.6.10 eq 8905
deny tcp any host 192.168.6.10 eq www
permit ip any any
snmp-server community snmp RO
snmp-server community RO RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.6.10 public
snmp-server host 192.168.6.10 version 2c snmp mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
radius-server vsa send accounting
radius-server vsa send authentication
V. -
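The confusing part of the posture setup above is the redirect ACL, and it confuses because its logic is inverted relative to a filtering ACL: the `permit` entries are the traffic the switch redirects to the ISE portal, the `deny` entries are exempt and pass normally. That is why DNS and the ISE node's own ports (80, 8443, 8905, 8906) are denied first; a client that cannot resolve names or reach the portal and the posture agent never gets out of the redirect. (The SNMP community strings and the RADIUS key in the posted config are lab values; replace them before anything like this reaches production.) As an added example, not from the post, the Python below parses ACL-POSTURE-REDIRECT exactly as posted and answers, for a given flow, whether it would be redirected. It handles `any`, `host` and wildcard addresses and the `eq` port keywords that appear in the ACL; the flows it is run against are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80}   # keywords used in the posted ACL

# Redirect ACL copied from the switch config in the post above.
ACL_POSTURE_REDIRECT = """\
deny udp any any eq domain
deny udp any host 192.168.6.10 eq 8905
deny udp any host 192.168.6.10 eq 8906
deny tcp any host 192.168.6.10 eq 8443
deny tcp any host 192.168.6.10 eq 8905
deny tcp any host 192.168.6.10 eq www
permit ip any any
"""

@dataclass
class Ace:
    action: str                    # "permit" (redirect) or "deny" (exempt)
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard mask; ipaddress accepts it as a hostmask
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, dst = _addr(rest), _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def first_match(aces, proto, src_ip, dst_ip, dport):
    """IOS evaluates top-down, first match wins; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None

def is_redirected(aces, proto, src_ip, dst_ip, dport):
    """For a redirect ACL, permit = send to the portal; deny or no match = pass through untouched."""
    ace = first_match(aces, proto, src_ip, dst_ip, dport)
    return ace is not None and ace.action == "permit"

if __name__ == "__main__":
    acl = parse_acl(ACL_POSTURE_REDIRECT)
    for flow in [("udp", "192.168.6.50", "192.168.6.1", 53),
                 ("tcp", "192.168.6.50", "192.168.6.10", 8443),
                 ("tcp", "192.168.6.50", "198.51.100.20", 80)]:
        print(flow, "redirected" if is_redirected(acl, *flow) else "exempt")
```

One consequence worth checking with this evaluator: the posted ACL exempts 8443 on 192.168.6.10 but not 443, so a browser that reaches the ISE node on 443 is redirected like any other web traffic.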
Hello my friends,
I have been trying to establish VPN connectivity between IOS cisco router and ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
Here are my configuration commands:
Router:
crypto isakmp policy 20
encryption 3des
auth pre-share
hash md5
group 2
crypto isakmp key XXX address 103.252.AAA.AAA
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 5 ipsec-isakmp
set transform 3DES-MD5
match address VPN
set peer 103.252.AAA.AAA
ip access-list extended VPN
permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
ASA commands:
sysopt connection permit-vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
tunnel-group 203.167.BBB.BBB type ipsec-l2l
tunnel-group 203.167.BBB.BBB ipsec-attributes
pre-shared-key XXX
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map VPN 10 set transform-set 3DES-MD5
crypto map VPN 10 match address LIST
crypto map VPN 10 set peer 203.167.BBB.BBB
crypto map VPN interface outside
Do you have any idea what is wrong? Thank you a lot in advance.
I managed to get this from the show crypto ipsec sa:
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
And details from show crypto session detail
Interface: GigabitEthernet0/1
Session status: DOWN
Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0 -
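Reading the two snippets side by side, the proposals agree: 3DES, MD5 and pre-shared keys on both ends, the router's `group 2` matches the ASA's default DH group for an IKEv1 policy, the transform sets are identical, and the crypto ACLs are mirror images. What the post does not show is the router's crypto map being applied under an interface (`crypto map MAP` in interface configuration) or `crypto isakmp enable outside` on the ASA (`crypto ikev1 enable outside` from ASA 8.4 onward), and the `show crypto session` output (status DOWN, `Phase1_id: (none)`) is what you see when IKE never starts. Whether those lines exist and were simply left out of the paste, only the poster can say. As an added example, not from the post, the Python below automates that comparison: it parses the two configs as posted, checks ISAKMP policies, transform sets and proxy ACL symmetry, and reports which activation commands are absent from the text. The platform defaults it assumes for the DH group (IOS 1, ASA 2) are the documented ones; confirm them for your release. While there, note that 3DES, MD5 and DH group 2 are legacy choices; where both ends support it, prefer AES, SHA-2 and a larger group.

```python
import ipaddress
import re

# Both snippets copied from the post above, addresses masked as the poster masked them.
ROUTER_CFG = """\
crypto isakmp policy 20
encryption 3des
auth pre-share
hash md5
group 2
crypto isakmp key XXX address 103.252.AAA.AAA
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 5 ipsec-isakmp
set transform 3DES-MD5
match address VPN
set peer 103.252.AAA.AAA
ip access-list extended VPN
permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
"""

ASA_CFG = """\
sysopt connection permit-vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
tunnel-group 203.167.BBB.BBB type ipsec-l2l
tunnel-group 203.167.BBB.BBB ipsec-attributes
pre-shared-key XXX
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map VPN 10 set transform-set 3DES-MD5
crypto map VPN 10 match address LIST
crypto map VPN 10 set peer 203.167.BBB.BBB
crypto map VPN interface outside
"""

KEYS = ("encryption", "hash", "authentication", "group")
ALIASES = {"encr": "encryption", "auth": "authentication"}   # IOS abbreviations

def isakmp_policies(cfg, default_group):
    """One dict per 'crypto isakmp policy'; an unset group takes the platform default."""
    policies, cur = [], None
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            cur = dict.fromkeys(KEYS)
            cur["group"] = default_group
            policies.append(cur)
            continue
        key = ALIASES.get(tok[0], tok[0])
        if cur is not None and key in KEYS:
            cur[key] = tok[1]
        elif key != "lifetime":
            cur = None                      # any other command closes the policy block
    return policies

def transform_sets(cfg):
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", cfg)}

def proxy_pairs(cfg):
    """(src, dst) of each explicit 'permit ip net mask net mask' entry; ipaddress reads wildcard and netmask alike."""
    return {(ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}"))
            for m in re.finditer(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)}

def check_tunnel(router_cfg, asa_cfg):
    findings = []
    # Documented defaults: IOS ISAKMP group 1, ASA IKEv1 policy group 2 (verify for your release).
    r_pol, a_pol = isakmp_policies(router_cfg, "1"), isakmp_policies(asa_cfg, "2")
    if not any(rp == ap for rp in r_pol for ap in a_pol):
        findings.append(f"no matching ISAKMP policy: router={r_pol} asa={a_pol}")
    if not set(transform_sets(router_cfg).values()) & set(transform_sets(asa_cfg).values()):
        findings.append("no common IPsec transform set")
    if {(d, s) for s, d in proxy_pairs(router_cfg)} != proxy_pairs(asa_cfg):
        findings.append("crypto ACLs are not mirror images")
    if not re.search(r"^\s*crypto map \S+\s*$", router_cfg, re.M):
        findings.append("router: crypto map not applied under any interface")
    if not re.search(r"^crypto map \S+ interface \S+", asa_cfg, re.M):
        findings.append("asa: crypto map not bound to an interface")
    if not re.search(r"^crypto (isakmp|ikev1) enable \S+", asa_cfg, re.M):
        findings.append("asa: ISAKMP not enabled on the outside interface")
    return findings

if __name__ == "__main__":
    for f in check_tunnel(ROUTER_CFG, ASA_CFG) or ["no mismatches found"]:
        print(f)
```

Against the posted text it reports exactly the two missing activation commands and nothing else; change `hash md5` on one side and the ISAKMP mismatch shows up instead, which is the quickest way to tell a proposal problem from a "never applied" problem before reaching for `debug crypto isakmp`.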
Hi,
Why do we need to specify the role provider and membership provider in the Central Admin and security config files?
thanks,
gaurav
We use 3 settings in forms-based auth:
1 Membership = This contains users and groups information. (This table also has username and password.)
2 ConnectionString = Connection details to connect to the database are stored here (servername, databasename, username, password, port).
3 Role = This table contains all the roles (Admin, contributor, etc.) of the data source. -
Location of MTA and POA config files:
Hello. I'm reading an article from cool tools by Kiril Stankov regarding
moving a groupwise database to a new volume or server. In step 4 he says
if you are moving data between servers make sure to copy the POA, MTA,
WAA and GWIA config files. The only one I can find is the gwia.cfg. I
looked under SYS:\system for the others and can't find them anywhere.
Thanks
> What's in grpwise.ncf?
>
> It should be something like
>
> LOAD SYS:\SYSTEM\GWPOA @POA.POA
> LOAD SYS:\SYSTEM\GWMTA @MTA.MTA
LOAD SYS:\SYSTEM\GWPOA @CTCPO.POA
LOAD SYS:\SYSTEM\GWMTA @CTCMAIL.MTA
> the files you want are the ones after the @ sign, and they should be in
> the directory referred to in the load bit, in this case sys:\system
Ok. So I can, in my case anyway, just copy my SYS directory over if I choose to.
> Cheers Dave
>
>
> --
> Dave Parkes [NSCS]
> Occasionally resident at http://support-forums.novell.com/ -
How to save column widths in tag monitor and tag config editor?
how to save column widths in tag monitor and tag config editor?
The attached example may help.
After launching the editor, I locate a reference to the front panel control named "Tag List".
This is type cast as a multicolumn list box which then allows me to increment through all of the cells and set the widths as i go.
Trying to help,
Ben
Ben Rayner
I am currently active on.. MainStream Preppers
Rayner's Ridge is under construction
Attachments:
Set_Width2.vi 60 KB
SET_WIDTH.JPG 94 KB -
Cannot Read From Registry - Need to save and load config
I have code the I have tested in other programs. I cannot read or write to the registry from a plugin. Any ideas?
Any suggestions for the best way to save and load config information?
Thanks!!!
Hi Srikanth,
Thank you for responding.
I had a problem on one material. So deleted the request and Reload it from PSA. That issue got solved.
And now the problem is, my senior is saying to delete the data from April-09 till date and reload it. The issue is my CUBE (ZSD_C03) is updated with 4 data sources: 2LIS_11_V_ITM, 2LIS_13_VDITM, 2LIS_12_VCHDR, 2LIS_11_VAITM.
And I need to delete data from 2LIS_13_VDITM data source . How Can I proceed for the current issue ?
Please suggest ...
Thank you ,
Utpal -
Managed bean in both adfc-config.xml and faces-config.xml file
hi,
I can see that it's possible to declare a managed bean in both the adfc-config.xml and faces-config.xml files.
Is there any difference? Which one is recommended?
Read here - http://www.jaypillai.com/tag/adf/
but it's still not clear.
Thanks.
Hi.
As you know, ADF is a framework based on JSF.
In faces-config.xml you define general application managed beans. It lets you define managed beans for the whole application using the JSF default scopes (application, session, request).
In adfc-config.xml you define general application managed beans using ADF scopes. It means that you can use the JSF default ones and also "view, pageFlow and backing".
My recommendation is to use only one entry point for your general managed beans. Use adfc-config.xml because it allows you to use more scopes.
Regards.