Tools used to monitor Cisco ASA

Hi all,
I just rolled out a Cisco ASA 5540 and use it as an SSL VPN concentrator.
Can I know what tools you use to monitor the Cisco ASA, e.g. the account with the most login attempts, the number of failed attempts, etc.?
TIA!

You can look at Cisco Prime Collaboration Assurance if you're willing to upgrade to 10.0; they have started providing a free Standard license. They of course hope to upsell you to Advanced but the goal is for Standard to be an alternative to RTMT. There are also a plethora of ecosystem partners with product offerings in the Developer Marketplace.
Please remember to rate helpful responses and identify helpful or correct answers.
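The original question (which accounts are logging in most, how many attempts fail) is answered by the ASA's own syslog stream rather than by a voice-monitoring product, and the reply above does not show how to read it. The following is an added example, not code from the thread or from Cisco: it parses ASA AAA authentication messages (IDs 113004, 113005 and 113015) and aggregates them per account and per source IP. The sample log lines are constructed for illustration, with an invented hostname and documentation-range addresses; the field order in these messages varies slightly between ASA releases, so the parser reads `name = value` pairs instead of fixed positions.

```python
"""Summarise Cisco ASA AAA syslog events per account and per source address.

Added example, not code from the original thread. The log lines below are
constructed for illustration: they follow the shape of ASA message IDs
113004 (AAA authentication successful), 113005 (AAA authentication
rejected) and 113015 (rejection by the local user database), with a made-up
hostname and documentation-range IPs. Field order differs between ASA
releases, so fields are read as 'name = value' pairs rather than by position.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
<165>Jan 10 10:01:02 asa5540 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.10
<165>Jan 10 10:01:09 asa5540 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.10
<165>Jan 10 10:01:15 asa5540 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = bob
<165>Jan 10 10:02:30 asa5540 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 198.51.100.7
<165>Jan 10 10:02:31 asa5540 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = root : user IP = 198.51.100.7
<165>Jan 10 10:02:33 asa5540 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
<165>Jan 10 10:05:00 asa5540 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
<165>Jan 10 10:05:01 asa5540 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/4433 (203.0.113.10/4433) to inside:10.0.0.8/443 (10.0.0.8/443)
"""

MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):\s*(?P<body>.*)$")
# 'key = value' pairs separated by ' : '. Values stop at the next ' :' or end of
# line, so an IPv6 'user IP' would need a different value pattern.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z ]+?)\s*=\s*(?P<val>[^:]+?)(?=\s*:|$)")

SUCCESS_IDS = {"113004"}
REJECT_IDS = {"113005", "113015"}


def parse_line(line):
    """Return (message_id, {field: value}) for an ASA syslog line, else None."""
    m = MSG_RE.search(line.rstrip())
    if not m:
        return None
    fields = {k.strip().lower(): v.strip() for k, v in FIELD_RE.findall(m.group("body"))}
    return m.group("id"), fields


def summarise(log_text):
    """Per-account ok/fail counts with failing source IPs, per-IP failure counts, reasons."""
    by_user = defaultdict(lambda: {"ok": 0, "fail": 0, "sources": set()})
    fail_by_ip = Counter()
    reasons = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg_id, f = parsed
        user = f.get("user")
        if not user:
            continue  # connection-build, ACL and other messages carry no user
        if msg_id in SUCCESS_IDS:
            by_user[user]["ok"] += 1
        elif msg_id in REJECT_IDS:
            by_user[user]["fail"] += 1
            reasons[f.get("reason", "unknown")] += 1
            ip = f.get("user ip")
            if ip:
                by_user[user]["sources"].add(ip)
                fail_by_ip[ip] += 1
    return by_user, fail_by_ip, reasons


def top_failed_accounts(by_user, n=5):
    """Accounts with the most rejected attempts, most failures first."""
    return sorted(by_user.items(), key=lambda kv: kv[1]["fail"], reverse=True)[:n]


def spraying_sources(by_user, min_accounts=2):
    """Source IPs that failed against several distinct accounts (password spraying, not a typo)."""
    accounts_per_ip = defaultdict(set)
    for user, info in by_user.items():
        for ip in info["sources"]:
            accounts_per_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in accounts_per_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    users, ips, why = summarise(SAMPLE_LOG)
    for user, info in top_failed_accounts(users):
        print(f"{user:12} ok={info['ok']:3} fail={info['fail']:3} from={sorted(info['sources'])}")
    print("failures per source:", dict(ips))
    print("reasons:", dict(why))
    print("spraying sources:", spraying_sources(users))
```

Two practical checks before relying on this: the 1130xx messages are informational (severity 6), so the ASA's syslog export must be at informational level or above, otherwise the collector never sees them; and a single source failing against many different accounts (the `spraying_sources` output) is a better alarm than a single account with a few failures, which is usually a mistyped password.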

Similar Messages

  • Tool used for monitoring Voice Gateways

    Hi,
    I would like to know which tools are available to do real-time monitoring of Cisco AS5400 voice gateways.
    We would like to monitor trunk utilization / number of active calls ...
    We need real-time monitoring capabilities.
    Thanks for the advice.
    rgds
    abdel

    You can start from here:
    http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800b4cee.shtml
    Go to MIB Locator, select the IOS version, then the platform family; it will narrow it down to a small number of MIBs to choose from.
    Then search for "number of calls" and check the box "Include object descriptions in search".
    About 21 MIB objects are related. For each one you can check the supported versions of IOS.

  • Cisco ASA IPS vs Bruteforce

    Who can help me? I need a device that will block brute-force attacks against our webmail servers, e.g. 5 wrong password inputs = block for 10 min.
    Can I use the Cisco ASA IPS for this?

    Depending on how your specific webmail server works, perhaps you could use/tune:
    SIG 6256.0 (HTTP Authorization Failure)
    -or-
    SIG 20020.0 (HTTP Authentication Brute Force Attempt)
    Or create a custom signature based on one of the above.
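    The IPS signatures above detect the pattern; the "5 wrong = block for 10 min" policy itself is a small piece of state that something in the path has to keep. The following is an added illustration of that policy, not ASA, IPS or signature code from the thread: a sliding-window lockout as a reverse proxy, log-driven blocker or the webmail application itself would implement it. The event stream is constructed for the example and the addresses are documentation-range.

```python
"""Sliding-window lockout: N failed logins for one key inside a window block
that key for a fixed period.

Added illustration of the '5 wrong passwords = block for 10 min' policy asked
about in the thread; it is not ASA, IPS or signature code. It is the decision
logic a reverse proxy, a fail2ban-style log watcher or the webmail application
itself would run. The key is whatever you count on: the source IP, the
username, or the (source IP, username) pair.
"""
import time
from collections import deque


class LockoutPolicy:
    def __init__(self, max_failures=5, window_s=600, block_s=600):
        self.max_failures = max_failures
        self.window_s = window_s          # failures older than this no longer count
        self.block_s = block_s            # how long a key stays blocked
        self._failures = {}               # key -> deque of recent failure timestamps
        self._blocked_until = {}          # key -> unix time at which the block expires

    def is_blocked(self, key, now=None):
        now = time.time() if now is None else now
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                  # block expired: forget it and the old failures
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def seconds_remaining(self, key, now=None):
        now = time.time() if now is None else now
        return self._blocked_until[key] - now if self.is_blocked(key, now) else 0.0

    def record_failure(self, key, now=None):
        """Register a failed login. Returns True if the key is (now) blocked."""
        now = time.time() if now is None else now
        if self.is_blocked(key, now):
            return True                   # attempts during a block do not extend it here
        recent = self._failures.setdefault(key, deque())
        while recent and now - recent[0] > self.window_s:
            recent.popleft()              # slide the window forward
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._blocked_until[key] = now + self.block_s
            recent.clear()
            return True
        return False

    def record_success(self, key, now=None):
        """A successful login clears the failure history; it never lifts an active block."""
        now = time.time() if now is None else now
        if not self.is_blocked(key, now):
            self._failures.pop(key, None)


# Constructed event stream: (seconds offset, source IP, outcome). Not real traffic.
EVENTS = [
    (0, "203.0.113.10", "fail"), (2, "203.0.113.10", "fail"), (4, "203.0.113.10", "fail"),
    (6, "203.0.113.10", "fail"), (8, "203.0.113.10", "fail"),    # 5th failure -> blocked
    (9, "203.0.113.10", "ok"),                                    # right password, still blocked
    (30, "198.51.100.7", "fail"), (31, "198.51.100.7", "ok"),     # one typo, then success
    (700, "203.0.113.10", "ok"),                                  # block expired at t=608
]


def replay(events, policy=None, t0=0.0):
    """Run events through the policy; return (offset, key, 'BLOCK' or 'ALLOW') per event.

    'ALLOW' means the attempt was passed on to the password check, whatever its outcome.
    """
    policy = policy or LockoutPolicy()
    decisions = []
    for offset, key, outcome in events:
        now = t0 + offset
        if policy.is_blocked(key, now):
            decisions.append((offset, key, "BLOCK"))
            continue
        if outcome == "fail":
            policy.record_failure(key, now)
        else:
            policy.record_success(key, now)
        decisions.append((offset, key, "ALLOW"))
    return decisions


if __name__ == "__main__":
    for decision in replay(EVENTS):
        print(*decision)
```

    Two design points worth noticing: a correct password during the block is still refused, otherwise the lockout tells an attacker when they have guessed right; and keying purely on source IP is easy to evade from a botnet, while keying purely on username lets an attacker lock real users out, so the (source IP, username) pair is the usual compromise.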

  • How to perform near realtime monitoring of ASA?

    Hi,
    we would like to have the option to monitor the performance of the ASA in close to real time.
    We need to be able to, e.g., get an alert (email, pager) when the number of connections reaches a certain level, when CPU goes high, when traffic reaches a certain level, etc. What would be the Cisco solution to these challenges? Can MARS fulfill this task? Any other third-party solutions to this problem?
    Thanks in advance for pointing me in right directions.
    Regards

    Hi,
    You can enable NSEL to do real-time monitoring of your ASA traffic. Please refer to the links below to monitor Cisco ASA with NSEL.
    https://blogs.manageengine.com/netflowanalyzer/2010/07/22/configuring-cisco-asa-netflow-via-asdm
    https://forums.manageengine.com/#topic/49000003577011
    Visit http://www.opmanager.com to monitor Cisco ASA health metrics.
    Thanks
    Don
    ManageEngine NetFlow Analyzer
    www.netflowanalyzer.com

  • Security monitoring tool for Cisco ASA

    Please suggest a cheap and best security monitoring tool for Cisco ASA devices.

    You can use OSSEC, an open source tool installed on Linux:
    http://www.ossec.net/

  • Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

    Would like to know if there is any tool that could help migrate the CheckPoint firewall objects and rules database to the Cisco ASA equivalent;
    Could the latest Cisco Security Manager product help in this process?
    thanks in advance

    Joel, you may need to use a firewall analyser or firewall auditing tools to retrieve the firewall rules from Nokia/FW-1 in a legible format, e.g. using LFA, but you would still need to manually enter the configuration into the ASA.
    Check this link and look for (LFA) Lumeta Firewall Analyser; they work along with Checkpoint.
    http://www.lumeta.com/
    Also reference this thread, it may help.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
    HTH
    Jorge

  • Cisco ASA 5520 Traffic monitoring

    Hello ,
    We have a Cisco ASA 5520 and I'm looking for a way to monitor the largest outgoing and incoming traffic per IP in real time, so as to know which of my internal computers are using most of our Internet line. Is there a way to do this through ASDM? We use version 6.3.
    Thanks a lot

    Hi,
    I don't think the ASA alone can give you a really clear picture of the real-time situation.
    It should, however, be able to give you some clues and simple statistics on the ASDM Firewall Dashboard.
    My ASDM version is 7.1, but it should be there in your version also.

  • Cisco ASA using Multiple DNS Names

    Hi,
    I am trying to set up a Cisco ASA for SSL VPN; however, due to load balancing/traffic redirection performed by a different device, I was wondering if it may be possible to perform a certificate signing request / obtain a certificate that covers multiple addresses. An example would be:
    IP: 1.1.1.1, fqdn: vpn1.asa.com
    IP: 1.1.1.2, fqdn: vpn2.asa.com
    IP: 1.1.1.3, fqdn: vpn3.asa.com
    Not too sure how to perform the CSR for it on the ASA. Do I create the CSR with a single CN=vpn1.asa.com and ask the CA vendor to sign it with SANs of vpn2.asa.com and vpn3.asa.com?
    Clients performing SSL VPN on vpn1.asa.com, vpn2.asa.com or vpn3.asa.com should not be prompted with a certificate warning.
    Thanks.

    Hi,
    Appreciate the input. For the setup, the different FQDNs are used due to different authentication/locations/etc. I have further illustrated the setup, using the same interface for VPN access:
    vpn3.asa.com (Extranet Vendor Access) ----------+
                                                    |
    vpn1.asa.com (External branch offices) -------- ASA ------------- Internal authentication servers
                                                    |
    vpn2.asa.com (HQ/Corporate Users) --------------+
    Not too sure about the creation of the CSR with a single CN=vpn1.asa.com and asking the CA vendor to sign it with SANs of vpn2.asa.com and vpn3.asa.com as well as vpn1.asa.com?
    Thanks.

  • Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth

    Hello all,
    I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
    Their authentication process is two steps: it binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. In step 2, it binds to the directory with the DN it found when searching and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
    When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
    We opened a TAC case with Cisco, and this is their response:
    The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
    I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
    I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config , but that doesn't seem to make any difference to the ASA.. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?

    My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
    I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either.

  • Can I format the CF in a Cisco 1800 router and then use it on the ASA 5520?

    Can I format a Compact Flash card in a Cisco 1800 router and then use it in the ASA 5520?

    You don't have to format the card in the router. You can do that on your PC. Just format the CF card as FAT32 and plug it into the ASA.
    BUT: if you just want to "upgrade" the old card with a different one, then first attach the original card from the ASA to your PC and copy all files (including the hidden ones) to your PC, and then copy them back to the new card. That way you also move your licenses, which are stored in hidden files, to the new card, as well as your private data such as keys.

  • Firewalling vlans on Catalyst 6500 by using Cisco ASA Firewalls

    Hello,
    How can I secure VLANs on a Catalyst 6500 using Cisco ASA firewalls?
    There are no free slots on the Catalyst 6500 to install an FWSM module.
    What is the best configuration to secure ~80 VLANs using Cisco ASA firewalls (contexts, hairpinning...)?
    Thanks

    Hi Bro
    Just to understand your question once again: you don't have any more available slots in your present Cat6K, but you want to know how to secure the VLANs or SVIs that have been configured in your Cat6K?
    If you were to ask me, I would not apply a bunch of ACLs in the Cat6K, for starters. You might want to look into CoPP (Control Plane Policing) instead. Furthermore, you could also refer to this Cisco document http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml
    However, if you do have a Cisco ASA FW appliance (not a module, I presume from your question), you could enable ACLs, the threat-detection feature, IP Audit features, reverse-path policing, capping of the embryonic connection values, etc.
    P/S: If you think this comment is useful, please do rate it nicely :-)

  • Cisco ASA redirect HTTP port to HTTPS without using a CNAME DNS record

    Hi all,
    Could anyone tell me: is it possible to configure the ASA so that when a customer requests http://domain.com, the Cisco ASA redirects to https://domain.com (similar to the CNAME function of a domain record)?
    P.S. The domain.com resource is located behind the ASA and the DNS A record points to the public ASA IP address.
    Thank you.

    What version of ASA are you running?
    If the server has both a static public and a private IP, you could use NAT to redirect HTTP traffic to HTTPS based on IP (object NAT with port translation; the real port on the server comes first, then the mapped port seen on the outside):
    object network PUBLIC_IP
      host 1.1.1.1
    object network REAL_IP
      host 2.2.2.2
      nat (inside,outside) static PUBLIC_IP service tcp https http
    Keep in mind that you will also need a NAT statement that maintains HTTPS to the server.
    Please remember to select a correct answer and rate helpful posts

  • Dear All, I'm using a Cisco ASA 5505 firewall and I want an email alert from my firewall if the CPU rises above 70%. Is it possible? Please help me. Thanks, Vijay

    Dear All,
    I'm using a Cisco ASA 5505 firewall and I want an email alert from my firewall if the CPU rises above 70%. Is it possible? Please help me.
    Thanks
    Vijay

    Hi Vijay,
    It can be done, but you need some network management software. I personally don't think you can ask your ASA to send mails. The ASA can trigger an alert to a configured SNMP server, which will in turn send mail to you.
    HTH,

  • NPAS: How do I use Cisco ASA RADIUS attribute 146?

    We have a Cisco ASA 5520 running firmware 8.4.5 and are using it for AnyConnect SSL VPN. We are using Microsoft Network Policy and Access Services (NPAS) as a RADIUS server to handle authentication requests coming from the ASA.
    We have three tunnel groups configured on the ASA, and have three Active Directory security groups that correspond with each one. At this time, we are using Cisco's vendor-specific RADIUS attribute 85 (tunnel-group-lock) to send back to the ASA a string that corresponds to a policy rule in NPAS based on the matched group membership. This works in the sense that each user can only be a member of one of the three AD security groups used for VPN, and if they pick a tunnel group in the AnyConnect client that doesn't correspond to them, the ASA doesn't set up the session for them.
    Well, Cisco added vendor-specific RADIUS attribute 146 (tunnel-group-name) in firmware 8.4.3. This is an *upstream* attribute, and is one that is sent by the ASA to the RADIUS server. We would like to use this attribute in our policies in NPAS to help with policy matching. By doing this, we could allow people to be in more than one VPN group and select more than one of the tunnel groups in the AnyConnect client, each of which may provide different network access.
    The question becomes, how can I use this upstream RADIUS attribute in my policy conditions? I tried putting it in the policy in the Vendor-Specific section under Policies (the same place where we had attribute 85 defined), but this doesn't work. These are just downstream attributes that the NPAS server sends back to the RADIUS client (the ASA). The ASA seems to ignore attribute 146 if it is sent back in this manner, and the result is that the first rule that contains a group the user is a member of is matched and authentication is successful. This is undesirable, because it means the person could potentially select a tunnel group and successfully authenticate even though that isn't what we desire.
    Here is Cisco's documentation that describes these attributes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html

    Philippe:
    Thank you for the response, but I am already aware of how to use Cisco's group-lock or tunnel-group-lock with RADIUS and, in fact, we are already using tunnel-group-lock (attribute 85).
    Using tunnel-group-lock works in the sense that you have three RADIUS policies and three AD security groups (one per tunnel group configured on the ASA). Each AD group is basically designed to map to a specific tunnel group. Each RADIUS policy contains vendor-specific attribute 85 with the name of the tunnel group. So when you connect and attempt authentication through NPAS, it goes down the RADIUS policies until the conditions match (in this case the conditions are the source RADIUS client, the ASA, and membership in a particular AD security group), it determines if your authentication attempt is successful, and if so it sends the tunnel group name back to the ASA. If the tunnel group name matches the one associated with the user group you selected from the list in the AnyConnect client, a VPN tunnel is established. Otherwise, the ASA rejects the connection attempt.
    Frankly, tunnel-group-lock works fine so long as a given individual only ever needs to connect to a single tunnel group. If there is a need for an individual to be able to use two out of the three or all three tunnel groups in order to gain different access, using tunnel-group-lock or group-lock won't work. This is because, when the RADIUS server processes the policies, the first one in the list that has an AD security group the user is a member of will be matched and the tunnel group name associated with that policy will be sent back to the ASA every time. If that name doesn't match the one they picked, the tunnel will not be established. This will happen every time the tunnel group is associated with the second or third AD group they are a member of, in terms of order in the NPAS policy list.
    Group-lock (attribute 25) works similarly. In such a case, the result won't be a failure to connect if the user group chosen is associated with the second or third AD group in the policy list; rather, it will just always send the ASA the first group name, and the ASA will establish the session but always apply the same policy to the client rather than the desired one.
    We upgraded to firmware 8.4.5 on our ASA 5520 specifically so that we could make use of attribute 146 (tunnel-group-name). Since this is an upstream attribute sent by the ASA to the RADIUS server (rather than something sent by the RADIUS server to the ASA as part of the authentication response), we were hoping to be able to use it as an additional condition in the NPAS policies. In this way, people could be members of more than one of the AD security groups related to VPN at a time. The problem is, I just do not know how to leverage it in the NPAS policy conditions, or if it is even possible.

  • Creating a 20MB bandwidth using two Cisco ASA 5515-X with a hub (10/100/1000)

    hi all,
    I would like to simulate a bandwidth of 20MB for my DR project testing on my two Cisco ASA 5515-X with a Cisco hub (10/100/1000). I was thinking of making two connections on my "outside" VLAN, both at a speed of 10, and EtherChannel them, and do the same again on the other ASA.
    Do you think it will simulate 20MB bandwidth? Or any other suggestion? Please add any comment, thanks to all.

    Hi Nicholas,
    You have HSRP running between your core devices. You can have your Core A - ASA1 & Core B - ASA2.
    In your core switch you need to have a separate VLAN to connect the uplink to the firewall; as usual, in the ASA you can have the primary and standby addresses configured, and in the core you can also have the VLAN with the HSRP IP configured.
    But make sure that in your firewall you configure the static routes for each subnet pointing to the core device's HSRP address.
    The other scenario is to make your ASAs standalone firewalls: in one firewall you need to have a route to Core A as primary and Core B as secondary, and in the other firewall vice versa, so that your traffic gets load balanced.
    Please do rate if the given information helps.
    By
    Karthik
