Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About malikyounas
Stats
Member since
01-05-2009
14
Posts
4
Helpful
1
Solution
Certifications
03-29-2017
04:57 AM
I have followed the guide on the link below to configure direct authentication on ASA. HTTP part of it works fine but HTTPS doesn't.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113363-asa-cut-through-config-00.html
As per guide the configuration quite simple to achieve and works OK for HTTP. However, as soon as I replace HTTP with HTTPs, the web page shows a certificate error which I ignore but doesn't load anything afterwards and just keeps waiting. Any idea how to get it working?
interface Ethernet0 nameif inside security-level 100 ip address 20.20.20.2 255.255.255.252 ! interface Ethernet1 nameif outside security-level 0 ip address 10.10.10.55 255.255.255.0 ! access-list inside extended permit ip any any access-list outside extended permit ip any any access-list authmatch extended permit tcp any host 10.10.10.55 eq 5555 access-group inside in interface inside access-group outside in interface outside user-identity default-domain LOCAL aaa authentication match authmatch outside LOCAL
aaa authentication listener http outside port 5555 http server enable http 10.10.10.0 255.255.255.0 outside
... View more
Labels:
09-09-2016
08:18 AM
Found answer myself, only certrain protocols are supported for inspection and TFTP is not one of them.
... View more
Created by
malikyounas
in Network Security
in Network Security
09-09-2016
04:00 AM
09-09-2016
04:00 AM
I am testing the firepower (ver. 6.0.0.1-26) on ASA 5525X (9.5.3).
I have access control policy applied with file and malware policies in it which are to block malware.
I have an issue where a test a malware file transfer using TFTP isnt detected by the module and is allowed to pass through. However, module detects the file If I try to use FTP for file transfer.
Any idea why it would not detect using TFTP and how it detect when using FTP.
... View more
- Tags:
- #ASA5525X
- #firepower
Labels:
Created by
malikyounas
in Network Access Control
in Network Access Control
10-02-2013
12:35 AM
10-02-2013
12:35 AM
Yep that was the reason exactly. I had unintalled the patch and error was still there, It went away as soon as I removed the second Identity server. Thanks for your help.
... View more
Created by
malikyounas
in Network Access Control
in Network Access Control
09-27-2013
07:16 AM
09-27-2013
07:16 AM
I have installed the latest path ( 5-4-0-46-4) on ACS Server and after that I am getting following error when I try to access System Administration > ... > Administrators > Administrative Access Control > Authorization The error message is This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. I cant move away from this error and have to logout before I doing anything else but as soon as I try to access this Autorization pageagain, the same error message appears. Did any one try updating ACS 5.4 with latest patch, have you encountered this error? did you manage to fix it and how please?
... View more
Labels:
03-30-2012
03:15 AM
Well, you can do this in 8.0, give this a try These access list define what to NAT access-list outnat extended permit ip host 192.168.1.1 192.168.10.0 255.255.255.0 access-list innat extended permit tcp 172.16.10.0 255.255.255.0 host 192.168.100.1 eq telnet Here is your pool of addresses and NAT statement for it global (inside) 1 192.168.10.1-192.168.10.100 nat (extranet) 1 access-list innat outside Here is the Static NAT statement to map 192.168.1.1 to 192.168.100.1 static (inside,extranet) 192.168.100.1 access-list outnat
... View more
03-19-2012
05:14 AM
it will depend on what sort of entry you are going to add, if you add just the detiantion IP, ASA will consider as Standard and if you define source and destirnation, ASA will automatically consider this as extended. access-list cisco permit ip host 20.20.20.1 - ASA will default to standard ACL for this access-list cisco permit ip any host 20.20.20.1 - ASA will default to Extended ACL for this if you use use show access-list after adding both ACLs above, you will see first one as standard and second as extended.
... View more
03-19-2012
04:18 AM
Hi, Its better defined in this cisco doc where it says you cant use standard ACL as it only identifies the destination IP address which you can suppose is not enough for FW Information About Standard Access Lists Standard access lists identify the destination IP addresses of OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic. http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_standard.html#wp1074591
... View more
03-19-2012
03:09 AM
1. you just need to enter the same command without 'inactive' at the end of it, do 'sh access-list' and get an idea of line number access-list out-in line XX extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet 2. Enter the command 'sh access-list', it will show all the active ACLs and the line number along with it, you will have to remove that line entry and re-add it, so say for example if you want to remove line from the following ASA1# sh access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list inside_in; 2 elements; name hash: 0xd3a8690b access-list inside_in line 1 extended permit ip any any (hitcnt=0) 0xb80bc887 access-list inside_in line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet (hitcnt=0) 0x7bf0c01d you can config t no access-list inside_in line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet access-list inside_in line 2 extended permit tcp host host eq telnet
... View more
04-21-2010
02:39 AM
Tested the same for 3560 and storm control are useless againt ARP Storm.....
... View more
01-29-2010
03:29 AM
Here is one with uses policy map with virtual template http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/mlppp_over_atm.html another example here http://www.ciscosystems.com/en/US/docs/ios/qos/configuration/guide/mlppp_over_atm_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1099238
... View more
01-29-2010
03:12 AM
tried it but the result is same no counter if I use policy-map TEST class class-default bandwidth 8 interface Virtual-Template1 bandwidth 256 ip unnumbered Loopback1 ip flow ingress load-interval 30 max-reserved-bandwidth 100 service-policy output TEST #sh policy-map int virtual-template 1 OR #sh policy-map int virtual-access 1 #sh policy-map int virtual-access 2 #sh policy-map int virtual-access 3
... View more
01-29-2010
02:12 AM
Thanks for your reply Giuseppe, yeah thats the thing, I thought it should appear under Virtual Access Interface but doesnt show up there either, following is the output from router sh ip int bri Interface IP-Address OK? Method Status Protocol ATM0 unassigned YES NVRAM up up ATM0.1 unassigned YES unset up up FastEthernet0 unassigned YES unset up up FastEthernet1 unassigned YES unset administratively down down FastEthernet2 unassigned YES unset administratively down down FastEthernet3 unassigned YES unset administratively down down Loopback1 x.x.x.x YES NVRAM up up Loopback10 x.x.x.x YES NVRAM up up Virtual-Access1 unassigned YES unset up up Virtual-Access2 unassigned YES unset down down Virtual-Access3 x.x.x.x YES TFTP up up Virtual-Template1 x.x.x.x YES TFTP down down Vlan1 x.x.x.x YES NVRAM up up Router#sh policy-map interface virtual-access 1 Router#sh policy-map interface virtual-access 2 Router#sh policy-map interface virtual-access 3 Router#
... View more
01-28-2010
08:30 AM
Hi, I am trying to attach a service policy to Virtual-Template which is refrenced in PVC of ATM Interface, now according to documentation this service policy should work but I am not getting any output of that....here is configuration first and then the out of show command class-map match-any ce_mgmt_bundled_output match access-group 199 policy-map outbound class ce_mgmt_bundled_output police 8000 8000 8000 conform-action set-dscp-transmit 63 exceed-action set-dscp-transmit 63 violate-action set-dscp-transmit 63 bandwidth 8 random-detect random-detect exponential-weighting-constant 3 random-detect precedence 6 20 32 10 interface ATM0 bandwidth 256 no ip address load-interval 30 no atm ilmi-keepalive hold-queue 224 in ! interface ATM0.1 point-to-point bandwidth 256 pvc 0/38 vbr-nrt 248 248 tx-ring-limit 3 oam-pvc manage oam retry 3 3 10 encapsulation aal5mux ppp Virtual-Template1 max-reserved-bandwidth 100 interface Virtual-Template1 bandwidth 256 ip unnumbered Loopback1 ip flow ingress load-interval 30 max-reserved-bandwidth 100 service-policy output outbound ! Now when I use the following show command it doesnt show me any contents for service policy applied # sh policy-map int virtual-template 1 Virtual-Template1 Service-policy output: outbound Service policy content is displayed for cloned interfaces only such as vaccess and sessions any ideas??????
... View more
Labels:
03-29-2017
I have followed the guide on the link below to configure direct
authentication on ASA. HTTP part of ...
09-09-2016
Found answer myself, only certrain protocols are supported for
inspection and TFTP is not one of the...
Created by
malikyounas
in Network Security
09-09-2016
09-09-2016
I am testing the firepower (ver. 6.0.0.1-26) on ASA 5525X (9.5.3). I
have access control policy appl...
Created by
malikyounas
in Network Access Control
10-02-2013
10-02-2013
Yep that was the reason exactly. I had unintalled the patch and error
was still there, It went away ...
Created by
malikyounas
in Network Access Control
09-27-2013
09-27-2013
I have installed the latest path (5-4-0-46-4) on ACS Server and after
that I am getting following er...
03-30-2012
Well, you can do this in 8.0, give this a tryThese access list define
what to NATaccess-list outnat ...
03-19-2012
it will depend on what sort of entry you are going to add, if you add
just the detiantion IP, ASA wi...
03-19-2012
Hi,Its better defined in this cisco doc where it says you cant use
standard ACL as it only identifie...
03-19-2012
1. you just need to enter the same command without 'inactive' at the end
of it, do 'sh access-list' ...
Created by
malikyounas
in Routing
01-29-2010
01-29-2010
Here is one with uses policy map with virtual
templatehttp://www.cisco.com/en/US/docs/ios/qos/config...
Created by
malikyounas
in Routing
01-29-2010
01-29-2010
tried it but the result is same no counter if I usepolicy-map TEST class
class-default bandwidth 8in...
Created by
malikyounas
in Routing
01-29-2010
01-29-2010
Thanks for your reply Giuseppe, yeah thats the thing, I thought it
should appear under Virtual Acces...
Public Statistics
| Date Registered | 01-05-2009 04:22 AM |
| Date Last Visited | 03-03-2020 05:39 AM |
| Total Messages Posted | 14 |
| Total Helpful Votes Received | 4 |
Helpful Votes Given To
| User | Helpful Count |
|---|---|
| 5 | |
| 5 | |
| 5 | |
| 5 | |
| 5 |
