<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Cisco NetPro - <![CDATA[General]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=&amp;topic=&amp;CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee6e1f8</link>
<description><![CDATA[Physical Security, Cisco Security Agent, Cisco Clean Access, Security design, rollout, management, and other issues]]></description>
<lastBuildDate>Tue, 17 Nov 2009 08:19:53 PST</lastBuildDate>
<generator>CCSF</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<item>
<title><![CDATA[ASA url logging]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f0ff</link>
<description><![CDATA[Hi,

I'm attempting to make our ASA log URLs and I am getting some success. However, the output presents the IP instead of the actual domain, e.g., when browsing to imdb it is logged as:

Nov 16 2009 14:12:35: %ASA-5-304001: 30.30.30.30 Accessed URL 209.85.229.148:/adj/imdb2.consumer.homepage/;tile=2;sz=468x60,728x90,1008x150,9x1;p=t;s=32;;ord=9973051011677648

rather than imdb.com/....(or whatever it happens to be).

How do I get the ASA to log the domain rather than the corresponding IP address?

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#related
states the ASA has to run version 8.0.4.24 or later; ours has 8.2(1).

Thanks,
Scott]]></description>
<guid isPermaLink="false">.2cd4f0ff</guid>
<pubDate>Tue, 17 Nov 2009 08:19:52 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA Interface Input errors - overrun]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f299</link>
<description><![CDATA[Hello,
Does anyone know why packet overruns are incrementing on the ASA even when I have only 40 Mbps of throughput traffic?
All interfaces are 1000-FullDuplex, both on the ASA and on the Catalyst 3750.
I've tested the ASA5540 generating HTTP GETs, about 40 Mbit of traffic.
When I use one ingress interface and one egress interface, the interface input overrun counter is zero.
When I use the same traffic with 3 ingress interfaces (slot0) and 3 egress interfaces (slot1), the interface input overrun counter increases (60k overruns in only 2 minutes).
Does anyone have some ideas?
Thanks in advance
Simone]]></description>
<guid isPermaLink="false">.2cd4f299</guid>
<pubDate>Tue, 17 Nov 2009 07:48:44 PST</pubDate>
</item>
<item>
<title><![CDATA[source destination graphs on firewall]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f33a</link>
<description><![CDATA[Hi,
Is there any way we could see the high communication flow between the src and dst on the ASA firewall in real time? We could see the top 10 sources and top 10 destinations, but it didn't match the flow. Also, top 10 seems to be a limitation; is there any way we can see the top 100 sources/destinations?

Thanks]]></description>
<guid isPermaLink="false">.2cd4f33a</guid>
<pubDate>Tue, 17 Nov 2009 07:31:32 PST</pubDate>
</item>
<item>
<title><![CDATA[About ASA AIP-SSM Module]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f23a</link>
<description><![CDATA[Hi
Recently one of my clients said that he needs to install an AIP-SSM or CSC-SSM module in his existing firewall. The current firewall is ASA-5510-SEC-BUN/K9.

After reviewing the datasheet I see the client can only insert an SSM-4GE card into the firewall.

Is it possible to insert any AIP-SSM or CSC-SSM card into the ASA5510-SEC-BUN-K9?

Regards
Hasan
]]></description>
<guid isPermaLink="false">.2cd4f23a</guid>
<pubDate>Tue, 17 Nov 2009 07:22:55 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA nat rules]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f05d</link>
<description><![CDATA[Hello,

An ASA with inside, outside, DMZ1 and DMZ2 interfaces (only the DMZs are important here):
- DMZ1 has 172.16.1.0/24, security-level 40
- DMZ2 has 172.20.3.0/24, security-level 75 and a web server at 172.20.3.8

If I want to let the users from DMZ1 access the web server in DMZ2, do I need a NAT with real addresses 172.16.1.0/24 and translated addresses 172.20.3.0/24?

Thank you!]]></description>
<guid isPermaLink="false">.2cd4f05d</guid>
<pubDate>Tue, 17 Nov 2009 06:16:21 PST</pubDate>
</item>
<item>
<title><![CDATA[Forcing client to have certificate in 802.1x]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4ed76</link>
<description><![CDATA[Hi!

I have 802.1x with Windows PKI on the wire with PEAP. I configured the switches to use MS IAS as RADIUS. A user from WinXP authenticates regularly with user name and password and user certificate. Also, the same user can authenticate from a Linux machine even if the machine doesn't have a certificate.

How do I deny machines without certificates, and at which point? I think it would be IAS?]]></description>
<guid isPermaLink="false">.2cd4ed76</guid>
<pubDate>Mon, 16 Nov 2009 23:53:46 PST</pubDate>
</item>
<item>
<title><![CDATA[Can't login NAC web login page ]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f04a</link>
<description><![CDATA[Dear Sir,
I can't log in to the user authentication web login page, but logging in with the NAC agent is OK. Could you help me to resolve it?
NAC CAM/CAS/Agent OS 4.7]]></description>
<guid isPermaLink="false">.2cd4f04a</guid>
<pubDate>Mon, 16 Nov 2009 22:52:39 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC Agent issues]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f212</link>
<description><![CDATA[Hi guys,

We are encountering several problems with regard to the NAC Agent. We are deploying AD SSO and, for some reason, on the same switch some hosts are performing SSO correctly and others are being prompted for a user name and password by the NAC agent even though the hosts are all logging in to the same domain. Do you guys have any idea on how to go about this problem?]]></description>
<guid isPermaLink="false">.2cd4f212</guid>
<pubDate>Mon, 16 Nov 2009 21:16:39 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC Guest Server - can't authenticate Radius client, DB error]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f241</link>
<description><![CDATA[Hi,
I'm currently evaluating the latest NGS v2.01 image with a fresh new installation. After the initial installation, I created a sponsor and a guest account. My plan is to use a Cisco ASA as the RADIUS client with cut-through authentication (RADIUS) to simulate the final application, which would be a WLAN controller.

Here's the error message when I ran the &quot;test aaa&quot; command from the ASA:

ciscoasa# test aaa authentication CUT-AUTH host 172.16.1.110 username jsmith@abc.com password cisco123
INFO: Attempting Authentication test to IP address &lt;172.16.1.110&gt; (timeout: 12 seconds)
ERROR: Authentication Rejected: Invalid password
ciscoasa# 

I double-checked the password, no issue, then looked at Server -&gt; System logs -&gt; Support logs -&gt; Radius log on the NGS; it shows some repeating errors as follows:

Mon Nov 16 14:04:16 2009 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Mon Nov 16 14:04:16 2009 : Info: rlm_sql (sql): Attempting to connect to postgres@localhost:/gapdb
Mon Nov 16 14:04:16 2009 : Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server postgres@localhost:gapdb
Mon Nov 16 14:04:16 2009 : Error: rlm_sql (sql): Failed to connect DB handle #0
Mon Nov 16 14:04:16 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Mon Nov 16 14:04:16 2009 : Error: Failed to load clients from SQL.
Mon Nov 16 14:04:16 2009 : Error: /etc/raddb/postgresql.conf[1]: Instantiation failed for module &quot;sql&quot;
Mon Nov 16 14:04:16 2009 : Error: /etc/raddb/radiusd.conf[88]: Failed to find module &quot;sql&quot;.
Mon Nov 16 14:04:16 2009 : Error: /etc/raddb/radiusd.conf[87]: Errors parsing accounting section. 
Mon Nov 16 14:04:16 2009 : Error: Errors initializing modules
Mon Nov 16 14:05:06 2009 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Mon Nov 16 14:05:06 2009 : Info: rlm_sql (sql): Attempting to connect to postgres@localhost:/gapdb
Mon Nov 16 14:05:08 2009 : Info: Ready to process requests.
Mon Nov 16 14:06:51 2009 : Info: Exiting normally.

I guess something is wrong with the NGS, but I don't see any errors during the installation. The RADIUS package of NGS 2.01 is FreeRADIUS 2.1.3.1; any ideas?

Thanks
]]></description>
<guid isPermaLink="false">.2cd4f241</guid>
<pubDate>Mon, 16 Nov 2009 20:48:54 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC SSL Certificates]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4eb34</link>
<description><![CDATA[Hello there,
I installed NAC and cut over to the production environment without changing the Perfigo root certificate. This is because I had no CA server.
Now I've got a Win 2003 standalone root CA server configured. What is the impact of requesting a certificate from this CA and installing it on the NAC server and Manager?

regards,
Stanslaus.]]></description>
<guid isPermaLink="false">.2cd4eb34</guid>
<pubDate>Mon, 16 Nov 2009 17:57:29 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC L3 OOB VoIP]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4ee5c</link>
<description><![CDATA[I've configured a CAM and CAS as both L2 OOB and have enabled L3 support with Real IP. I have a remote site that uses Avaya 4610SW VoIP phones. Both the CAM and CAS reside locally with no CAS at the remote site.  

I'm able to get full functionality with VoIP phones and clients connected to the phones from a Layer 2 perspective; however, when I try to get the remote office VoIP phone/client combo working, it doesn't work. When I remove the phone and plug the client machine directly into the switchport, it works, so I'm sure the PBR and GRE configs are correct.

From my reading, I know that you need to exclude the MAC addresses of the phones, and when I have done testing from a Layer 2 perspective, it works without a problem. The problem that I am seeing is that the MAC address of the phone is not being picked up by the NAC. I'm aware that MAC addresses are stripped off for L3, but I have no idea how to get this to work. The profile has been set up to not bounce the port, MAC address notification vs. linkup/down, etc.

Any ideas would be greatly appreciated.

Thanks
Jeff

]]></description>
<guid isPermaLink="false">.2cd4ee5c</guid>
<pubDate>Mon, 16 Nov 2009 17:55:36 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC with servers]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f200</link>
<description><![CDATA[Hi All, 
We are deploying NAC 3310. NAS is in OOB/RIP/L3. We have multiple servers in the network. All switch ports are controlled by NAC and initially they are in the authentication VLAN. How can I filter servers so they are not inspected? Our IT guys move the cables connected to the servers to different ports over time. But the problem is, when they move a cable from one port to another, the new port is in the authentication VLAN. Does NAC automatically change the VLAN when it sees that the server MAC address is in the filter list? If not, what is the best solution for this scenario?
any suggestion would be very appreciated. 
Alex

 ]]></description>
<guid isPermaLink="false">.2cd4f200</guid>
<pubDate>Mon, 16 Nov 2009 17:53:45 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC error message]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f207</link>
<description><![CDATA[Hi All, 
I have installed CAA on the PC by browsing to the NAC untrusted interface. Everything worked fine. Then I had to change the switch IP address, but when I try to log in to CAA, it sends the old switch IP address. I've uninstalled and reinstalled CAA, same error. I even deleted it from the registry and then reinstalled CAA, same error: &quot;OOB Error: switch with 10.1.1.1 (old IP) not found&quot;.
any suggestion would be very appreciated. 
thanks 
Alex
]]></description>
<guid isPermaLink="false">.2cd4f207</guid>
<pubDate>Mon, 16 Nov 2009 17:52:07 PST</pubDate>
</item>
<item>
<title><![CDATA[How to manage large access-lists on FWSM]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4ef0a</link>
<description><![CDATA[Team, I have a rather large access-list in one of my firewalls and was wondering if anyone has any rules of thumb to go by when building complex access lists. I currently use object groups, but what is a good rule for ACLs with servers, users and different needs for access?]]></description>
<guid isPermaLink="false">.2cd4ef0a</guid>
<pubDate>Mon, 16 Nov 2009 15:57:25 PST</pubDate>
</item>
<item>
<title><![CDATA[SSLmodule and Extended Validation certificate]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f1a6</link>
<description><![CDATA[Hi

I've been trying for some time to get this to work properly. The certificate is issued and I got two intermediate certificates, one primary and one secondary, from the CA.
I've been trying, I think, a dozen times now; all certificates are installed OK, but when I do a &quot;show ssl-proxy service NAME&quot;, only the server certificate and the tier2 certificate are OK. I use tier2 to authenticate the trustpoint for the server certificate, by the way. Tier1 and the CA root are both installed as trustpoints without server certificates; they are only authenticated. The thing is that a &quot;show ssl-proxy service NAME&quot; shows only one intermediate certificate and one root, and the root certificate shown is an old one I used in a previous config. My question now is, how do I get the intermediates installed correctly?

Regards
Fredrik]]></description>
<guid isPermaLink="false">.2cd4f1a6</guid>
<pubDate>Mon, 16 Nov 2009 13:36:07 PST</pubDate>
</item>
<item>
<title><![CDATA[Any Word On CSA 6.0 on 64 Bit Windows]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4b7b1</link>
<description><![CDATA[Does anyone know or have an idea as to when this will be supported?]]></description>
<guid isPermaLink="false">.2cd4b7b1</guid>
<pubDate>Mon, 16 Nov 2009 13:08:22 PST</pubDate>
</item>
<item>
<title><![CDATA[How to disable Telnet on a switch]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4f19c</link>
<description><![CDATA[I would like to disable Telnet on a Cisco 3560G switch. I have seen all over the web that the way to do it is by:

line vty 0 4
transport input ssh

However, this doesn't work for me. SSH is not a valid transport on my switch. The only allowable transports are &quot;All&quot;, &quot;None&quot; or &quot;telnet&quot;. If I try SSH it gives the invalid input error.

I'm assuming this is because SSH is defaulted on Catalyst switches, but how can I remove Telnet?]]></description>
<guid isPermaLink="false">.2cd4f19c</guid>
<pubDate>Mon, 16 Nov 2009 13:06:42 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC OOB Web Login and CAS admin Page]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4ef0b</link>
<description><![CDATA[Folks,
I need help with an implementation that I am deploying. Everything is OK, but I saw that when the client accesses the Auth VLAN and receives the web login page, he can access the admin page of the CAS by putting in the URL https://&lt;cas_ip_add&gt;/admin, and after his authentication he cannot access it anymore because there is an ACL for this, but I was wondering if there is any option to deny the client access to the admin page of the CAS.

thanks a lot]]></description>
<guid isPermaLink="false">.2cd4ef0b</guid>
<pubDate>Mon, 16 Nov 2009 08:03:57 PST</pubDate>
</item>
<item>
<title><![CDATA[CSD and Norton IS 17.x]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4b83f</link>
<description><![CDATA[Currently using the latest AnyConnect client along with the latest Cisco Secure Desktop version. I have a simple posture check looking for the presence of an up-to-date AV client. Recently Symantec/Norton released an update to their Internet Security product bringing it up to version 17.x. Now CSD doesn't recognize the Norton AV client correctly and the VPN client fails the posture check. How can I configure ASA DAP so that it recognizes Norton IS 17.x until Cisco releases an updated CSD version that will recognize this? Running a debug DAP trace on the ASA shows the following:

endpoint.av[&quot;WmiAV&quot;].exists=&quot;true&quot;;
endpoint.av[&quot;WmiAV&quot;].description=&quot;Symantec unknown product&quot;;
endpoint.av[&quot;WmiAV&quot;].version=&quot;17.0.0.136&quot;;
endpoint.av[&quot;WmiAV&quot;].activescan=&quot;ok&quot;;]]></description>
<guid isPermaLink="false">.2cd4b83f</guid>
<pubDate>Mon, 16 Nov 2009 07:57:21 PST</pubDate>
</item>
<item>
<title><![CDATA[Urgent, NAC Module]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4efce</link>
<description><![CDATA[Hello all,
Please, right now I'm installing a NAC Module in a 2821 router, but the router still doesn't see the module. Which command do I execute to enable the module? My router IOS is 12.4(25b), which should support the NAC module.
Please, it's urgent.]]></description>
<guid isPermaLink="false">.2cd4efce</guid>
<pubDate>Mon, 16 Nov 2009 07:08:19 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC Port Profile &amp; Profiler Q]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4efd0</link>
<description><![CDATA[Hello,
1. Can I configure a different port profile per switch? I mean a different Auth/Access VLAN per switch.
2. Can a profiler register with several distinct CAMs, or do I need a profiler per CAM/pair of CAMs?
thanks]]></description>
<guid isPermaLink="false">.2cd4efd0</guid>
<pubDate>Mon, 16 Nov 2009 07:06:35 PST</pubDate>
</item>
<item>
<title><![CDATA[Can a virus get propagated over a L2L?]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4dba2</link>
<description><![CDATA[Hello all, I have a question. I work at a hospital with about 500 PCs. A much larger hospital (40,000 PCs) wants me to set up a site-to-site VPN. My concern is that this hospital got hit hard with the Conficker virus earlier in the year, which took them a couple of weeks to get rid of; what is the chance that a virus will propagate over the site-to-site VPN and infect my PCs? I'm sure they would want to do subnets instead of host ACLs. I have an ASA with the SSM module installed; will this inspect encrypted VPN traffic?]]></description>
<guid isPermaLink="false">.2cd4dba2</guid>
<pubDate>Mon, 16 Nov 2009 05:53:37 PST</pubDate>
</item>
<item>
<title><![CDATA[Protecting a Server]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4ee9d</link>
<description><![CDATA[Hi, Security Experts:

I have a question regarding server security.

How much value is there in restricting user access to only the TCP/UDP ports they need to communicate on and blocking access to any other open ports?

The intuitive thing is to think that blocking the unused ports is a good general practice, a best practice. But does that really prevent, or even mitigate, a hacker (user) launching a DoS attack on the server on the TCP port that is supposed to be open?

In other words, whether 20 ports are open or only one, does it really make a qualitative difference? What stops the hacker from launching, say, a TCP SYN attack on the open TCP port?

In short, is there really much gained in blocking those other ports?

I am looking for more than just a &quot;general rule of thumb&quot; answer because I know what that rule is already. I would like a more in-depth answer that specifically addresses the ability to disable a server even if only one port is open.

Thanks

]]></description>
<guid isPermaLink="false">.2cd4ee9d</guid>
<pubDate>Mon, 16 Nov 2009 02:08:10 PST</pubDate>
</item>
<item>
<title><![CDATA[ADSSO not starting due to ADSSO]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4e535</link>
<description><![CDATA[We have a core switch with FWSM. All the users Default gateway is FWSM.
There is an access switch where the user is connected. The mode of
deployment for NAC is L2 OOB VGW. The switch is added to the NAC. ADSSO is configured on the NAC and the service is started. As soon as I restart the PC, it is not able to contact the DC while all the ports are opened to the DC. No agent popup appears. It does not show any keys in Kerbtray.

The sequence is:

Since the client username and password have been cached locally, it is able to
log on.

The client gets an IP address from DHCP and it is in the authentication
VLAN, which is 110. Now there is no agent coming up unless I do the below:


When I do arp -a in cmd it shows me an invalid MAC address for the default GW. Now if I add a static MAC address on the client PC, the popup immediately
occurs. Or if I do a ping from the FWSM, which is the default GW,
then the popup immediately occurs.

I captured the packets with Ethereal and noticed that the client is
sending ARP requests but it is not receiving any reply. The capture is also attached. Note that 192.168.3.1 is the gateway and 192.168.3.3 is the client.

FWSM version is 3.1(4) working in FO.

What do you suggest ?

Attachment Keywords:
1) CiscoSupportReport.zip
2) capture 1
]]></description>
<guid isPermaLink="false">.2cd4e535</guid>
<pubDate>Mon, 16 Nov 2009 00:21:10 PST</pubDate>
</item>
<item>
<title><![CDATA[csmars issue]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd411e0</link>
<description><![CDATA[Hi all,
I am trying to add a 6509 switch which contains FWSM and IDSM modules. But when I tried to add the module it shows only IPS options in the dropdown of Device type and no FWSM version. Please tell me how I can find FWSM versions also in the device type.]]></description>
<guid isPermaLink="false">.2cd411e0</guid>
<pubDate>Fri, 13 Nov 2009 06:38:33 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA 5510 arp table!!!! HELP]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4ed4f</link>
<description><![CDATA[Hi guys

Anyone know the OID for getting the ARP table from an ASA 5510? 

I can't seem to find it anywhere.

Mikkel]]></description>
<guid isPermaLink="false">.2cd4ed4f</guid>
<pubDate>Fri, 13 Nov 2009 00:32:15 PST</pubDate>
</item>
<item>
<title><![CDATA[Netflow analyzer recommendations]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4e900</link>
<description><![CDATA[I am trying to clean up the access-lists in an ASA firewall. Due to the amount of traffic that goes through it, I have been having trouble getting a list of traffic that is actually travelling through the ASA.

I have been looking at the new Netflow feature of the ASA and it looks like this would be a big help.

Does anybody have any experience with any Netflow Analyzers with the ASA?  A perfect solution would allow me to export a summary of all non-established traffic. ]]></description>
<guid isPermaLink="false">.2cd4e900</guid>
<pubDate>Thu, 12 Nov 2009 13:15:04 PST</pubDate>
</item>
<item>
<title><![CDATA[What is the difference between hashing and encryption]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4e9ce</link>
<description><![CDATA[Dear experts,
I'd like to know the difference between hashing functions and encryption functions, and which one is performed first on the data, because I've read about some protocols that perform hashing and others that perform encryption and am very confused by them. Thanks a lot for your reply and help; I appreciate your urgent reply. Thanks...]]></description>
<guid isPermaLink="false">.2cd4e9ce</guid>
<pubDate>Thu, 12 Nov 2009 09:08:23 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC and VmWare]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4c92d</link>
<description><![CDATA[Anyone run NAC in a VMware session? What are the settings for VMware?

]]></description>
<guid isPermaLink="false">.2cd4c92d</guid>
<pubDate>Thu, 12 Nov 2009 07:49:51 PST</pubDate>
</item>
<item>
<title><![CDATA[NAC 4.7 issue]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4eb24</link>
<description><![CDATA[Dear Sir,
If I upgrade NAC to version 4.7 from 4.1.3, do I need to regenerate the certificate for client to CAS from the Windows CA server?]]></description>
<guid isPermaLink="false">.2cd4eb24</guid>
<pubDate>Thu, 12 Nov 2009 07:40:28 PST</pubDate>
</item>

</channel>
</rss>
