Allowing AAA authorization on PIX/ASA
I managed to get authentication working easily enough, but now I'm finding it difficult to get authorization to work properly. I have auth/author enabled for my IOS devices, so any tech who connects gets rights based on what I give them in Secure ACS. However, I can't get the same thing to work on the PIX. I can log in fine with AAA, but it still prompts me for the enable password. The end result I want is to log in only once (and be enabled). Are there any white papers that can tell me the right way?
Hello
What you want to do is possible; try following the instructions in the attached PDF file.
If you also want to give ASDM access, then make sure that you give the user the privilege to execute all show commands, i.e. add the show command and check 'Permit Unmatched Args'.
Let me know.
Kind regards
Prem
Tags: Cisco Security
Similar Questions
-
PIX, ASA and RSA SecurID
Hi all
I replaced our old PIX 515 with a new ASA 5520.
On the PIX (running IOS 6.x) we had configured the PIX to use an RSA SecurID appliance as the AAA server to authenticate remote VPN clients. To do this, we set up an AAA group using the RADIUS protocol. Now, for the ASA, I found documentation indicating that I need to create an AAA group that uses the SDI protocol.
Now my questions are:
(1) Can I still use the RADIUS protocol on the ASA to authenticate with RSA SecurID, or do I have to use SDI?
(2) If I have to use SDI, does that mean I also have to change the configuration on my RSA appliance that I used to authenticate the PIX users?
Kind regards
Screech
Hi little Duke
(1) You can still use RADIUS.
(2) Yes, you would need to allow auth requests to come from the ASA.
Roman
-
Any reason AAA is limited to 16 server groups in the ASA?
I wonder why there is a limit on all Cisco ASA models when it comes to the number of AAA server groups, to only 16? I guess it shouldn't be that difficult to allow the ASA OS to support more AAA server groups and servers per device? Is this just for marketing reasons or what? :)
Oscar
An enhancement request has been filed to increase this value.
If you open a TAC case and ask that it be attached to the bug:
CSCsh23977 Capacity for more than 15 AAA server groups on the ASA
This will put more weight behind this enhancement and it is more likely to be processed quickly.
That should help with your problem.
-
Silverlight.Configuration.exe
When I click on Send before sending a message, I get a 'Silverlight.Configuration.exe' screen with an allow / do not allow prompt. I am also warned that it is outside my protection. Recently I started to receive emails from some people in my address book asking me to stop sending advertisements (which I did anyway).
What is happening, and is Silverlight involved? Do you have any idea?
Hello
- What mail client do you use?
- When was the last time it was working fine?
- What antivirus software do you use on your system?
- Did you make any recent changes to the hardware or software before the issue?
Method 1: A clean boot helps eliminate software conflicts. Visit the link to learn how to perform a clean boot: http://support.microsoft.com/kb/929135
Note: once the troubleshooting is complete, reset the computer to start as usual.
Method 2: Also uninstall and reinstall Silverlight and check if that helps:
http://www.Microsoft.com/getSilverlight/get-started/install/uninstall-win.aspx
-
User restrictions on PIX/ASA
On PIX/ASA, I created users with a privilege level; how can I restrict them depending on their privilege level?
For example, privilege level 10 users can't enter config mode.
Please advise.
Thank you
Knockaert
Hello
You must enable local command authorization to do so. See this link for the steps to enable local command authorization and configure it:
http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/mgaccess.html#wp1042039
-
PIX - ASA, allow RA VPN clients to access servers at remote sites
I have had L2L tunnels set up to a couple of remote sites (PIX) for several months now. We have a VPN concentrator which will go EOL soon, so I'm working on moving our existing RA clients to our ASA. I have a problem allowing RA clients access to a server at one of our remote sites. The relevant PIX and ASA (main site) config is shown below. The error I get on the remote PIX when I try a ping from the VPN client is:
Group = 204.14.*.*, IP = 204.14.*.*, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0
The config:
Main ASA config
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 24.97.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
=========================================
Remote PIX config
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 204.14.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
EDIT: I guess I should add that the remote site is 172.16.26.0/24 and the VPN VLAN is 172.16.200.0/24...
What you want to do is 'tunnelall', which is not split tunneling. This will still allow clients to reach the main and remote sites, but will not allow them to access the internet... unless you have expressly allowed it with a 'nat (outside)' or something. The route on the client will be: Secured route 0.0.0.0 0.0.0.0
group-policy <your-group-policy> attributes
 split-tunnel-policy tunnelall
In your current config, I don't see where the ACL is applied to the split tunnel?
-
I've implemented authentication and authorization on the PIX. Authentication works, but authorization is skipped. When I try to debug authorization, nothing appears (on the PIX or on ACS), but output does appear with debug authentication.
Make sure you have enable authentication:
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authorization command TACACS+ LOCAL
In case it does not work, please post your aaa config.
Kind regards
~ JG
Please rate helpful posts.
-
Allow Exchange (SMTP) server through ASA 8.2(5)
Please help me! Tomorrow I have to go to a customer site and configure the firewall to allow traffic from the server through it.
I am CCIE Routing & Switching certified, but I have not had enough hands-on time with the ASA.
Here is the running configuration of the firewall:
QLC-11-FW-1# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname QLC-11-FW-1
enable password 42Vosoeb.xpDtu0m encrypted
passwd 42Vosoeb.xpDtu0m encrypted
names
name 10.10.128.0 comments
name 10.10.129.0 Guest_Wirless
name 10.10.0.0 Internal_Networks
!
interface Ethernet0/0
 description connection to BB-1-Gi2/5
 nameif outside
 security-level 0
 ip address 10.10.102.254 255.255.255.0
!
interface Ethernet0/1
 description connection to BB-1-Gi2/3
 nameif inside
 security-level 100
 ip address 10.10.101.254 255.255.255.0
!
interface Ethernet0/2
 description connection to BB-1-Gi2/7
 nameif DMZ
 security-level 50
 ip address 10.10.103.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
object-group network Guest
 network-object comments 255.255.255.0
 network-object Guest_Wirless 255.255.255.0
object-group service Guest_services
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq domain
access-list splitTunnelAcl standard permit Internal_Networks 255.255.0.0
access-list outside_in extended permit icmp any any
access-list ips_traffic extended permit ip any any
access-list inside_access_in extended permit object-group Guest_services object-group Guest any
access-list inside_access_in extended deny ip object-group Guest any
access-list inside_access_in extended permit ip Internal_Networks 255.255.0.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool ra_users 10.10.104.10-10.10.104.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.102.250 1
route inside Internal_Networks 255.255.0.0 10.10.101.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http Internal_Networks 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set remote esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ra_dynamic 10 set transform-set remote
crypto map ra 10 ipsec-isakmp dynamic ra_dynamic
crypto map ra interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh Internal_Networks 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GP internal
group-policy GP attributes
 dns-server value 212.77.192.60
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
username admin password gXmhyPjHxCEshixG encrypted privilege 15
username ahmed password vDClM3sGVs2igaOA encrypted
tunnel-group GP type remote-access
tunnel-group GP general-attributes
 address-pool ra_users
 default-group-policy GP
tunnel-group GP ipsec-attributes
 pre-shared-key *
!
class-map ips_traffic_class
 match access-list ips_traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class ips_traffic_class
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:57e5e9b117c38869a93a645f88309571
: end
Thank you
I don't see any NAT configuration here, so I guess it's either a private WAN or you have an upstream router doing NAT? If no NAT is required on the ASA, then it should be as simple as:
access-list outside_in extended permit tcp any host <mail-server> eq smtp
-
I have a PIX with the following configuration:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.1 77777 timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.1 77777 timeout 10
aaa-server LOCAL protocol local
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+
aaa accounting match aaa_acl inside RADIUS
Everything works fine when the RADIUS server is available. When it is not available, I can log in with the username "pix" and the enable password. The problem is, once I'm logged in, I can't get authorization to execute commands. Does anyone know of a command similar to "if-authenticated" for routers that I can use?
There is no backup method for authorization on the PIX. As you know, if the RADIUS server is down, you can log in with "pix" and the enable password, but that doesn't help with authorization. The only thing you can do is wait for the TACACS+ server to come back up. I'm sorry.
-
AAA ACS RADIUS ASA administrative access
We have an ASA 8.2 on which we'd like to configure AAA for SSH access using ACS 5.5 running RADIUS.
We can get users to authenticate, but the ASA keeps the user in user EXEC instead of privileged EXEC.
Setup on the ASA:
aaa-server rad-group1 protocol radius
aaa-server rad-group1 (inside_pd) host rad-server-1
 key *
aaa-server rad-group1 (inside_pd) host rad-server-2
 key *
aaa authentication ssh console rad-group1 LOCAL
aaa authentication telnet console rad-group1 LOCAL
aaa authentication http console rad-group1 LOCAL
aaa authorization exec authentication-server
Have you tried pushing various combinations of these attributes from ACS:
CVPN3000/ASA/PIX7.x-Privilege-Level = 15
RADIUS-IETF Service-Type = Administrative (6)
cisco-av-pair = "shell:priv-lvl=15"
Hi Phil,
You are able to manage the privilege level assigned to a user with TACACS+; however, you are not able to go to that privilege level without enable authentication, unless you go to 9.1(5) code.
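The attributes listed in this thread travel inside a RADIUS Access-Accept. The following is an added example (not code from the thread, Cisco or ACS) that builds, in plain Python with no third-party library, the Access-Request an ASA would send for an SSH login, the Access-Accept a RADIUS server would return with Service-Type = Administrative(6) and the Cisco vendor-specific attribute cisco-av-pair "shell:priv-lvl=15", and the Response Authenticator check the client performs before trusting those attributes (RFC 2865 framing and User-Password hiding). The username and shared secret are constructed. Note that, as the reply above says, on this release the attribute alone does not land the user in privileged EXEC without enable authentication; the example shows what is on the wire, not ASA behaviour.

```python
"""RADIUS exchange behind 'aaa authentication ssh console <radius-group>' (added example).

Builds the Access-Request an ASA would send (RFC 2865 framing, User-Password
hidden with MD5(secret + authenticator)), the Access-Accept a RADIUS server such
as ACS would return carrying Service-Type = Administrative(6) and the Cisco VSA
cisco-av-pair "shell:priv-lvl=15", and the Response Authenticator check the
client performs before trusting those attributes. Username and secret are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def _attr(attr_type, value):
    """One TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) with vendor 9 and sub-attribute 1 (cisco-av-pair)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(blob, secret, authenticator):
    """Inverse of hide_password (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, identifier, request_auth=None):
    """Client side: random Request Authenticator, User-Name and hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(request, secret, priv_lvl=15):
    """Server side: the attributes the thread suggests pushing, sealed with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier, request_auth = request[1], request[4:20]
    attrs = _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    attrs += cisco_avpair(b"shell:priv-lvl=%d" % priv_lvl)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request_auth, secret):
    """Client side: recompute the Response Authenticator; a wrong secret or an altered attribute fails."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return expected == response[4:20]


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:  # malformed; stop rather than loop forever
            break
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def privilege_from_accept(response):
    """Pull Service-Type and shell:priv-lvl out of an Access-Accept."""
    result = {"service_type": None, "priv_lvl": None}
    for attr_type, value in parse_attributes(response):
        if attr_type == SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            text = value[6:4 + sub_len].decode()
            if sub_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                result["priv_lvl"] = int(text.split("=", 1)[1])
    return result


def demo():
    secret = b"constructed-shared-secret"  # constructed for the example, not from the page
    request = build_access_request(b"phil", b"Passw0rd!", secret, identifier=7)
    accept = build_access_accept(request, secret)
    if not verify_response(accept, request[4:20], secret):
        raise ValueError("Response Authenticator mismatch")
    return privilege_from_accept(accept)


if __name__ == "__main__":
    print(demo())  # {'service_type': 6, 'priv_lvl': 15}
```

Two things worth noticing when troubleshooting a setup like the one above: a shared-secret mismatch does not produce a parse error, it produces a Response Authenticator mismatch (the packet is silently dropped), and the priv-lvl is carried as a text AV pair inside VSA 26, so a server that emits it under the wrong vendor ID or with a stray space is simply ignored by the parser.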
-
AAA for PIX 7.2(2)
Hello
I'm having a problem on my newly upgraded PIX 7.2(2). It seems that my authentication does not work. It keeps authenticating using my local username, not my ACS. Here is my config:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.x.x.x key
aaa authentication enable console TACACS+ LOCAL
ACS config:
AAA client: added the PIX IP
AAA key: same as on the PIX
Please help me.
Thank you
Jong
The reason for the AAA authentication failure can be one of the following conditions:
(1) Authentication key mismatch
(2) User password mismatch
(3) Error in the configuration
Check that the keys are configured correctly on the device, and also the usernames and passwords.
For more information, please visit the following URL:
http://www.Cisco.com/en/us/docs/security/PIX/pix72/release/notes/pixrn722.html#wp201347
-
Hi guys,.
How do you enable SSH on PIX and ASA? I entered the following command, but it did not work. Someone told me before that you have to enter a couple of commands to activate SSH. Could someone help me please?
ssh 10.150.X.X 255.255.255.255 inside
Thanks
Hello Kuldeep,
First of all, the ASA/PIX needs to have a domain name already defined:
Something like:
domain-name yourdomain.com
You need to generate RSA keys for SSH to work:
crypto key generate rsa general-keys modulus 1024
(The bit length could be 512, 768, 1024 or 2048.)
The ASA will say that there is already an existing key; if you want to replace it, say yes.
Then do a wr mem and try to SSH to the device.
Of course, the commands you entered first are still needed after that.
Hope this helps...
DL.
-
AAA 'broken' between ASA 5505 and MS AD
I have my MS AD domain controller set up as the AAA server for VPN connections (SSL and client) on my ASA5505. It worked, however the connection between the two failed last week and I can't get it back up again.
I checked the password, usernames, object locations etc., but to no avail. When I do a test auth, this is the debug ldap 255 output:
[722] Session Start
[722] New request Session, context 0xd4e225c8, reqType = 1
[722] Fiber started
[722] Creating LDAP context with uri=ldap://w.x.y.z:389
[722] Connect to LDAP server: ldap://w.x.y.z:389, status = Successful
[722] supportedLDAPVersion: value = 3
[722] supportedLDAPVersion: value = 2
[722] Binding as administrator
[722] Performing Simple authentication for FirewallTest to w.x.y.z
[722] Simple authentication for FirewallTest returned code (49) Invalid credentials
[722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[722] Fiber exit Tx=253 bytes Rx=583 bytes, status=-2
[722] Session End
I tried the age-old 'remove and re-add' fix, but it did not work.
Any thoughts?
Have you checked that the user account used to bind to LDAP (AD) has not had its privileges changed? I remember that after applying a fix to an AD server, most of the admin accounts were changed to local admin rather than domain administrator accounts.
Also, try resetting the password for this account and check that you have the correct login-dn: get it with "dsquery user -name" and compare it to what is on your ASA.
-
What permits are required to allow IPsec on ASA 8.4?
In my lab, I successfully built an IPsec tunnel between two ASAs. There is a router in the middle to simulate the internet.
The tunnel only works when I have permitted ICMP echo.
Allowing ICMP 3.4 does not appear to matter.
I did not allow ESP or UDP 4500 and UDP 500 in the access list, only ICMP echo. Are they now allowed by default?
That contradicts what I've read in textbooks.
Can someone tell me what the default permissions are for v8.4 and above, and what I should leave in my ACL?
Thank you.
You're welcome.
You have to have a match on the crypto ACL to trigger the tunnel, ICMP or whatever, but not necessarily ICMP traffic. For example:
access-list VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
or
access-list VPN extended permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
or
access-list VPN extended permit icmp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Basically, any traffic matching the crypto ACL would establish the tunnel.
If it is still not clear, please post your crypto ACL for review.
Kind regards
Aref
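Two threads on this page come down to the same check: the "ACL does not match proxy IDs" error in the RA-VPN-to-remote-site thread above, and the question here about which traffic brings a tunnel up. The following is an added example (not code from either thread or from Cisco) in Python, using only the standard library, that parses the `access-list NAME extended permit ...` syntax used on this page, reports which entries of one peer's crypto ACL have no mirror image on the other peer, tells you which ACE a given packet would hit (the "interesting traffic" the reply describes), and interprets a proxy-ID message against the responder's own ACL. The sample configs and the log line are constructed from the networks in the thread, with the RA-pool entry deliberately left off the remote side so that the checks have something to find.

```python
"""Crypto-ACL sanity checks for ASA/PIX L2L tunnels (added example, not from the threads).

Handles only the ACE syntax seen on this page: 'access-list NAME extended permit|deny
PROTO SRC DST [eq PORT]' where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
"""
import ipaddress
import re


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Return a dict for an extended ACE, or None for any other config line."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
    return {"name": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port}


def crypto_acl(config, name):
    """All permit ACEs of the named ACL, in config order."""
    aces = (parse_ace(line) for line in config.splitlines())
    return [a for a in aces if a and a["name"] == name and a["action"] == "permit"]


def unmirrored(local, remote):
    """Local permits (proto, src, dst) whose reverse (proto, dst, src) is absent on the remote peer."""
    remote_keys = {(a["proto"], a["src"], a["dst"]) for a in remote}
    return [a for a in local if (a["proto"], a["dst"], a["src"]) not in remote_keys]


def triggering_ace(acl, proto, src_ip, dst_ip, dport=None):
    """First ACE a packet matches, i.e. the interesting traffic that brings the tunnel up; None otherwise.
    'ip' ACEs match every protocol; a port is compared only when the ACE has 'eq PORT'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in acl:
        if s not in a["src"] or d not in a["dst"]:
            continue
        if a["proto"] not in ("ip", proto):
            continue
        if a["port"] is not None and a["port"] != str(dport):
            continue
        return a
    return None


PROXY_RE = re.compile(r"ACL does not match proxy IDs src:\s*(\S+)\s+dst:\s*(\S+)")


def diagnose_proxy_ids(log_line, local_acl):
    """Interpret the responder-side message against the responder's own crypto ACL.

    The peer proposes src = its local network and dst = ours, so a correct mirror is a
    local ACE whose source contains the dst-ID and whose destination contains the src-ID.
    The log carries no masks, so 'covered' means the addresses fall inside an ACE; the
    masks must also be identical on both ends for the proxy IDs to match exactly.
    """
    m = PROXY_RE.search(log_line)
    if not m:
        return "no proxy-ID message found"
    peer_src, peer_dst = (ipaddress.ip_address(x) for x in m.groups())
    if any(peer_dst in a["src"] and peer_src in a["dst"] for a in local_acl):
        return "covered"
    if any(peer_src in a["src"] and peer_dst in a["dst"] for a in local_acl):
        return "reversed"
    return "missing"


# Constructed from the networks in the thread: the main site includes the RA pool
# 172.16.200.0/24; the remote side here deliberately lacks the mirror of that entry.
MAIN_ASA = """
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
"""
REMOTE_PIX = """
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
"""
LOG_LINE = ("Static Crypto Map check, map = outside_map, seq = 60, "
            "ACL does not match proxy IDs src:172.16.200.0 dst: 172.16.26.0")  # constructed


def demo():
    main = crypto_acl(MAIN_ASA, "outside_cryptomap_60")
    remote = crypto_acl(REMOTE_PIX, "outside_cryptomap_60")
    return {
        "missing_on_remote": [f"{a['src']} -> {a['dst']}" for a in unmirrored(main, remote)],
        "ra_ping_interesting_on_main": triggering_ace(main, "icmp", "172.16.200.5", "172.16.26.10") is not None,
        "diagnosis": diagnose_proxy_ids(LOG_LINE, remote),
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real pair of configs by pasting each side's `show run access-list` output into the two strings and the responder's syslog line into LOG_LINE; `unmirrored` in both directions gives the full list of one-sided entries, and a `reversed` diagnosis means the ACE exists but with source and destination swapped, which is the usual copy-paste mistake between peers.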
-
Remove the aaa-server configuration on PIX
I have a PIX 515 running Cisco version 6.x and I configured RADIUS authentication for VPN client connections. The RADIUS server is Windows 2003 and I have the following commands:
aaa-server test protocol radius
aaa-server test (inside) host x.x.x.x1 password timeout 10
The VPN works great; now I want to change the RADIUS server, so I want to delete the command and add the new one, but I get errors:
When I give
clear aaa-server test, I get an error message:
You must remove all corresponding AAA entries before
removing the last server in the test group
When I give
no aaa-server test (inside) host x.x.x.x1 password timeout 10, I get:
You must remove all corresponding AAA entries before
removing the last server in the test group
When I give
no aaa-server test protocol radius, I get:
AAA servers configured! Cannot delete server_tag.
I'm in a loop. Can someone advise me how to remove the aaa-server tag test from the firewall?
Thanks in advance
You are probably still referencing it somewhere in the VPN settings.
For example:
crypto map mymap client authentication TEST
You must remove this first.