Configuration of RADIUS and accounting AAA + PIX-515E

Dear All;

I want to put the accounting of PIX.

Here is the composition of the equipment.

ACS SE: 4.1.1.23.5

PIX 515E: 7.0 (6)

PIX of setting is as follows.

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + host xx.xx.xx.xx

key xxxxx

order of accounting AAA GANYMEDE +.

Console telnet accounting AAA GANYMEDE +.

Thus, the configuration setting was written in ACS.

But the user name is enable_15. (attached 1.jpg)

Is it a restriction?

Kind regards

Reiji

Hi Marilou,

Looks like we have the authority to command configured on the pix. You must enable authentication configured on the RADIUS server then only we would get username is accounting, unlike pix Device IOS doesn't send user name to the RADIUS server, he would send enable_15 as username for all users.

Configure the following command to make it work.

AAA authentication enable console LOCAL + Ganymede

HTH

-Philou

Tags: Cisco Security

Similar Questions

Using PIX 515E configuration require

Dear all,

Hi.Actually I need help for PIX 515E.Pls. check out the scenario, design & suggest?

Pls. find the details following and configuration of VLAN attached router.

# I want to put as

«Spend my LAN on CISCO 2900 (range 172.16.29.X IP...» (25 PCs) - VLAN router - CISCO PIX - ISP public IP.

# Now it's

"My LAN on CISCO 2900 - VLAN (external) router - ISP.

Details of router & PIX:

#Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

#PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

#PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

#I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

VLAN router Config:

Current configuration: 1028 bytes

!

version 12.3

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname VLANRouter

!

boot-start-marker

boot-end-marker

!

activate the gcsroot password

!

No aaa new-model

IP subnet zero

!

!

no record of conflict ip dhcp

DHCP excluded-address IP 172.16.29.1 172.16.29.240

DHCP excluded-address IP 172.16.29.250 172.16.29.254

!

IP dhcp pool dhcppool

network 172.16.29.0 255.255.255.0

DNS-server 208.144.230.1 208.144.230.2

router by default - 172.16.29.1

!

!

!

!

controller E1 0/0

!

controller E1 0/1

!

!

interface FastEthernet0/0

IP 208.144.230.197 255.255.255.224

NAT outside IP

automatic duplex

automatic speed

!

interface FastEthernet0/1

IP 172.16.29.1 255.255.255.0

IP nat inside

automatic duplex

automatic speed

!

IP nat inside source list 7 interface FastEthernet0/0 overload

IP http server

IP classless

IP route 0.0.0.0 0.0.0.0 208.144.230.200

!

!

access-list 7 permit 172.16.29.0 0.0.0.255

!

Line con 0

line to 0

line vty 0 4

opening of session

!

!

!

end

All advice is appreciated.

Kind regards

Hiren s Mehta.

ORG Informatics Ltd.

Bamako, MALI

AFRICA

Hi hiren,.

See the answers below:

#Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

When you upgrade the PIX router inbetween and your switch, you must put the PIX inside IP like 172.16.29.1 and change the router within the subnet to someother pool. Do the PAT on the PIX, rather than the router.

Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

Router outside the property intellectual property will be that given by the ISP... The ISP would have given a public IP address for the WAN link. This cannot be changed.

#PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

PIX outside IP must be comprehensive. ISP would have given you a LAN subnet. Use it. In this case, inside the interface of the router has an IP address from that subnet even...

#PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

PIX inside must be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then the PC should have an IP address on the same subnet that has decided.

Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

didn't get it... is that on the internet router or switch?

#I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

If all these must be permitted from inside to outside, you have not open anything... by default, all traffic to the inside outside is allowed (except if you put a list of access denied)...

PIX 515E and remote access VPN

I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

Any help is appreciated,

Hello

Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

PIX 515E configuration problems

I have a UR PIX 515 (6.3.2 os) that works really well, so I copy the configuration on my new PIX 515E-R (os 6.3.2). The PIX 2 have exactly the same configuration. But when I use the PIX 515E-R, I have some problems with the PIX 515E r only

-I can't access the Internet, but I can ping the router Internet of my PIX 515E. The problem, in my view, must be with the Internet router, not on my external interface.

-J' have a similar problem with my DMZ. I can ping to the DMZ, a frame relay router interface, but I can't pass this router.

Is it possible that PIX 515E-R is not compatible with the router? and not the PIX 515 HEART?

Thanks for your replies.

Hello

Just a thought, try clearing the PRA of table on the router and see what happens. Let me know if it helps.

Jay

IPSEC VPN between Pix 515E and 1841 router

Hi all

BACKGROUND

We have implemented a site to site VPN IPSEC between a Pix 515E 8.0 operation (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and the ASDM the pix to build initial tunnels. Now the site with the router is evolving into a dynamic IP address from the ISP so we have implemented dynamic DNS to update dynamic IP address.

PROBLEM

The problem is that ASDM will not allow us to set a domain as the address of peers, it will not accept an IP address. We believe that the solution will be to remove the static Crypto map and replace it with a dynamic Crypto map on the side of Pix. Our questions are simply; is this the best solution? can change us the original static list or is it better to delete and make a new dynamic encryption card? Y at - it a shortcut to change the config command-line? This is a real network, so just check it out before make us any changes on the live kit.

Any help much appreciated.

You don't have to change anything when the peer-address changes. The dynamic crypto map aims to take dynamic peer connections. The only thing to remember, is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared key that now you can use a generic-PSK character.

As I remember, the PIX / ASA does not support the dynamic use of FQDNs for peer-resolution. This feature is supported in IOS.

For a feature, it would be preferable to static IP addresses on both sides.

PIX 515E - VPN connections

Hello

I have pix 515E and I configured a VPN on it. My users connect to my network from the internet via the Cisco VPN client.

I have problem, only their LAN machine can do VPN from Cisco VPN client to my network at once.

Users are connected to the internet via an ADSL router and the LAN switch.

--------------------------------------------------

PIX Config:

6.3 (4) version PIX

interface ethernet0 car

Auto interface ethernet1

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

enable encrypted password xxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxx encrypted passwd

hostname ABCDEFGH

ABCD.com domain name

clock timezone IS - 5

clock to summer time EDT recurring

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

inside_out to the list of allowed access nat0_acl ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

list of allowed shared access ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

Outside 1500 MTU

Within 1500 MTU

IP address outside xxx.xxx.xxx.xxx 255.255.255.0

IP address inside 192.168.1.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

IP local pool vpnpool 192.168.2.1 - 192.168.2.254

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global interface 10 (external)

NAT (inside) 0-list of access inside_out-nat0_acl

NAT (inside) 10 0.0.0.0 0.0.0.0 0 0

Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server RADIUS (inside) host ABCDE timeout 10

AAA-server local LOCAL Protocol

RADIUS protocol radius AAA-server

Radius max-failed-attempts 3 AAA-server

AAA-radius deadtime 10 Server

RADIUS protocol AAA-server partnerauth

AAA-server partnerauth max-failed-attempts 3

AAA-server deadtime 10 partnerauth

partnerauth AAA-server (host ABCDEFG myvpn1 timeout 10 Interior)

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-3DES-MD5 value

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

card crypto client outside_map of authentication partnerauth

outside_map interface card crypto outside

ISAKMP allows outside

ISAKMP key * address 0.0.0.0 netmask 0.0.0.0

ISAKMP identity address

part of pre authentication ISAKMP policy 8

ISAKMP strategy 8 3des encryption

ISAKMP strategy 8 md5 hash

8 2 ISAKMP policy group

ISAKMP life duration strategy 8 the 86400

part of pre authentication ISAKMP policy 10

ISAKMP policy 10 3des encryption

ISAKMP policy 10 sha hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

vpngroup myvpn address vpnpool pool

vpngroup myvpn ABCDE dns server

vpngroup myvpn by default-field ABCD.com

splitting myvpn vpngroup split tunnel

vpngroup idle 1800 myvpn-time

vpngroup myvpn password *.

Telnet 192.168.1.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd address 192.168.1.200 - 192.168.1.254 inside

dhcpd dns ABCDE

dhcpd lease 3600

dhcpd ping_timeout 750

field of dhcpd ABCD.com

dhcpd outside auto_config

dhcpd allow inside

Terminal width 80

--------------------------------------------------

Thanks in advance.

-Amit

Try to add the "isakmp nat-traversal" command to your PIX. I suspect what happens is that Remote LAN users is translated to a single IP address as they pass through the DSL connection. I also assume that the machine doing the translation has a capacity of IPSec passthrough. Linksys routers would be a good example of this type of NAT device that allows IPSec pull-out.

If that's the case, that a single VPN connection will be able to operate both. The above command will turn PIX detect clients that are located behind a NAT device, and then try to configure the VPN sessions in UDP packets and so to work around the limitation of NAT and IPSec passthrough device.

PIX 515E config help

I am a new user and I'm trying to configure a PIX 515e Ver 6.3 (3). How can I give my users inside access to my webfarm located on dmz1. I am able to access the test sites inside and outside dzm1. I can't access the Web inside dmz1 sites. Here is my current config:

6.3 (3) version PIX

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

Automatic stop of interface ethernet3

Automatic stop of interface ethernet4

Automatic stop of interface ethernet5

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif ethernet2 dmz1 security50

nameif ethernet3 intf3 securite6

nameif ethernet4 intf4 security8

ethernet5 intf5 security10 nameif

enable password xxxx

passwd xxxx

hostname pix1

apprendrefacile.com domain name

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

aetest name 10.10.10.1

name 10.10.10.2 aetest1

name 13.13.13.3 aetestdmz

name 13.13.13.4 aetestdmz1

access-list from-out-to allow tcp any any eq www

pager lines 24

opening of session

debug logging in buffered memory

Outside 1500 MTU

Within 1500 MTU

dmz1 MTU 1500

intf3 MTU 1500

intf4 MTU 1500

intf5 MTU 1500

IP address outside the 12.x.x.x.255.255.0

IP address inside 10.10.10.2 255.255.255.0

IP address dmz1 13.x.x.x.255.255.0

No intf3 ip address

No intf4 ip address

No intf5 ip address

alarm action IP verification of information

alarm action attack IP audit

no failover

failover timeout 0:00:00

failover poll 15

No IP failover outdoors

No IP failover inside

no failover ip address dmz1

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

history of PDM activate

ARP timeout 14400

public static 12.12.12.15 (inside, outside) aetest netmask 255.255.255.255 0 0

public static 12.12.12.16 (inside, outside) aetest1 netmask 255.255.255.255 0 0

(dmz1, external) 12.12.12.17 static aetestdmz netmask 255.255.255.255 0 0

(dmz1, external) 12.12.12.18 static aetestdmz1 netmask 255.255.255.255 0 0

Access-group from-out-to external interface

Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

Enable http server

http 10.10.10.207 255.255.255.255 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Telnet 10.10.10.0 255.255.255.0 inside

Telnet timeout 20

SSH timeout 5

Console timeout 0

Terminal width 80

Cryptochecksum:XXXXX

: end

Thank you... Jay

with pix v6.x, nat/global or static is a must do before the pix will start to transfer packets between two interfaces.

the current static instructions do not cover the translation between the inside and the dmz. as the traffic between pix inside the net and dmz is private, I suggest you to set up no. - nat between the two.

for example

static (inside, dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

clear xlate

in the above example, pix inside the host must be able to access the dmz Server pointing to the private ip address of dmz Web server.

If you prefer the pix inside the host to access the dmz by name server, then "alias" command should be applied.

for example

alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255

the need for the command "alias" is due to the fact that when pix inside the host tries to access the server dmz by name, the public dns will point to the public IP address of the dmz Web server. now, as the static electricity created for the dmz Web server is directional i.e. public ip will be accessible from the outside, not the pix inside the net. so the 'alias' command will allow the PIX to manipulate the dns response and point the name to the private ip of Web server dmz for the pix inside the host.

Cisco VPN Client Authentication - PIX 515E-UR

Hi all

I need your expert help on the following issues I have:

1. I would like to create more than 1 client VPN on my PIX-515E groups. This is so that I can give a different part of the internal network access to different type of VPN connection. For example, I want a group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enable RADIUS on both groups of VPN clients.

2. the RADIUS server is a Microsoft ISA with IAS server and it is located on the PIX inside interface. The VPN endpoint is external interface of the PIX. Is there a problem with this Setup? Do I need to have the RADIUS server that is located on the external interface?

3 can. what command I use to debug RADIUS authentication?

Thanks in advance for your help.

Hi vincent,.

(1) you can use the vpngroup *-authentication server ipaddress to specify the IP address of the Radius Server on a particular group... If you do not specify this, the authentication of the user is made locally... also check for vpngroup * order of user authentication

(2) there should be no problem with the installation of your... should work fine... If the RADIUS is outdoors, it is subject to many attacks... so have it inside...

(3) use the "RADIUS session debug" or "debug aaa authentication..."

I hope this helps... all the best... the rate of responses if found useful

REDA

ACS - ASA authorization and accounting

Hello

I have a few questions about the authorization and accounting on the ASA via an ACS server
1. When I activate the command 'aaa authorization command' users of SSH commands I get locked on console then I have to configure the console, telnet and allow to be authenticated via Ganymede too, is it possible to allow SSH via Ganymede while keeping the Console and telnet authenticated locally or not even no authentication?
2. I visited command 'aaa accounting TAC' accountant on ASA, but I noticed that GBA records just mod configuration commands ' focus on in 15 "not show all command or privilege 1, is possible to fix this?"»
3. RADIUS supports authorized SHELL?
Thank you for your support

1.] Unfortunately, it is currently not possible to exclude the command authorization serial number / console or ssh to users while having it apply to other methods of access in the case of ASA. Once you run this command, it would be applicable to all methods such as ssh, telnet, http, enable and console. This can be easily achieved by IOS (routers and switches) by creating a list of method.

2.] when configuring the aaa accounting command , each other than display command command commands entered by an administrator is recorded and sent to accounts or servers. This is a default behavior on the SAA. IOS send/check orders show on ACS/Ganymede.

http://www.Cisco.com/en/us/docs/security/ASA/asa81/command/ref/A1.html

Kind regards

Jousset

The rate of useful messages-

Can I use an ACS as RADIUS and GANYMEDE to the same ASA Server?

I want to GANYMEDE to make the accounting of the SAA, meanwhile, the ASA need RADIUS for authentication ssl vpn. Is it possible to reach this object with only a CSA?

Yes, you can use both. Allows you to add ASA as radius and Ganymede.

ACS-->---> aaa-client network configuration

(1) ASA---> 1.1.1.1---> authentic using Ganymede

(2) ASA1---> 1.1.1.1---> optout by radius

Don't forget the host name cannot be the same.

Kind regards

~ JG

Note the useful messages

4240 IPS blocking queries with Pix 515E

I have activated the lock on the 4240 and put locking as our Pix 515E. When I look at the Configurations of Signature quite a few Signature Actions are set to alert only produce. If blocking is enabled you also go and the Actions of signing the Deny value or TCP Reset? So far my attackers show dosen't IPS refused and he detected the high level of traffic which I assume must now be blocked. Thanks John

Yes, go under the signatures that you want and enable blocking for them as an action. Globally blocking configuration (setting the blocking device, the interface, the connection of the device information, etc.), does not actually blocked on the sensor itself, we must still go and activate the blocking of this particular signature. When this particular GIS fires in the future, the sensor it will block on the device that you configured.

Be very careful with blocking, the reason that we're not blocking simply all the signatures, it is that it would be very dangerous to blindly add access lists to a device that will stop traffic. You must first make sure that you don't get any number of false positives on the signatures and end up blocking valid traffic. In addition, on a busy sensor you could easily overrun detector and locking to writing and deleting 1000's of top access lists. And finally, although probably not, blocking can even be used as an attack denial of service, where an attacker, if they know what signatures you block, can usurp packages past your sensor so that it denies traffic to our legitimate guests.

You have to look at what signatures you really want to block, and then enable blocking on them individually.

Accounting on PIX

Hello

Guyz, I'm implementing ONLY Accountants on PIX. The main puprose is only to enter orders/changes on pix by our users. But I am unable to find any sort of configuration that do. I tried to capture Telnet on the local interface, but it never works for PIX commands logging. Any body can help here?

Accounting of order are entered in the PIX in the v7.0 recently released, so if you do not run that so forget trying to find anywhere.

After the upgrade to v7.0 see the following link:

http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_70/cref_txt/AB.htm#wp1329971

For the record, software v7.0 is available here (be sure to read and understand the upgrade guide before proceeding with the upgrade):

http://www.Cisco.com/cgi-bin/tablebuild.pl/PIX

PIX 515E failover

I have a pair of PIX 515E (6.3) running in failover mode. They are currently connected to a single chassis base. We are upgrading our network with the heart, dual 6500's. Is there a way to connect each PIX to a separate kernel (1 PIX - Core1, PIX 2 - Core2) to allow a failure of the base?

Core 1 and Core 2 will have a L2 link between them. If the current active PIX is connected to Core1 and Core 1 dies, this would not lead to support PIX failover. All LAN traffic would go through Core 2, but since he does not have an active path to the active PIX 1, traffic would drop. My reasoning is correct?

Is there a way to connect the PIX to two cores running V6.3?

Hello

If you use the cable-based failover, you can change the basis of LAN failover.

Read http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1024836

I hope this helps.

Best regards.

Massimiliano.

Cisco VPN Client behind PIX 515E,-> VPN concentrator

I'm trying to configure a client as follows:

The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

RADIUS and Ganymede + running simultaneously?

I have a Secure ACS 5.3.40 running GANYMEDE + and I need to also run 802.1 x radius to meet DISA requirements, I've been working on it for a week. I am unable to get the characteristics of work, all AD connections are already there for GANYMEDE + and so I'm not sure how config, Ray can someone help with the procedures.

Hello

in the configuration of the aaa you must specify the two authentication 802. 1 x that points to the RADIUS and peripheral administration of Ganymede.

Configuration of the network device ACS apply both radius and Ganymede keys.

There will be no conflict for the same as the two have different sets of commands.

Thank you

Please rate if useful...

Configuration of RADIUS and accounting AAA + PIX-515E

Similar Questions

Maybe you are looking for