CSA on servers in the DMZ

Hello

I'll install the CSA agent on servers in the DMZ. Since there is no access to the Management Center from the DMZ (access from the DMZ to the internal network is not permitted; only the MC (internal) can access the servers), I know that CSA can record events on the computer, but will the MC be able to get them back?

Except for a poll hint, the MC does not initiate the connection for agent policy updates and event download. Agents are configured with a polling interval (default 10 minutes); the Agent makes the connection to the MC on port 5401, and if that is not available it tries 443.

For your Agents to work correctly with the MC, your DMZ must allow your DMZ servers to connect to your internal MC on port 5401 or 443 (I prefer 443).

Just add an ACL on your firewall so that the DMZ servers can connect only to this MC server. Then you can create a network access control rule so that only the Cisco Security Agent can access the IP address of the MC on port 443.

In this way, even if an attacker has bypassed all the other CSA rules and used the DMZ server as a stepping stone for further attack, they must kill the agent first before they could get to the MC. And if that wasn't enough, you can create a data access control rule for the Agent installed on the MC itself, which will send you an email if the root of the https:// site is accessed.

Tags: Cisco Security

Similar Questions

  • To access the servers in the DMZ

    People:

    I have a PIX 515E and I need to access a SQL Server that is inside the network... I don't know if I should activate NAT on the DMZ to be able to 'see' the servers inside...

    I tried a

    > static (dmz,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

    to let the DMZ servers be accessed from within the network without translation... but I can't create a static from a lower-security to a higher-security interface...

    I wonder if anyone has the same configuration problem?

    Should I try to activate NAT on the DMZ as well?

    This is my current setup!

    Thank you very much!

    Luis

    -------------------------------------------

    PIX Version 6.1(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security10
    access-list 100 permit tcp any host 200.200.200.37 eq smtp
    access-list 100 permit tcp any host 200.200.200.37 eq pop3
    access-list 100 permit tcp any host 200.200.200.37 eq domain
    access-list 100 permit udp any host 200.200.200.37 eq domain
    access-list 100 permit tcp any host 200.200.200.35 eq www
    access-list 100 permit tcp any host 200.200.200.35 eq 443
    access-list 100 permit tcp any host 200.200.200.36 eq www
    access-list 100 permit tcp any host 200.200.200.36 eq 443
    access-list 100 permit icmp any any
    access-list 100 permit tcp any host 200.200.200.35 eq ftp
    access-list 100 permit tcp any host 200.200.200.36 eq ftp
    access-list 100 permit tcp any host 200.200.200.36 eq 3389
    access-list 100 permit tcp any host 200.200.200.35 eq 3389
    access-list 100 permit tcp any host 200.200.200.36 eq domain
    access-list 100 permit udp any host 200.200.200.36 eq domain
    access-list 100 permit tcp any host 200.200.200.38 eq www
    access-list 100 permit tcp any host 200.200.200.38 eq 443
    access-list 100 permit tcp any host 200.200.200.38 eq 3389
    access-list 100 permit tcp any host 200.200.200.37 eq www
    access-list 100 permit tcp any host 200.200.200.38 eq 1547
    access-list 100 permit tcp any host 200.200.200.39 eq 3389
    access-list 100 permit tcp any host 200.200.200.39 eq ftp
    access-list 100 permit tcp any host 200.200.200.39 eq 1433
    ip address outside 200.200.200.34 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    ip address dmz 192.168.2.1 255.255.255.0
    global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
    global (outside) 1 200.200.200.62 netmask 255.255.255.224
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    alias (inside) 192.168.1.2 200.200.200.38 255.255.255.255
    alias (inside) 200.200.200.36 192.168.2.11 255.255.255.255
    alias (inside) 200.200.200.35 192.168.2.10 255.255.255.255
    alias (inside) 200.200.200.37 192.168.2.12 255.255.255.255
    static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
    static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
    static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
    static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    static (dmz,outside) 200.200.200.37 192.168.2.12 netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 200.200.200.33 1

    Did you apply an access list to allow traffic from the dmz to the inside interface?

    Also, try to be specific about the server you are trying to provide access to:

    static (inside,dmz) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 (where both xx.xx.xx.xx are the address of your SQL server)

    Then add the following access list:

    access-list 101 permit tcp any host xx.xx.xx.xx eq 1433 (again, xx.xx.xx.xx is the SQL server)

    access-group 101 in interface dmz

    (For testing, you can initially have the access list permit all traffic instead of just SQL, then tighten it up once you are sure the static command works.)

    Hope that helps. Allowing traffic from a lower-security interface to a higher-security interface is done with static and ACL (or conduit) commands, so you seem to be on the right track.

    ~ rls

  • PIX: Allowing servers in the DMZ access inside Server

    Hello

    I'm building a PIX 520 from scratch using 6.2(2) and PDM 2.1(1). I have 3 interfaces:

    outside (sec0) - xx.xx.xx.xx

    inside (sec100) - 10.100.1.0/24

    DMZ (sec10) - 172.16.254.0/24

    All was well until I started the task of allowing the DMZ hosts access to internal hosts. I'm having problems as soon as I create an access rule, for example:

    access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

    Problem 1:

    PDM alerts that there must be a static translation for 10.100.1.35 between the inside network and the DMZ. I would like the 172.16.254.20 server to access the 10.100.1.35 server using its real address of 10.100.1.35. Can I just give these commands:

    static (inside,dmz) 10.100.1.0 10.100.1.0 netmask 255.255.255.0 0 0

    access-list dmz_inbound_nat0_acl permit ip any 10.100.1.0 255.255.255.0

    nat (dmz) 0 access-list dmz_inbound_nat0_acl outside

    and then:

    access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

    access-group dmz_access_in in interface dmz

    ...will this work without problems?

    Problem 2:

    The implicit rule for outbound traffic from the DMZ is broken - why? I need the DMZ servers to be able to access the internet without any trouble.

    When I try and insert another rule to this effect, the following is inserted in the PIX config:

    access-list dmz_access_in permit ip 172.16.254.0 255.255.255.0 any

    This command now allows any DMZ server to access all devices on my internal network! How can I solve this?

    I hope someone can help... Thanks in advance,

    Tariq.

    For problem 1, you don't need the nat 0 statement and corresponding access list. The static alone is sufficient.

    Problem 2: since you apply an access list to the DMZ interface, you must expand it to include Internet access as well. If this is what you need, I would try something like this:

    access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

    access-list dmz_access_in permit tcp host 172.16.254.30 host 10.100.1.35 eq ldap

    ...

    ...

    etc. to allow the required access to the inside.

    access-list dmz_access_in deny ip any 10.0.0.0 255.0.0.0

    access-list dmz_access_in permit ip any any

    Of course, you'll want to adjust this as required.
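    As an added example (not code from any of these posts), the following Python checker applies the rule that both PIX threads above arrive at: a flow from a lower-security interface to a higher-security one needs both a static translation and an access-list permit bound to the inbound interface, and an explicit deny for the inside range ahead of `permit ip any any` gives the DMZ Internet access without exposing the inside. The config it parses is constructed in the style of Tariq's (addresses made up); only the command forms seen in these threads are understood.

```python
# Added example, not from the posts: a checker for PIX 6.x-style configs that
# applies the rule both PIX threads arrive at: a flow from a lower-security
# interface to a higher one needs BOTH a static translation AND an access-list
# permit bound to the inbound interface. Sample config below is constructed.
import re
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "https": 443, "ldap": 389, "domain": 53, "ftp": 21, "smtp": 25}

SAMPLE_CONFIG = """nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
static (inside, dmz) 10.100.1.0 10.100.1.0 netmask 255.255.255.0 0 0
access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap
access-list dmz_access_in deny ip any 10.0.0.0 255.0.0.0
access-list dmz_access_in permit ip any any
access-group dmz_access_in in interface dmz
"""

def _addr(t):
    """Consume one address spec (any | host A | A MASK) from token list t."""
    if t[0] == "any":
        return ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ip_network(t[1]), t[2:]
    return ip_network((t[0], t[1]), strict=False), t[2:]

def parse_config(text):
    levels, statics, acls, groups = {}, [], {}, {}
    for line in text.splitlines():
        t = re.sub(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", r"\1,\2", line).split()  # "(a, b)" -> "a,b"
        if not t:
            continue
        if t[0] == "nameif":            # nameif <hw> <name> security<N>
            levels[t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":          # static (real_if,mapped_if) MAPPED REAL netmask M
            real_if, mapped_if = t[1].split(",")
            statics.append((real_if, mapped_if, ip_network((t[2], t[5]), strict=False)))
        elif t[0] == "access-list":     # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append((t[2] == "permit", t[3], src, dst, port))
        elif t[0] == "access-group":    # access-group NAME in interface IF
            groups[t[4]] = t[1]
    return levels, statics, acls, groups

def flow_allowed(cfg, src_if, src_ip, dst_if, dst_ip, proto, port):
    """Return (allowed, reason) for one flow entering src_if and bound for dst_if."""
    levels, statics, acls, groups = cfg
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if levels[src_if] < levels[dst_if]:  # low -> high: destination needs a static on src_if
        if not any(r == dst_if and m == src_if and dst in net for r, m, net in statics):
            return False, "no static translation for %s on %s" % (dst_ip, src_if)
    if src_if not in groups:  # no ACL bound: PIX default is high->low permit, low->high deny
        return levels[src_if] > levels[dst_if], "no access-group on %s" % src_if
    for permit, aproto, asrc, adst, aport in acls[groups[src_if]]:
        if aproto in ("ip", proto) and src in asrc and dst in adst and aport in (None, port):
            return permit, "matched %s %s" % ("permit" if permit else "deny", aproto)
    return False, "implicit deny at end of %s" % groups[src_if]

def check_sample():
    """The three cases the threads discuss, evaluated against the constructed config."""
    cfg = parse_config(SAMPLE_CONFIG)
    return {
        "ldap_to_inside": flow_allowed(cfg, "dmz", "172.16.254.20", "inside", "10.100.1.35", "tcp", 389)[0],
        "other_inside_host": flow_allowed(cfg, "dmz", "172.16.254.20", "inside", "10.100.1.36", "tcp", 389)[0],
        "web_to_internet": flow_allowed(cfg, "dmz", "172.16.254.20", "outside", "203.0.113.5", "tcp", 80)[0],
    }
```

Feed it your own running config to see which DMZ-to-inside flows are actually reachable, and why a flow fails (missing static versus ACL deny).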

  • Installation of the SCOM Agent on servers in the DMZ

    Dear,

    Can you please help me with the exact steps to install the SCOM Agent on a DMZ (no trusted domain) server to monitor it, and is it possible to test it beforehand on any Windows 7 PC?

    Thanks in advance

    This issue is beyond the scope of this site (for consumers). To be sure you get the best (and fastest) reply, you should ask either on TechNet (for IT Pros) or MSDN (for developers).

    If you give us a link to the new thread we can point some resources to it.

  • Out-of-Band management on the servers in the DMZ

    Hi, I have four PC7048s in my DMZ: an external-facing one, an internal-facing one and 2 separate DMZ ones. Everything is good. All working.

    Since they are in the DMZ I want them to route only between themselves, so I switched off HTTP, HTTPS, Telnet and SSH management so that they cannot be managed remotely from the DMZ subnets.

    I then plugged the OOB interfaces into my internal management switch and VLANed them accordingly. Very well, now I can ping my OOB interfaces on all four. But I can't manage them because I have disabled SSH, HTTPS, HTTP and Telnet.

    If I enable them (just SSH and HTTPS) I am now able to manage the DMZ switches on the DMZ subnet IPs.

    I thought the point of OOB was so this does not happen and there is isolation? If I have to enable HTTPS and SSH globally, then they are not really well isolated (I understand that OOB traffic cannot talk to in-band, etc.; it is the fact that I turn on a global configuration for a remote OOB service).

    Am I missing something?

    Thank you

    Your results are correct. To lock down management further I suggest looking at implementing ACLs. With ACLs you can permit/deny access to the various management services.

    Page 1471 of the user guide goes over these commands.

    FTP.Dell.com/.../PowerConnect-7048r_Reference%20Guide_en-US.pdf

    Thank you

  • second Web server on the DMZ not visible outside

    Using a PIX 515e

    I have several Web servers in the DMZ; the first web server and the mail server are set up with port mapping to the PIX outside interface IP address.

    The second and third Web servers (inside interface) are configured with static mappings and access lists.

    I can see the first web server and the mail server very well, but I cannot see the second or third servers.

    What have I done wrong?

    I suggest you analyse traffic with the PIX 'capture' command and sniff traffic on the DMZ and outside interfaces.

    Check whether packets arrive at the outside interface, whether they reach the web server, and whether it sends a response.

    Example:

    access-list 120 permit ip any host 207.236.60.35

    capture vpncap access-list 120 interface outside

    show capture vpncap access-list 120 detail

    or

    https://PIX-IP-address/capture/vpncap[/pcap]

    To remove the capture:

    no capture vpncap

    Sincerely,

    Patrick

  • Providing access to the internet to the DMZ

    I have a couple of Web servers on the DMZ (30.30.30.0) which must be able to access Web sites. I also have static translations for the Web servers so outside users can access them. When I added these static translations for outside users, the Web servers could no longer browse the web. Here are a few pertinent lines of my config. Any ideas? (The goal is to keep the static translations but also allow the DMZ machines to browse the web.)

    access-list outsidein permit tcp any host 69.x.x.1 eq www
    access-list outsidein permit tcp any host 69.x.x.2 eq ftp
    access-list fromDMZ permit icmp any any
    access-list fromDMZ permit tcp any any eq www
    global (outside) 10 interface
    nat (inside) 10 10.0.2.0 255.255.255.0 0 0
    nat (dmz) 10 30.30.30.0 255.255.255.0 0 0
    static (inside,dmz) 10.0.2.0 10.0.2.0 netmask 255.255.255.0 0 0
    static (dmz,outside) 69.x.x.1 server1 netmask 255.255.255.255 0 0
    static (dmz,outside) 69.x.x.2 server2 netmask 255.255.255.255 0 0
    access-group outsidein in interface outside
    access-group fromDMZ in interface dmz

    HAG,

    In addition to opening tcp 53, I think you would also need to add udp port 53 for DNS to work:

    access-list fromDMZ permit udp any any eq 53

    Chris

  • Vpn client access to the DMZ host

    I'm having a problem where my clients who establish a VPN with the PIX 515 cannot access hosts on the DMZ. VPN clients can access hosts on the inside network without any problem. I discovered that when I do a traceroute from a client computer that has established a VPN connection to a host on the DMZ, it tries to go through the computer's default gateway instead of the Cisco client. Any ideas?

    More information:

    When a client connects to the PIX over the VPN, it is given the internal DNS servers, and on the internal DNS server we have a host entry that says "www.whatever.com" 2.2.2.2 (this is the DMZ host). Clients within the network can access this host without problems; it's just the clients who establish a VPN connection. But the VPN clients can access "www.whatever.com" using the public IP address. The problem is that if we remove the host entry from the DNS server so that the name "www.whatever.com" resolves to the public IP address, clients inside will not be able to access the DMZ host. The names and IP numbers are not real, just used as an example.

    Any help would be appreciated. Thank you

    You'll currently have something like this in your config file:

    access-list sheep permit ip ...

    nat (inside) 0 access-list sheep

    This tells the PIX not to NAT any traffic from the inside interface that is going to a VPN client. You need the same thing but for the DMZ interface, so add the following:

    access-list sheep permit ip ...

    nat (dmz) 0 access-list sheep

    That should get you going.

  • quick question on the DMZ and networking

    Need help please, I am a newbie to VMs and need quick help...

    I have a firewall configured and 1 ESXi 5.5 server set up, for testing at home only...

    My firewall has 2 ports for the internal network and one connected to my ISP.

    On the internal ports I have:

    Port 1: LAN, local IP scheme with a DHCP server running on the firewall

    Port 2: DMZ, I have 4 static IPs to use for remote mail and web servers

    On the ESX server I have 2 NICs, 1 plugged into the firewall's DMZ port and 1 into the LAN port.

    What is the best way to separate these 2 and make them work?

    For example, internal VMs have no access to the DMZ and have only the LAN NIC added to the virtual machine.

    But the Web servers and mail server should have both NICs connected, and each NIC gets the appropriate IP address based on which network card and network it uses.

    Can I use 1 vSwitch and 1 VM network? Or 1 vSwitch and create 2 networks? How do I configure the NICs and VM networks to communicate properly?

    Since you have two separate networks, an internal one and a DMZ, you will need two vSwitches, each with one network card. The first will be your internal network and management, the other for the DMZ.

    Then you will need to create the appropriate networks on them.

  • Configuration of the DMZ R12

    Hi all

    I intend to configure a DMZ in my company.

    Application: 2 nodes
    Database: 11gR2 RAC
    Operating system: AIX 6.1
    Application version: R12.1.3
    Using 1 Cisco hardware load balancer

    Query:
    I intend to go for the option "using hardware load balancing with no external Web tier". I want to expose my application server to the outside world.
    I intend to create a virtual machine on Apps node 1.

    For this do I need a separate one, or can I use the same load balancer used for the internal application servers?
    What configuration changes should I ask the network team for, for this DMZ network configuration?

    Please suggest

    Thanks in advance

    You can check Option 2.5: Using hardware load balancing with no external Web tier, in the MOS note:
    Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]

    You can also look at the Cisco part for the hardware load balancer:
    Implementing Load Balancing Across Oracle E-Business Suite - Documentation for Specific Load Balancer Hardware [ID 727171.1]
    Thank you

  • Provision of servers across the Web using VMware View 4.0

    Hello

    I have a requirement to provide servers via http. I have the license for VMware View but have no idea where to start. I installed a View server in the DMZ, but it must talk back to the domain, so I scrapped it.

    My ultimate goal is to open a web browser and type the address of a server, and log in to access to the server via the web browser.

    Any help would be greatly appreciated.

    Rgds,

    Paul.

    View supports adding existing Terminal Server farms to its Connection Broker, giving the user a single place to connect to their Terminal Server sessions and virtual desktops. All you have to do is create a new pool and add your terminal servers to the pool. Note that this only handles the brokering of connections to Terminal Servers.

  • Configuration of the DMZ for MS access

    I set up a DMZ for a Web server. I'll probably put an RODC in there later, but for now I want to open ports to the domain controller.

    I'm a bit new to DMZs and I'm a bit confused.

    I set up services for the different ports and then configured the LAN/DMZ rules outgoing from the DMZ to the domain controller, but I get no connection.

    The DMZ is 10.0.0.1 / 255.255.240.0
    The Web server is 10.0.0.5 / 255.255.240.0
    Gateway is 10.0.0.1

    DNS server is the primary domain controller, 192.168.10.1

    I opened ports for the following services:

    Kerberos 88 (TCP, UDP)
    Time 123 (UDP)
    135 Kerberos authentication (TCP)
    LDAP 389
    LDAP 445
    MS DS 3268 (TCP)
    1025-4999 RPC Ports (TCP)

    In the outgoing DMZ-to-LAN rules, should I simply specify the DMZ machine as the DMZ-side user, or do I need to specify the LAN-side user too?

    Then I need to duplicate these ports in the incoming rules, correct?

    Any help in pointing to the relevant documentation would be great.

    No, you should not need to configure static routes, unless you have something weird going on. You can check the network path by adding incoming/outgoing ICMP LAN-DMZ rules (ICMP type 8, to be precise) and pinging back and forth between the DC and the Web server (ensuring any intermediate software firewall is disabled). If you can test in both directions, then you know with certainty that no static routes are needed.

  • These servers all have the same problem: I can't install or uninstall anything on them. (Exception from HRESULT: 0x80070490)

    Not enough disk space (event IDs 428 and 488)

    I have 3 servers,

    Exchange 2010

    TMG 2010

    Member Server. (2008)

    These servers all have the same problem: I can't install or uninstall anything on them; even Windows Update patches cannot be installed. On the Exchange server and the member server, Roles and Features cannot be opened and display the error message (Exception from HRESULT: 0x80070490).

    In the event viewer most event IDs are 428 and 488 (not enough space).

    I have enough space on each server, i.e. more than 40 GB free.

    Please let me know if there is any possible solution.

    Hello

    Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the Windows Server forum on TechNet:
    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

  • Forward and reply to vmail between two Unity servers?

    I have a network where two Unity servers are connected and they are able to forward vmail to each other. (I did it using information from a document in a previous post:

    ( http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_installation_and_configuration_guide_book09186a00801ba396.html ) However, when this is done, there is no option to reply to the forwarded vmail as there is within the same Unity server. Is it possible to configure it to reply? In other words, can you set it up to reply to the forwarded vmail the way you can when a vmail is routed within the same Unity server? Is it even possible? I don't see it in the document. One Unity server is 4.03 with off-box Exchange. The other is 3.1.6 with on-box Exchange. Each is in a different domain. Thank you.

    No, there isn't a way around it. Putting the servers in the same forest requires a reinstallation of Unity. You can use DiRT to help you do it, but this isn't something we document step by step, because it isn't a normal activity. The only real challenge you may have there is naming. As DiRT tries to match the name in SQL with the directory during a restore, if you have any overlap you may have some problems. I'd read the help file for DiRT to get a better idea about the migration process:

    http://www.ciscounitytools.com/helpfiles/UnityDisasterRecovery.htm

    Thank you

    Keith

  • Is access to the DMZ on VPN best practices?

    Hello

    We have a DMZ which hosts the company guest wireless and also, installed on the same network, network security cameras. We must be able to access these security cameras remotely (from the office), and one way to do that would be to include the DMZ network in our remote access VPN. I don't know if this is a good/best practice since the same DMZ network also has guest wireless on it.

    I think that since the security/DVR cameras are something private, they should be moved inside the network instead of on the DMZ.

    Could you please comment and suggest?

    Thank you.

    Yes! Move the security cameras inside and create another guest LAN; do not use the DMZ for guests!

    The DMZ is meant for services exposed to the outside.
