Hardening of the cisco devices

Hello

I'm looking for some documentation on how to harden a Cisco device. I am after guides for IOS routers, PIX firewalls, set-command switches and also IOS-command switches. A search on CCEL did not find anything useful. Thanks in advance for your help.

IOS:

http://www.cisecurity.org/bench_cisco.html

http://www.NSA.gov/SNAC/downloads_cisco.cfm?menuid=scg10.3.1

I'm not aware of any such guides for PIX OS or Catalyst devices, but many of the ideas are the same (i.e. restrict who you allow admin/SNMP/etc. access to by IP address, etc.).

Tags: Cisco Security

Similar Questions

  • Interface issues Netgear Smartswitch to the Cisco 881 LAN port

    Hi, we have 100 Cisco 881 routers in our network and they all work fine with Linksys, 3Com, etc. switches. The problem we encountered is interfacing to Netgear switches. Netgear switches use auto-detection on their ports and it doesn't seem to be compatible with auto MDIX detection on the 4 LAN ports of the Cisco 881 router. Has someone encountered this problem before? Would a crossover cable solve the problem? Since both perform MDIX autosensing they never sync, so probably a crossover would not make much difference. I see this with all Netgear smartswitches. If you put a small switch between the Netgear switch and the Cisco 881 router everything works well except passing traffic to port 9000. Any ideas would be appreciated.

    See you soon,

    Len

    Hello

    There should be no problem using a crossover cable. You can try disabling auto MDI/MDIX (no mdix auto) on the Cisco device and keep a straight cable, but if it fails, use a crossover cable.

    Concerning

    Alain

    Remember to rate useful messages.

  • refine for cisco device logging

    Dear Netpro community,

    I'm trying to tweak the AAA portion on the Cisco device.

    Here is my current setup:

    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable

    If the RADIUS server is offline, the first level (login) is not a problem. However, the problem occurs if I want to go to enable mode. It will not use the locally set enable password, but instead goes to the RADIUS server for authentication.

    Debug:

    test_switch> en
    Password:
    01:05:15: RADIUS: authenticating using $enab15$
    01:05:15: RADIUS: ustruct sharecount = 1
    01:05:15: RADIUS: Initial Transmit tty0 id 44 x.x.x.x:1812, Access-Request, len 72
    01:05:15:         Attribute 4 6 AC10E10F
    01:05:15:         Attribute 5 6 00000000
    01:05:15:         Attribute 61 6 00000000
    01:05:15:         Attribute 1 10 24656E61
    01:05:15:         Attribute 2 18 69ABFDF8
    01:05:15:         Attribute 6 6 00000006
    01:05:20: RADIUS: Retransmit id 44
    01:05:25: RADIUS: Retransmit id 44
    01:05:30: RADIUS: Retransmit id 44
    Password:
    01:05:35: RADIUS: Marking server x.x.x.x:1812,1813 dead
    01:05:35: RADIUS: Tried all servers.
    01:05:35: RADIUS: No valid server found. Trying any viable server
    01:05:35: RADIUS: Tried all servers.
    01:05:35: RADIUS: No response for id 44
    01:05:35: RADIUS: No response from server
    % Password: timeout expired!
    % Authentication failed.

    How can I make sure that I can access the switch's privileged mode if there is no path to the RADIUS server?

    It took 20 seconds from the original transmit:

    01:05:15: RADIUS: Initial Transmit tty0 id 44 x.x.x.x:1812, Access-Request, len 72

    ... with three retransmissions, until the server was marked dead:

    01:05:35: RADIUS: Marking server x.x.x.x:1812,1813 dead

    Maybe you should mark a MIA RADIUS server as dead more quickly, by setting a timeout on the RADIUS server (for example: 1 sec.).

    for example:

    radius-server host aaa.bbb.ccc.ddd auth-port 1812 acct-port 1813 timeout 1 key xxxxxxxxxx

    If the server is recognized as dead earlier (4 s, incl. 3 retransmissions), maybe it's possible to use the locally configured enable password before the "password timeout" occurs.

    I can't say for sure that this will solve your problem, but I would want to try it to find out.
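    As an added example (not from any post on this page): an IOS management-plane configuration that puts together the advice from the hardening question at the top of the page (restrict admin/SNMP access by source IP address) and from this AAA thread (a short RADIUS timeout so the enable method list falls back to the local enable secret before the password prompt times out). The addresses, ACL name, secrets and RADIUS key are constructed placeholders; the command syntax is standard IOS but should be checked against your release.

    ```text
    ! Added example, not from any post on this page. Addresses (RFC 5737
    ! ranges), the ACL name and all secrets/keys are constructed placeholders.
    !
    ! --- Who may reach the management plane: only the admin subnet
    ip access-list standard MGMT-HOSTS
     permit 192.0.2.0 0.0.0.255
     deny   any log
    !
    ! --- Local credentials that stay usable when RADIUS is unreachable
    service password-encryption
    enable secret <ENABLE-SECRET-PLACEHOLDER>
    username admin privilege 15 secret <ADMIN-SECRET-PLACEHOLDER>
    !
    ! --- AAA method lists: RADIUS first, then local. Methods are tried left
    ! to right; the next method is used only when the previous one gives no
    ! answer (server dead or timed out), not when it rejects the credentials.
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default group radius local
    !
    ! --- Fast failover: 1 s timeout and 1 retransmit means roughly 2 s until
    ! the server is declared dead, instead of the 20 s (5 s x 4 tries) seen in
    ! the debug output above. deadtime 5 keeps it marked dead for 5 minutes so
    ! later logins go straight to the local method while it is down.
    radius-server host 198.51.100.10 auth-port 1812 acct-port 1813 timeout 1 retransmit 1 key <RADIUS-KEY-PLACEHOLDER>
    radius-server deadtime 5
    !
    ! --- Remote administration: SSHv2 only, filtered by the ACL, throttled
    ! against password guessing. RSA keys must already exist (crypto key
    ! generate rsa) for SSH to come up.
    ip domain-name example.net
    ip ssh version 2
    login block-for 120 attempts 3 within 60
    line vty 0 4
     access-class MGMT-HOSTS in
     transport input ssh
     exec-timeout 10 0
     login authentication default
    !
    ! --- Unneeded services off; SNMP read-only and filtered by the same ACL
    no ip http server
    no ip http secure-server
    no cdp run
    snmp-server community <COMMUNITY-PLACEHOLDER> RO MGMT-HOSTS
    ```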

  • Discover device directly connected to the cisco ASA

    How do I know what is directly connected to an ASA interface? I'm looking for some commands that can be executed on the ASA to find the directly connected Cisco device.

    Thank you

    Boudou

    Unfortunately it is not possible on the ASA for you to tell what device is directly connected to it; there is no 'show cdp neighbors' on the ASA, unfortunately.

    You can check the ARP table and see what the next hop is, but that would only give the layer 3 device, so there could be a switch between the two devices.

  • Where can I find Visio and CAD icons for Cisco devices?

    Where can I find Visio and CAD icons for Cisco devices? Thank you guys!

    Not sure about Visio CAD, but here's

    http://www.Cisco.com/c/en/us/products/Visio-stencil-listing.html

  • Using Cisco ACS 5.2 (TACACS+) with non-Cisco devices

    Hi all

    I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their non-Cisco network nodes via TACACS+. The nodes involved are

    Juniper M10i running Junos 9.2, M120

    Juniper M320 running Junos 8.5

    Extreme BD8810 and BD8806 running XOS 12.4.1.17

    Extreme Alpine 3804 running Extremeware 7.8.3.5

    My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate these non-Cisco devices using TACACS+? Has anyone else done this, or do I have to use RADIUS? If someone has done this, are there interoperability problems between Cisco ACS and Junos or Extreme XOS? Thank you

    / John

    John,

    We have a very large deployment of Juniper (T-series, MX series, etc.). We use Cisco ACS and TACACS+ to manage these devices. The configuration of the ACS is fairly simple. You'll want to create login users and match them to the classes on your JUNOS routers. Here is an example:

    set system login user engineering uid 2000
    set system login user engineering class engineering-class
    set system login user noc uid 2001
    set system login user noc class noc-class

    set system login class engineering-class idle-timeout 15
    set system login class engineering-class permissions all
    set system login class noc-class idle-timeout 15
    set system login class noc-class permissions view
    set system login class noc-class permissions view-configuration

    We use two classes, engineering and NOC. One is defined as read/write and the second as read-only. This is in turn mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the interface configuration and add a TACACS+ junos-exec service, leaving the Protocol field empty. Then, you change the attributes of the user or group. I've attached screenshots for both on this subject.

    Hope this helps.

    Derek

  • FireFox 39 Incompatible with all Cisco devices

    With the last update, access to all Cisco devices via FireFox is no longer supported. Now I get the following errors:

    The secure connection failed
    An error occurred during a connection to [IP]. SSL received a weak ephemeral Diffie-Hellman key in the Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Contact the Web site owners to inform them of this problem.

    Is there a way to roll back the version to avoid this, or is there a permanent fix? FireFox is currently the only browser that works well with Cisco devices, and now it won't work at all.

    What happens if you set these two to false in about:config:

    security.ssl3.dhe_rsa_aes_128_sha
    security.ssl3.dhe_rsa_aes_256_sha

    Are you able to connect with those ciphers disabled?

  • HP Touchpad browser works only with the Cisco Valet Plus router

    I bought a 16 GB HP Touchpad several months ago and had been enjoying its excellent WiFi feature with my old Linksys WRT54GS wireless-G router until I replaced it with a new Cisco Valet Plus (model M20) wireless-N router a couple of days ago.

    Although I could easily and successfully join the Touchpad to the Cisco Valet network, the browser fails most of the time to load web pages. For example, if I go to www.yahoo.com, the browser either slowly loads the web page, or it times out with a pop-up error message "Unable to load the page". If I try to select a link from the Yahoo homepage, it times out with the same message. And this happens for all web pages. If the initial page loads at all, I can then follow a link from this page to any other.

    I know that the issue is not with the router because I have several other devices connected to it and they are all working well, including an HP ProBook laptop, an iPad and a Wii console I use to watch Netflix movies on. None of them has a problem, only the Touchpad.

    If I go into Settings -> Wi-Fi, it shows that the Touchpad is connected to the Cisco network. And when I run the system diagnostics, it shows that the Wi-Fi works correctly.

    Does anyone have an idea how to solve this problem?

    I have found a workaround that did the trick. I had to change the wireless channel setting from auto to a hard-coded channel 1.

    Now the Touchpad works very well, as do all the other devices that were already working.

  • Problems connecting via the Cisco IPSec VPN client to an RV180W small business router

    Hello

    I tried to configure my Cisco RV180W router for the IPSec VPN client, but have encountered a problem that I hope someone can help me with. I managed to get the configuration working so that the Cisco IPSec VPN client authenticates successfully with the XAUTH user I set up on the router, but during the negotiation the client fails with the following error message, which appears several times on the router: 'Mar 20 Oct 19:41:53 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [34360] has no config mode.'

    I've read around the internet and a number of people seem to say that the Cisco VPN Client is not compatible with the router, but the same thing happens with my iPhone VPN client.

    Is it possible to get this working? Below I have attached the full configuration and the log files. Thank you very much in advance.

    Router log file (I changed the IP addresses to > and also the references to MAC addresses)

    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: floating ports NAT - T with counterpart > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] WARNING: notification to ignore INITIAL-CONTACT > [44074] because it is admitted only after the phase 1.
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for > [4500]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received unknown Vendor ID
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received Vendor ID: CISCO-UNITY
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT detected: is located behind a device. NAT and alsoPeer is behind a NAT device
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: request sending Xauth for > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association established for > [4500] -> [44074] with spi =>.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REPLY' of > [44074]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: login successful for the user "myusername".
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser connected from the IP >
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: sending of information Exchange: Notify payload [10381]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REQUEST' of > [44074]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: ignored attribute 5
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28683
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no mode config

    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28684
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no mode config

    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: remove the invalid payload with doi:0.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: purged-Association of ISAKMP security with proto_id = ISAKMP and spi =>.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser Logged Out of the IP >
    Mar 20 Oct 20:03:16 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association deleted for > [4500] -> [44074] with spi =>

    The router configuration

    IKE policy

    VPN strategy

    Client configuration

    Host: <router IP>

    Authentication group name: remote.com

    Group authentication password: mysecretpassword

    Transport: Enable Transparent Tunneling; IPSec over UDP (NAT/PAT)

    Username: myusername

    Password: mypassword

    Please contact Cisco.

    Correct, the RV180 is not compatible with the Cisco VPN Client. The iPhone uses the Cisco VPN Client.

    You can use the PPTP server on the RV180 to connect a PPTP client.

    In addition, the RV180 will allow an IPsec connection from third-party clients. Greenbow and Shrew Soft are 2 commonly used clients.

  • Is the CTS-CTRL-DVC8 compatible with the Cisco MX200 G1 telepresence?

    Hi team,

    Please confirm whether the CTS-CTRL-DVC8= (Cisco TelePresence Touch device) is compatible with the Cisco MX200 G1 telepresence.

    Thank you very much.

    Sorry, misread the Gen1 in your message. Yes, the Touch 8 works with the old Gen 1 MX200 running TC software. This is mentioned on the MX200 data sheet. Older hardware (MX Gen1 and C40/60/90) supports the Touch 8 only and cannot be upgraded to the new CE software.

  • Cisco Nexus 1000V Series Virtual Switch Module placement in the Cisco Unified Computing System

    Hi all
    I read an article by Cisco entitled "Best Practices in Deploying Cisco Nexus 1000V Series Switches on Cisco UCS B and C Series Cisco UCS Manager Servers" http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-558242.html

    A lot of excellent information, but the section that intrigues me has to do with the placement of the VSM module in the UCS. The article lists 4 options in order of preference, but does not provide details or the reasoning underlying the recommendations. The options are the following:

    ============================================================================================================================================================
    Option 1: VSM external to the Cisco Unified Computing System on the Cisco Nexus 1010

    In this scenario, management of the virtual environment is accomplished in a manner identical to existing non-virtualized environments. With multiple VSM instances on the Nexus 1010, multiple vCenter data centers can be supported.
    ============================================================================================================================================================

    Option 2: VSM outside the Cisco Unified Computing System on the Cisco Nexus 1000V Series VEM

    This model allows centralized management of the virtual infrastructure, and has proven to be very stable...
    ============================================================================================================================================================

    Option 3: VSM Outside the Cisco Unified Computing System on the VMware vSwitch

    This model allows isolation of the managed devices, and it migrates to the Cisco Nexus 1010 Virtual Services Appliance model. A possible concern here is the management and operational model of the network links between the VSM and VEM devices.
    ============================================================================================================================================================

    Option 4: VSM Inside the Cisco Unified Computing System on the VMware vSwitch

    This model was also stable in test deployments. A possible concern here is the management and operational model of the network links between the VSM and VEM devices, and having duplicate switching infrastructure in your Cisco Unified Computing System.
    ============================================================================================================================================================

    As a beginner with both Nexus 1000V and UCS, I hope someone can help me understand the configuration of these options and, equally important, provide a more detailed explanation of each of the options and the reasoning behind the preferences (pros and cons).

    Thank you
    Pradeep

    No, they are different products. vASA will be a virtual version of our ASA device.

    ASA is a complete recommended firewall.

  • What layer are FI in the Cisco hierarchical network design model?

    What layer are FI in the Cisco hierarchical network design model?

    Is this a straight question? We have a Nexus 7K for our core and port-channel the FIs to them. So for me it's the distribution layer.

    But when we attach to the NAS (Isilon devices) we use N3Ks between the FI and N7K. This would make the N3K and FI both part of the distribution layer? Would it not be considered a layer? However, it does not do ACLs etc. which usually belong to the distribution layer.

    I was wondering what people's thoughts are on it. Is the UCS FI a 'one off' in the 3-layer model?

    Thank you!

    Craig

    FIs can sit at your dist layer or access. I've seen deployments where they are deployed at both, depending on the size of the UCS cluster and network bandwidth. The distribution layer is usually where all the layer 3 magic happens (routing, ACL, QoS, FW, policy enforcement etc.) and UCS being strictly Layer 2, it could be classified as an access-layer device.

    Designs are flexible and as long as you consider oversubscription properly, you should be fine with either deployment option.

    I hope that others will share their ideas

    Kind regards

    Robert

  • For the Cisco router memory usage

    Hello

    We have a router SA520 (Firmware 2.1.18)

    We have only been using this for about 1 month now. The router seems ok, it's just that

    I am concerned about the memory usage, which has reached 62% (144/234 MB).

    Is it something to worry about?
    How can I cut down the usage?

    Excuse me, I'm just new to Cisco devices.

    Thank you very much.

    CA

    AC,

    Please go ahead and upgrade to the latest firmware 2.1.51; memory use should not be a problem. After the upgrade, please keep an eye on the memory and report back.

    Thank you

    Jasbryan

    Cisco Support Engineer


  • the remote device or resource does not accept the connection - CIMC

    Hello

    I tried to access the CIMC remotely via web browser, but get the error message "the connection was refused by the target device".

    I was able to access a similar device at the same location but not this particular device.

    Another diagnosis with Internet Explorer came back with the reason "the remote device or resource does not accept the connection".

    Any idea please?

    Thank you

    Hi Mike,

    Is the host online at this time? Are you able to ping the CIMC server? If you are able to ping the CIMC server, but unable to connect via SSH or the graphical user interface, you may be hitting the following bug:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCun88303/?reffering_site...

    I hope this helps. Please mark all the useful answers as correct so that others can find answers faster.

    Qiese Sa'di

  • restore the configuration of the cisco ACS 1121 ver 5.2 to SNS 3425 ver 5.6

    Dear all,

    We currently have Cisco ACS 1121 ver 5.2 in our production, and we will replace it with new devices using SNS 3425 ver 5.6.

    Could someone please tell me how to restore all the configuration of the old devices (ACS 1121 ver 5.2) to the new ones?

    Best regards

    Yudibagam

    Hello! You must upgrade the current device to a minimum of v5.4 for the restore to work and be supported.

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_control_system/5-6/release/notes/acs_56_rn.html

    However, if you're going to go through the upgrade hassle anyway, then I would say upgrade all the way to 5.6 just to be sure :)

    I hope this helps!

    Thank you for evaluating useful messages!
