Hardening of Cisco devices
Hello
I'm looking for some documentation on how to harden a Cisco device. I'm after guides for IOS routers, PIX firewalls, set-command (CatOS) switches and IOS switches. I searched CCEL but did not find anything useful. Thanks in advance for your help.
IOS:
http://www.cisecurity.org/bench_cisco.html
http://www.NSA.gov/SNAC/downloads_cisco.cfm?menuid=scg10.3.1
I'm not aware of similar guides for the PIX OS or Catalyst devices, but many of the ideas are the same (i.e. restrict who you allow admin/SNMP/etc. access by IP address, etc.).
Tags: Cisco Security
Similar Questions
-
Interface issues Netgear Smartswitch to the Cisco 881 LAN port
Hi, we have 100 Cisco 881 routers in our network and they all work fine with Linksys, 3Com, etc. switches. The problem we encountered is interfacing to switches from Netgear. Netgear switches use auto-detection on their ports and it doesn't seem to be compatible with the auto MDIX detection on the 4 LAN ports of the Cisco 881 router. Has someone encountered this problem before? Would a crossover cable solve the problem? Since both perform MDIX autosensing they never sync, so probably a crossover would not make much difference. I see this with all Netgear smart switches. If you put a small switch between the Netgear switch and the Cisco 881 router everything works well, except for passing traffic to port 9000. Any ideas would be appreciated.
See you soon,
Len
Hello
There should be no problem using a crossover cable. You can try disabling auto MDI/MDIX (no mdix auto) on the Cisco device and keep a straight-through cable, but if that fails, use a crossover cable.
Regards,
Alain
Remember to rate useful messages.
-
Refining Cisco device login
Dear Netpro community,
I'm trying to tweak the AAA portion on the Cisco device.
Here is my current setup:
aaa new-model
aaa authentication login default local group radius
aaa authentication enable default group radius enable
If the RADIUS server is offline, the first level is not a problem. However, the problem occurs when I want to go into enable mode. It will not use the enable password set locally; instead it goes to the RADIUS server and waits for authentication.
Debug:
test_switch > en
Password:
01:05:15: RADIUS: authentication using the $enab15$
01:05:15: RADIUS: ustruct sharecount = 1
01:05:15: RADIUS: pass on tty0 id 44 x.x.x.x:1812 initial, request for access, Len 72
01:05:15: 4-6 AC10E10F attribute
01:05:15: 5 6 00000000 attribute
01:05:15: 61 6 00000000 attribute
01:05:15: assign 1 to 10 24656E61
01:05:15: assign 2 18 69ABFDF8
01:05:15: 00000006 6 6 attribute
01:05:20: RADIUS: retransmission id 44
01:05:25: RADIUS: retransmission id 44
01:05:30: RADIUS: retransmission id 44
Password:
01:05:35: RADIUS: marking x.x.x.x:1812, 1813-dead server
01:05:35: RADIUS: tried all servers.
01:05:35: RADIUS: no valid server found. Try any viable Server
01:05:35: RADIUS: tried all servers.
01:05:35: RADIUS: no response for id 44
01:05:35: RADIUS: no response from Server
Password %: timeout expired.
% Authentication failure.
How can I make sure I can access the switch's privileged mode if there is no path to the RADIUS server?
It took 20 seconds from the original request:
01:05:15: RADIUS: pass on tty0 id 44 x.x.x.x:1812 initial, request for access, Len 72
... with three retransmissions, until the server was marked dead:
01:05:35: RADIUS: marking x.x.x.x:1812, 1813-dead server
Maybe you should mark a RADIUS server that is MIA as dead more quickly, by setting a timeout on the RADIUS server (for example 1 sec.).
For example:
radius-server host aaa.bbb.ccc.ddd auth-port 1812 acct-port 1813 timeout 1 key xxxxxxxxxx
If the server is recognized as dead earlier (4 s, including 3 retransmissions), maybe it's possible to use the locally configured enable password before the password timeout occurs.
I can't say for sure that this will solve your problem, but I know I would want to try it to find out.
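As an added example, not code from the thread: the Python below parses debug lines like those quoted above, derives that the 20 seconds were one request plus three retransmissions at a 5 s timeout, and predicts the wait for a proposed timeout value (the sample lines are constructed from the quoted debug; the function names are mine).

```python
"""Added example (not from the thread): derive the RADIUS dead-server
arithmetic from 'debug radius' style output and predict the effect of a
shorter 'radius-server host ... timeout'.  Function names are my own."""
import re
from typing import Dict, List, Optional

# Constructed sample, patterned on the debug output quoted in the thread:
# one Access-Request, three retransmissions, then the server is marked dead.
# Non-RADIUS lines ("Password:", attribute dumps) are included on purpose so
# the parser has to skip them.
SAMPLE_DEBUG = """\
test_switch > en
Password:
01:05:15: RADIUS: pass on tty0 id 44 x.x.x.x:1812 initial, request for access, Len 72
01:05:15: 4-6 AC10E10F attribute
01:05:20: RADIUS: retransmission id 44
01:05:25: RADIUS: retransmission id 44
01:05:30: RADIUS: retransmission id 44
Password:
01:05:35: RADIUS: marking x.x.x.x:1812, 1813-dead server
01:05:35: RADIUS: no response from Server
% Authentication failure.
"""

# hh:mm:ss prefix followed by the RADIUS subsystem tag.
_RADIUS_LINE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}): RADIUS: (.*)$")


def _to_seconds(h: str, m: str, s: str) -> int:
    return int(h) * 3600 + int(m) * 60 + int(s)


def analyse_radius_debug(text: str) -> Dict[str, int]:
    """Extract the per-try timeout, retransmit count and total seconds from
    the first Access-Request until the server was marked dead."""
    first: Optional[int] = None
    dead: Optional[int] = None
    retransmits: List[int] = []
    for raw in text.splitlines():
        m = _RADIUS_LINE.match(raw.strip())
        if not m:
            continue  # prompts, attribute dumps and other noise
        t = _to_seconds(m.group(1), m.group(2), m.group(3))
        msg = m.group(4).lower()
        if first is None and "request" in msg and "access" in msg:
            first = t
        elif "retransmi" in msg:          # "retransmission" / "Retransmit"
            retransmits.append(t)
        elif dead is None and "dead" in msg:
            dead = t
    if first is None or dead is None:
        raise ValueError("log does not contain a complete request-to-dead cycle")
    tries = 1 + len(retransmits)          # initial request plus retransmits
    return {
        "timeout_s": (dead - first) // tries,
        "retransmit": len(retransmits),
        "seconds_to_dead": dead - first,
    }


def predicted_seconds_to_dead(timeout_s: int, retransmit: int) -> int:
    """IOS waits timeout_s for the initial request and for every retransmit
    before it declares the server dead, so the worst case is their product."""
    return timeout_s * (retransmit + 1)


if __name__ == "__main__":
    obs = analyse_radius_debug(SAMPLE_DEBUG)
    print(f"observed: timeout {obs['timeout_s']} s x {obs['retransmit'] + 1} tries "
          f"= {obs['seconds_to_dead']} s before the server was marked dead")
    print(f"with 'timeout 1' and the same retransmit count: "
          f"{predicted_seconds_to_dead(1, obs['retransmit'])} s")
```

The same arithmetic applies to a real 'debug radius' capture: paste it in place of SAMPLE_DEBUG to see how long an operator is locked out of enable mode while the server is unreachable.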
-
Discovering the device directly connected to a Cisco ASA
How do I know which device is directly connected to an ASA interface? I'm looking for some commands that can be executed on the ASA to find the directly connected Cisco device.
Thank you
Boudou
Unfortunately there is no way on the ASA to tell which device is directly connected to it; there is no 'show cdp neighbors' on the ASA, unfortunately.
You can check the ARP table and see which is the next hop, but that would only give you the layer 3 device, since there could be a switch between the two.
-
Where can I find Visio and CAD icons for Cisco devices?
Where can I find Visio and CAD icons for Cisco devices? Thank you guys!
Not sure about Visio CAD but here's
http://www.Cisco.com/c/en/us/products/Visio-stencil-listing.html
-
Using Cisco ACS 5.2 (TACACS+) with non-Cisco devices
Hi all
I was hoping someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their (non-Cisco) network nodes via TACACS+. The nodes involved are:
Juniper M10i running Junos 9.2, M120
Juniper M320 running Junos 8.5
Extreme BD8810 and BD8806 running XOS 12.4.1.17
Extreme Alpine 3804 running Extremeware 7.8.3.5
My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate these non-Cisco devices using TACACS+? Has anyone else done this, or do I have to use RADIUS? If someone has done this, are there interoperability problems between Cisco ACS and Junos or Extreme XOS? Thank you
/ John
John,
We have a very large deployment of Juniper (T-series, MX series, etc.). We use Cisco ACS and TACACS+ to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to log in and match them to the classes on your JUNOS routers. Here is an example:
set system login user engineering uid 2000
set system login user engineering class engineering-class
set system login user noc uid 2001
set system login user noc class noc-class
set system login class engineering-class idle-timeout 15
set system login class engineering-class permissions all
set system login class noc-class idle-timeout 15
set system login class noc-class permissions view
set system login class noc-class permissions view-configuration
We use two classes, engineering and noc. One is defined as read/write and the second as read-only. This is in turn mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the interface configuration and add a TACACS+ junos-exec service and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.
Hope this helps.
Derek
-
Firefox 39 incompatible with all Cisco devices
With the latest update, access to all Cisco devices via Firefox is no longer supported. Now I get the following errors:
Secure Connection Failed
An error occurred during a connection to [IP]. SSL received a weak ephemeral Diffie-Hellman key in the Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Contact the website owners to inform them of this problem.
Is there a way to roll back the version to avoid this, or a permanent fix? Firefox is currently the only browser that works very well with Cisco devices, and now it won't work at all.
What happens if you set these two to false in about:config:
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
Are you able to connect with those ciphers disabled?
-
HP Touchpad browser does not work with the Cisco Valet Plus router
I bought a 16 GB HP Touchpad several months ago and had been enjoying its excellent WiFi feature with my old Linksys WRT54GS wireless-G router until I replaced it with a new Cisco Valet Plus (model M20) wireless-N router a couple of days ago.
Although I could easily and successfully join the Touchpad to the Cisco Valet network, the browser fails most of the time to load web pages. For example, if I go to www.yahoo.com, the browser will either slowly load the web page, or it will time out with a pop-up error message "Unable to load the page". If I try to select a link from the Yahoo homepage, it times out with the same message. And this happens for all web pages. If the initial page loads at all, I cannot then follow a link from this page to any other.
I know that the issue is not with the router because I have several other devices connected to it and they are all working well, including an HP ProBook laptop, an iPad and a Wii console I use to watch Netflix movies on. None of them has a problem, only the Touchpad.
If I go into Settings -> Wi-Fi, it shows that the Touchpad is connected to the Cisco network. And when I run the system diagnostic, it shows that the Wi-Fi works correctly.
Does anyone have an idea how to solve this problem?
I have found a workaround that did the trick. I had to change the wireless channel setting from auto to a hard-coded channel 1.
Now the Touchpad works very well, as do all the other devices that were already working.
-
Problems connecting via the Cisco IPSec VPN client to an RV180W small business router
Hello
I tried to configure my Cisco RV180W router for the Cisco IPSec VPN client, but have encountered a problem that I hope someone can help me with. I managed to get the configuration working so that the Cisco IPSec VPN client authenticates successfully with the XAUTH user I set up on the router, but during the negotiation the client fails with the following error message, which appears several times on the router:
Mar 20 Oct 19:41:53 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [34360] has no config mode
I've read around the internet and a number of people seem to say that the Cisco VPN Client is not compatible with the router, but the same thing happens with my iPhone VPN client.
Is it possible to get this working? Below I have attached the full configuration files and the log files. Thank you very much in advance.
Router log file (I changed the IP addresses to > and removed references to MAC addresses):
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: floating ports NAT - T with counterpart > [44074]
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] WARNING: notification to ignore INITIAL-CONTACT> [44074] because it is admitted only after the phase 1.
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for> [4500]
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for> [44074]
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received unknown Vendor ID
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received Vendor ID: CISCO-UNITY
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT detected: is located behind a device. NAT and alsoPeer is behind a NAT device
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: request sending Xauth for> [44074]
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association established for> [4500] - > [44074] with spi = >.
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REPLY' of> [44074]
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: login successful for the user "myusername".
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser connected from the IP>
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: sending of information Exchange: Notify payload [10381]
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REQUEST' of> [44074]
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: ignored attribute 5
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28683
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no mode config
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28684
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no mode config
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: remove the invalid payload with doi:0.
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: purged-Association of ISAKMP security with proto_id = ISAKMP and spi =>.
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser Logged Out of the IP>
Mar 20 Oct 20:03:16 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association deleted for> [4500] - > [44074] with spi = >
The router configuration
IKE policy
VPN strategy
Client configuration
Host: <router ip>
Authentication group name: remote.com
Password authentication of the Group: mysecretpassword
Transport: Enable Transparent Tunneling; IPSec over UDP (NAT/PAT)
Username: myusername
Password: mypassword
Please contact Cisco.
Correct, the RV180 is not compatible with the Cisco VPN Client. The iPhone uses the Cisco VPN Client.
You can use the PPTP server on the RV180 to connect a PPTP client.
In addition, the RV180 will allow an IPsec connection from third-party clients. Greenbow and Shrew Soft are two commonly used clients.
-
Is the CTS-CTRL-DVC8 compatible with the Cisco MX200 G1 telepresence?
Hi team,
Please confirm whether the CTS-CTRL-DVC8= (Cisco TelePresence Touch device) is compatible with the Cisco MX200 G1 telepresence.
Thank you very much.
Sorry, I misread the Gen1 in your message. Yes, the Touch 8 works with the old Gen 1 MX200 running TC software. This is mentioned on the MX200 data sheet. Older hardware (MX Gen1 and C40/60/90) supports the Touch 8 only and cannot be upgraded to the new CE software.
-
Cisco Nexus 1000V Virtual Switch Module placement in the Cisco Unified Computing System
Hi all
I read an article by Cisco entitled "Best Practices in Deploying Cisco Nexus 1000V Series Switches on Cisco UCS B and C Series Cisco UCS Manager Servers":
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-558242.html
A lot of excellent information, but the section that intrigues me has to do with the placement of the VSM module in the UCS. The article lists 4 options in order of preference, but does not provide details or the reasons underlying the recommendations. The options are the following:
Option 1: VSM external to the Cisco Unified Computing System on the Cisco Nexus 1010
In this scenario, management of the virtual environment is accomplished in a manner identical to existing non-virtualized environments. With multiple VSM instances on the Nexus 1010, multiple vCenter data centers can be supported.
Option 2: VSM outside the Cisco Unified Computing System on the Cisco Nexus 1000V Series VEM
This model allows centralized management of the virtual infrastructure, and proved to be very stable...
Option 3: VSM outside the Cisco Unified Computing System on the VMware vSwitch
This model isolates the managed devices, and it migrates to the Cisco Nexus 1010 Virtual Services Appliance model. A possible concern here is the management and operational model of the network links between the VSM and VEM devices.
Option 4: VSM inside the Cisco Unified Computing System on the VMware vSwitch
This model was also stable in test deployments. A possible concern here is the management and operational model of the network links between the VSM and VEM devices, and having duplicate switching infrastructure in your Cisco Unified Computing System.
As a beginner in both Nexus 1000V and UCS, I hope someone can help me understand the configuration of these options and, equally important, provide a more detailed explanation of each of the options and the reasoning behind the preferences (pros and cons).
Thank you
Pradeep
No, they are different products. vASA will be a virtual version of our ASA device.
ASA is a complete recommended firewall.
-
What layer are FIs in the Cisco hierarchical network design model?
What layer are FIs in the Cisco hierarchical network design model?
Is this a straightforward question? We have a Nexus 7k for our core and port-channel the FIs to them. So for me it's the distribution layer.
But when we attach to the Isilon NAS devices we use N3Ks between the FI and N7K. Would this make the N3K and FI both part of the distribution layer? Would it not be considered part of that layer? However, it does not do ACLs etc., which usually belong to the distribution layer.
I was wondering what people's thoughts are on it. Is the UCS FI a 'one off' in the 3-layer model?
Thank you!
Craig
FIs can sit at your distribution layer or access layer. I've seen deployments where they are deployed at either, depending on the size of the UCS cluster and the network bandwidth. The distribution layer is usually where all the layer 3 magic happens (routing, ACLs, QoS, FW, policy enforcement, etc.) and, UCS being strictly layer 2, it could be classified as an access-layer device.
Designs are flexible and as long as you consider the oversubscription ratio, you should be fine with either deployment option.
I hope that others will share their ideas
Kind regards
Robert
-
Cisco router memory usage
Hello
We have an SA520 router (Firmware 2.1.18).
We have only been using it for about 1 month now. The router seems OK, it's just that
I am concerned about the memory usage, which reaches 62% (144/234 MB).
Is that something to worry about?
How can I cut down the usage? Excuse me, I'm just new to Cisco devices.
Thank you very much.
CA
CA,
Please go ahead and upgrade to the latest firmware, 2.1.51; memory use should not be a problem. After the upgrade, please keep an eye on the memory and report back.
Thank you
Jasbryan
Cisco Support Engineer
-
The remote device or resource does not accept the connection - CIMC
Hello
I tried to access the CIMC remotely via web browser, but get the error message "the connection was refused by the target device".
I was able to access a similar device in the same place but cannot for this particular device.
Another diagnosis with Internet Explorer came up with the reason "the remote device or resource does not accept the connection".
Any idea please?
Thank you
Hi Mike,
Is the host online at this time? Are you able to ping the CIMC? If you are able to ping the CIMC but are unable to connect via SSH or the graphical user interface, you may be hitting the following bug:
https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCun88303/?reffering_site...
I hope this helps. Please mark all the useful answers as correct so others can find answers faster.
Qiese Sa'di
-
Restoring the configuration of Cisco ACS 1121 ver 5.2 to SNS 3425 ver 5.6
Dear all,
We currently have Cisco ACS 1121 ver 5.2 in production, and we will replace it with new devices using SNS 3425 ver 5.6.
Could someone please tell me how to restore all the configuration of the old devices (ACS 1121 ver 5.2) to the new ones?
Best regards
Yudibagam
Hello! You must upgrade the current device to a minimum of v5.4 for the restore to work and be supported.
However, if you're going to go through the upgrade process anyway then I would say upgrade all the way to 5.6 just to be sure :)
I hope this helps!
Thank you for rating useful messages!