Int sniff traffic
Cisco IDS:
probe# sh int
command-control is up
 Internet address is 10.20.0.30, subnet mask is 255.255.252.0, telnet is enabled.
 Hardware is eth1, TX
Network Statistics
 eth1 Link encap:Ethernet HWaddr 00: 0d: c 88: 6 D: 3F:2 B
      inet addr:10.20.0.30 Bcast:10.20.3.255 Mask:255.255.252.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:18437 errors:0 dropped:0 overruns:0 frame:0
      TX packets:5828 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:2137149 (2.0 Mb) TX bytes:1776793 (1.6 Mb)
      Interrupt:11 Base address:0x9000
Group 0 is up
 Sensing ports int0 int2
 Logical virtual sensor configuration: virtualSensor
 Logical alarm channel configuration: virtualAlarm
.....
Sensing int0 is down
 Hardware is eth0, TX
 Reset port
Sensing int2 is down
 Hardware is eth2, TX
 Reset port
================================================
If I connect int0 to the DMZ I can see the events using IEV, but after connecting the same cable to int2 nothing shows up.
Where is the problem?
It's a bit strange that you see events on int0 when it says it is down. What version are you running on the sensor, and what model is it?
In any case, what do you see when you run 'show interfaces sensing'?
Try to manually bring up the interface:
guardian1# conf t
guardian1(config)# interface sensing int0
guardian1(config-ifs)# no shutdown
If this does not work, then take a look at the interface from the 'service' account:
bash-2.05$ su -
Password:
[root@<sensor-hostname> /root]# ifconfig -a
[root@<sensor-hostname> /root]# tcpdump -i eth0
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
15:11:18.160683 63.250.197.45.http >
Verify that the interface sees the traffic.
I hope this helps.
Chris
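To make the check Chris describes repeatable, here is an added example (not from the thread and not Cisco's code) that parses the IDS 4.x 'show interfaces' output quoted at the top of this thread and reports which sensing ports are down, which Linux NIC sits behind each, and the inconsistency of events arriving from a port the sensor reports as down. The sample text is the first post's output with the MAC address replaced by a constructed placeholder; the line patterns are my assumptions about that output format.

```python
import re

# The first post's 'show interfaces' output, lightly normalised.
# The HWaddr is a constructed placeholder (the post's MAC is garbled).
SAMPLE = """\
command-control is up
 Internet address is 10.20.0.30, subnet mask is 255.255.252.0, telnet is enabled.
 Hardware is eth1, TX
Network Statistics
 eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00
      inet addr:10.20.0.30 Bcast:10.20.3.255 Mask:255.255.252.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:18437 errors:0 dropped:0 overruns:0 frame:0
      TX packets:5828 errors:0 dropped:0 overruns:0 carrier:0
Group 0 is up
 Sensing ports int0 int2
Sensing int0 is down
 Hardware is eth0, TX
 Reset port
Sensing int2 is down
 Hardware is eth2, TX
 Reset port
"""

# Assumed line shapes: "<name> is up|down" for command-control, groups and
# sensing ports, "Hardware is ethN," right below a sensing port, and
# ifconfig-style "RX packets:N errors:N dropped:N ..." counter lines.
STATE_RE = re.compile(r"^(?P<name>command-control|Sensing \S+|Group \d+) is (?P<state>up|down)$", re.M)
HW_RE = re.compile(r"^Sensing (?P<iface>\S+) is \S+\n\s*Hardware is (?P<nic>\S+),", re.M)
COUNTER_RE = re.compile(r"(?P<dir>RX|TX) packets:(?P<pkts>\d+) errors:(?P<err>\d+) dropped:(?P<drop>\d+)")


def interface_states(text):
    """Map each interface/group name to 'up' or 'down'."""
    return {m.group("name"): m.group("state") for m in STATE_RE.finditer(text)}


def sensing_nics(text):
    """Map sensing port name (int0) to the Linux NIC behind it (eth0)."""
    return {m.group("iface"): m.group("nic") for m in HW_RE.finditer(text)}


def counters(text):
    """Packet/error/drop counters per direction for the NIC that printed them."""
    return {m.group("dir"): {k: int(m.group(k)) for k in ("pkts", "err", "drop")}
            for m in COUNTER_RE.finditer(text)}


def audit(text, events_seen_on=()):
    """Return human-readable findings: sensing ports that are down, and the
    inconsistency of seeing events from a port the sensor reports as down."""
    states = interface_states(text)
    nics = sensing_nics(text)
    findings = []
    for name, state in states.items():
        if name.startswith("Sensing ") and state == "down":
            port = name.split()[1]
            findings.append(f"{port} ({nics.get(port, '?')}) is down: bring it up and "
                            f"confirm with tcpdump on {nics.get(port, 'the NIC')}")
    for port in events_seen_on:
        if states.get(f"Sensing {port}") == "down":
            findings.append(f"{port}: events are reported although the port is down; "
                            f"re-check which cable/NIC actually carries the DMZ span")
    if states.get("command-control") != "up":
        findings.append("command-control is not up: the sensor may be unreachable")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE, events_seen_on=["int0"]):
        print(line)
    print(counters(SAMPLE))
```

Paste the real 'show interfaces' output into SAMPLE (or read it from a file) and list in events_seen_on the ports IEV shows events for; a port that is both "down" and producing events points at a cabling or NIC-mapping mix-up rather than at the sensor software.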
Similar Questions
-
Multicast traffic stops flowing after a while when using IGMP snooping
Hi all
I have the following configuration:
Where host 1 is a multicast traffic source and host 2 is a multicast client. IGMP snooping is configured on both switches.
Host 2 boots and sends an IGMP report in order to join host 1's multicast group. Since SW2 does not know where the mrouter for the group is, it adds port Eth1/1 to the snooping group and drops the IGMP packet. Once host 1 starts, it sends an IGMP query (which is flooded out the port channel), and multicast traffic starts flowing to host 2.
When I ran 'show ip igmp snooping groups' I saw the same result on both switches: on both switches the group contains Eth1/1 and the port channel, but after a while the switch connected to host 2 removed the port channel from the group.
After consulting the switch logs and sniffing traffic on one of the port-channel interfaces on SW1, I came to the conclusion that this happens because SW1 stops sending on the queries generated by host 1 and responds to them locally (some proxy or something). I also noticed that the IGMP reports generated by host 2 stop arriving at SW1 (since SW2 no longer knows there is an mrouter connected across the port channel). My questions are:
1. How does SW1 know it should keep the port channel as part of the group if it no longer receives IGMP reports from SW2?
2. What happens if host 2 is no longer interested in the multicast traffic but does not send an IGMP leave message (a behaviour that is allowed according to the protocol, to my knowledge)? How does SW1 know it should stop responding to the IGMP queries sent by host 1?
Thanks in advance,
Omer.
Hello
The problem is that you do not have an mrouter port on sw1. It is well documented at
http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-6500-Series-...
There are 3 ways you can solve this problem:
1. enable PIM on Sw1,
or
2. enable the IP IGMP snooping querier on Sw2,
or
3. create a static mrouter port on sw2:
ip igmp snooping vlan 1 mrouter interface PoX
-
Hello.
At present, I am monitoring the traffic flowing on the inside interface of my firewall. I need to sniff traffic on another interface as well. Before doing this, I wanted to know whether my IDS 4235 would take the load or not.
Kindly help me with how to measure the current load on the IDS.
Hello
You can run the following command:
show version
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.0000 S91
OS Version 2.4.18-5smpbigphys-4215
Platform: IDS-4215
Sensor up-time is 51 days.
Using 444817408 out of 459202560 bytes of available memory (96% usage)
Using 4.3G out of 17G bytes of available disk space (27% usage)
This gives you the memory status and the disk status.
HTH
-
NAC L3 OOB does not work on WAN
I'm putting together a lab validation setup for a NAC installation.
I use Cisco Catalyst 3550 and 2950 switches (the real environment uses 3750, 2960 and 2950 switches) and have set up NAC in central L3 OOB configuration. In this configuration I have a CAS and CAM at "MAIN_SITE" and then two branch sites, "BRANCH1" and "BRANCH2".
At the main site the OOB works very well: when a user logs in, the port is moved from the authentication VLAN (290) to the role-based VLAN (200). However, the switches at the 'branches' do not put the port in the role-based VLAN, and if a port is in VLAN 200 and a PC is connected to it, the switch does not move the port to VLAN 290 (unauthenticated).
Sniffing traffic with Wireshark, I see SNMP sets sent by the CAM to the switch telling it to place the port in VLAN 200, but the switch does not.
My write community strings are configured correctly and the CAM is able to apply the initial commands on the switch for NAC (the 'snmp trap mac-notification added' commands on the ports).
Can anyone say what the problem is?
Sachin
Sachin,
Must be at least 12.1(14)EA1.
Visit this link for all the switches and supported code versions you need for OOB: http://bit.ly/SwitchSupport
HTH,
Faisal
-
second Web server on the DMZ not visible from outside
Using a PIX 515e.
I have several Web servers in the DMZ; the first web server and the mail server are set up with port mapping to the PIX outside interface IP address.
The second and third Web servers (inside interface) are configured with static mappings and access lists.
I can see the first webserver and the mail server very well, but I can not see the second or third servers.
What have I done wrong?
I suggest you analyse traffic with the PIX 'capture' command, and sniff traffic on the DMZ and on the outside.
Check whether packets arrive at the outside interface, whether they reach the web server, and whether there is a response.
Example:
access-list 120 permit ip any host 207.236.60.35
capture vpncap access-list 120 interface outside
show capture vpncap access-list 120 detail
or
https://PIX-IP-address/capture/vpncap[/pcap]
To remove the capture:
no capture vpncap
sincerely
Patrick
-
CBAC with several inspection rules
Hello
My customer is replacing an ASA/PIX IPsec hub-and-spoke network with a DMVPN network using 2921/881 routers.
All the security (ACL/CBAC) will run on the Cisco 2921 at the hub site. I have attached a simplified topology drawing of the HUB interfaces:
As you can see in the picture there are 5 active interfaces on the Cisco 2921:
LAN INT
DMZ INT
VIRTUAL INT
TUNNEL INT
WAN INT
All interfaces have an ACL applied in the inbound direction. So I have the following ACLs:
INSIDE_OUT on the LAN INT (manages traffic from the LAN to DMZ, DMVPN, Internet and remote VPN clients)
DMVPN_INSIDE_OUT on the TUNNEL INT (manages traffic from DMVPN to LAN and WAN)
VIRTUAL_INSIDE_OUT on the VIRTUAL INT (manages traffic from remote VPN users to DMVPN, LAN and WAN)
DMZ_INSIDE_OUT on the DMZ INT (open for ICMP to the Internet and to a server on the LAN)
INSIDE_IN on the WAN INT (deny all apart from ICMP, ESP, ISAKMP, etc.)
Currently I have the following 2 CBAC rules:
ip inspect name IN_OUT applied outbound on the WAN INT
ip inspect name OUT_IN_DMZ applied inbound on the WAN INT (to allow return traffic for connections initiated from the Internet to the DMZ)
But now I think that to have stateful inspection on every interface, as on an ASA, I have to configure an inspect rule inbound on each interface, or am I completely wrong?
For example, if I want a LAN server to communicate with a server on the DMZ, do I need to inspect the incoming traffic on the LAN interface to allow the return traffic from the DMZ to the LAN? Which means I need a third inspection rule, no?
Kind regards
Laurent
Laurent,
Ideally, you'd have inspection on all inbound interfaces.
However, I think that you are trying to overcomplicate things (dare I say).
Your problem would be solved by adding a stateful firewall to your design and terminating, for example, the remote VPN on it.
This would substantially reduce the load on the DMVPN routers in the case of PPE or future growth, and would allow you to do real packet filtering on a device that was actually meant to be stateful.
I will attach a picture in a moment of what I'm thinking of.
Marcin
Edit: adding a hastily made diagram.
-
Can I do this with ESXi?
Hi, I have a project and I hope to find the answer here:
I have a Dell server that supports virtualization, 64-bit... everything supports ESXi.
I have two network adapters, and I want to install 3 virtual machines, say running Windows Server 2008. On the host I'll connect NIC number 1 to a management switch and NIC number 2 to a mirror port to capture packets using Wireshark in promiscuous mode, or similar software. The first question is whether I can capture packets in promiscuous mode from a guest?
The second question: I need each of these guests running Windows Server 2008 to also have these two network cards installed and available, and I want to manage the guest through the first network card and do some packet captures via the second network card.
Is it possible to bind or map these logical cards on the guest operating system to the physical network adapters on the host? In this way, I would be able to select NIC No. 2 on the guest using Wireshark and watch only the packets that my mirror port shows at NIC 2.
Thank you.
You can create a virtual machine portgroup on each vswitch. vSwitch0 will have the management networking portgroup and a VM portgroup; vSwitch1 will have the second virtual machine network portgroup. In the settings of the virtual machine you will need to have 2 network cards, one for each virtual machine portgroup. Assuming that each VM Network portgroup is on a different IP subnet, it is just a matter of choosing which IP you access the guests by. There are a few other networking caveats when connecting networks, especially if they are already connected elsewhere, so just be aware of that when you configure the systems.
As far as sniffing the network goes... if you enable "Promiscuous" mode on the vswitch, that only allows you to sniff traffic on that vswitch. Upstream switching equipment will have to be configured the same way if you want to sniff all traffic on it, too.
I hope that helps to answer your questions...
-
DNS server records to monitor traffic.
I do not understand much about this, so I hope someone can explain it to me.
I have a DNS server configured and running successfully on my Mac mini (primary DNS server for the house).
I was wondering if there is a way to capture the DNS server logs and monitor the web sites visited by specific host IPs/names?
I don't have an example immediately available, and I expect it will involve parsing either an output channel created manually or otherwise the DNS server logs.
If your firewall blocks all outgoing DNS traffic except for DNS queries from the server (this is to prevent bypassing the DNS server, e.g. via VPN or otherwise), you can turn on extra logging through the command line, and then check the DNS server logs.
This kind of setup is probably more commonly implemented with either a network sniffer looking for DNS queries arriving at your server, or perhaps with a web proxy server, as the proxy server gets you both the client information and the target host information, and not all kinds of web-related activity end up in the DNS logs for a typical client.
Network activity from apps, app updates (various of which may look like HTTPS traffic, too), multiple data streams, etc.
HTTPS and VPNs can throw a wrench into these listening and data collection activities, unfortunately. They can hide the access or hide the DNS query, depending on the monitored computers.
There are approaches here, including firewall filtering (or logging) and OS X mechanisms such as Parental Controls, depending on the specific details of your needs. There are examples posted around the net of using Wireshark or tcpdump to acquire the DNS data from your network, as well.
Details on managing BIND 9 from the command line - i.e. when that is what's involved - are available in the ISC BIND documentation, such as for 9.10. Look for the logging statement grammar and for setting up an output channel, as a starting point.
For recent versions of OS X Server, the BIND configuration files are under /Library/Server. (See this discussion, as well.)
Changes to the configuration files can sometimes fail with Server.app, unfortunately. Close Server.app, make the changes to a copy of the file, then restart Server.app (and hope Server.app doesn't spill or undo your changes).
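Once BIND's query logging is on (a logging statement whose "queries" category points at a file channel), the remaining work is reading the log per client, which is what the reply above leaves to the reader. The following is an added example, not code from the thread or from ISC: it parses BIND 9 query-log lines into (client, name, type) records, counts names per client, and reduces address-record lookups to a "sites visited" list. The log lines are constructed (RFC 2606 names, private addresses), and the line pattern, which covers both the older "client IP#PORT:" and the newer "client @0x... IP#PORT (QNAME):" shapes, is my assumption about the format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in BIND 9 query-log shape (addresses, names and
# times are made up; the "@0x..." token appears only in newer releases, so
# both line shapes are included, plus one non-query line that must be ignored).
SAMPLE_LOG = """\
05-Jan-2016 09:15:01.123 queries: info: client 10.0.0.5#52341 (www.example.com): query: www.example.com IN A +E (10.0.0.1)
05-Jan-2016 09:15:01.456 queries: info: client 10.0.0.5#52342 (www.example.com): query: www.example.com IN AAAA +E (10.0.0.1)
05-Jan-2016 09:15:07.001 queries: info: client @0x7f3c1c0a2b10 10.0.0.7#61000 (cdn.example.net): query: cdn.example.net IN A +E(0)K (10.0.0.1)
05-Jan-2016 09:15:09.777 queries: info: client 10.0.0.5#52350 (mail.example.org): query: mail.example.org IN MX + (10.0.0.1)
05-Jan-2016 09:15:12.000 queries: info: client 10.0.0.7#61001: query: www.example.com IN A + (10.0.0.1)
05-Jan-2016 09:15:13.000 general: info: zone example.com/IN: loaded serial 2016010501
"""

# Assumed shape of a query-log line:
# "client [@0xADDR] IP#PORT [(QNAME)]: query: QNAME CLASS TYPE FLAGS (SERVER)"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return {'client', 'qname', 'qtype'} for a query-log line, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"client": m.group("ip"),
            "qname": m.group("qname").rstrip(".").lower(),
            "qtype": m.group("qtype").upper()}


def queries_by_client(text):
    """Counter of query names per client IP."""
    by_client = defaultdict(Counter)
    for line in text.splitlines():
        q = parse_query_line(line)
        if q:
            by_client[q["client"]][q["qname"]] += 1
    return dict(by_client)


def registrable_domain(qname):
    """Simplification: last two labels; no public-suffix list handling."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def sites_visited(text, client_ip, qtypes=("A", "AAAA")):
    """Sorted registrable domains a client resolved for address records,
    which is the closest a DNS log gets to 'web sites visited'."""
    sites = set()
    for line in text.splitlines():
        q = parse_query_line(line)
        if q and q["client"] == client_ip and q["qtype"] in qtypes:
            sites.add(registrable_domain(q["qname"]))
    return sorted(sites)


if __name__ == "__main__":
    for ip, names in queries_by_client(SAMPLE_LOG).items():
        print(ip, names.most_common(3), sites_visited(SAMPLE_LOG, ip))
```

Point SAMPLE_LOG at the real query log (the file named in the logging channel) and call sites_visited with the host address you care about. The caveats in the reply still apply: a client that resolves names through a VPN, DNS over HTTPS, or any resolver other than this server never appears here, and an A lookup does not prove a page was opened.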
-
Wireless - C6180 network traffic
Product: Photosmart C6180 all-in-one
The printer has been set up wirelessly to be shared among 5 computers and works very well. My concern is the amount of network traffic the printer generates.
I analyzed the network traffic generated by my computer using the Wireshark network protocol analyzer (packet sniffer). The traffic appears as a series of SNMP requests (from the computer) to the printer and SNMP responses from the printer to the computer. This is probably status reporting in near real time.
This isn't a problem, but I would like to discuss the volume of network traffic. I see about 20 requests and 20 responses per second for a single computer. Requests/responses start at port 1026 (send a request and get a response), then increment to the next port, 1027 (request/response), increment to port 1028, and continue. This continues until it hits port 5000, then starts again at port 1026. That's roughly 4000 ports every 3 minutes. Each request and response is about 100 bytes of information.
Is this traffic volume normal? Can it be reduced?
I looked in the printer and software configurations to see if it can be reduced to a minimum and cannot see a setting to reduce the traffic.
Well, I expected someone to complain about this. Also, I think it is rare as well.
What you see is the HP SW on each computer polling the printer for status. I think the PC port changes with each SNMP request, but you should see that all SNMP packets go to port 161 on the printer and that the printer responds from port 161 to the originating PC port...
You'll also see SLP show up on port 427 on the printer as well (mostly used for ARP and NETBIOS stuff).
To my dismay, this is normal (an old design in fact) and we are changing it. Yes, it's a chatty protocol, but the network bandwidth should not be significant (using your numbers – I thought the refresh frequency was 1/3 Hz):
5 computers * (20 SNMP packets/s) = 100 SNMP packets/sec * 200 bytes/SNMP-packet (estimated) = 20000 bytes/s.
(Is this a lot on an 11g wireless network, given its bandwidth?)
The real problem occurs when you have a wireless network. Because UDP is not reliable, the SNMP gets/SNMP responses may be lost, especially over the air. When this happens, the SW will retry the request, and after a series of timeouts, the HP SW will think the printer is offline.
Now to answer your original question: you can remove most of the background traffic by disabling the HP printer services. You will still be able to print but scanning will not work. Another option is to uninstall the HP SW and manually add the printer in Control Panel. Unfortunately, this also gives you printing without scanning.
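The two observations in this exchange (a source port that steps 1026..5000 and wraps, and responses that go missing on wireless) can be checked from a capture rather than by eye. The block below is an added example, not code from the thread or from HP: it builds a constructed capture with the behaviour the posts describe, computes per-poller request rate, byte rate, source-port range and lost replies, reproduces the reply's bandwidth estimate as a function, and flags pollers above a rate threshold. The packet record fields and the fake addresses are my assumptions; replace make_sample() with records read from your own capture export.

```python
from collections import defaultdict
from dataclasses import dataclass

SNMP_PORT = 161


@dataclass(frozen=True)
class Pkt:
    t: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    length: int   # bytes on the wire


def make_sample():
    """Constructed capture, not a real one: two PCs poll the printer at
    20 requests/s for one second, stepping the source port by one each time
    and wrapping from 5000 back to 1026 as the post describes; one reply to
    the second PC is lost (UDP)."""
    printer = "192.168.1.50"
    pkts = []
    for host, first_port in (("192.168.1.10", 1026), ("192.168.1.11", 4990)):
        port = first_port
        for i in range(20):
            t = i * 0.05
            pkts.append(Pkt(t, host, port, printer, SNMP_PORT, 100))           # get-request
            if not (host == "192.168.1.11" and i == 7):
                pkts.append(Pkt(t + 0.002, printer, SNMP_PORT, host, port, 110))  # response
            port = 1026 if port == 5000 else port + 1
    return sorted(pkts, key=lambda p: p.t)


def poll_stats(pkts, agent, snmp_port=SNMP_PORT):
    """Per polling host: request/response counts, lost replies, source-port
    range, and request and byte rates over that host's own capture window."""
    req = defaultdict(list)
    resp = defaultdict(list)
    for p in pkts:
        if p.dst == agent and p.dport == snmp_port:
            req[p.src].append(p)
        elif p.src == agent and p.sport == snmp_port:
            resp[p.dst].append(p)
    stats = {}
    for host, reqs in req.items():
        allp = reqs + resp[host]
        window = max(p.t for p in allp) - min(p.t for p in allp)
        n = len(reqs)
        stats[host] = {
            "requests": n,
            "responses": len(resp[host]),
            "lost": n - len(resp[host]),   # count mismatch: a loss hint, not a per-packet match
            "port_min": min(p.sport for p in reqs),
            "port_max": max(p.sport for p in reqs),
            # (n - 1) intervals span the window, so this is the steady-state rate
            "req_per_sec": (n - 1) / window if n > 1 and window > 0 else float("nan"),
            "bytes_per_sec": sum(p.length for p in allp) / window if window > 0 else float("nan"),
        }
    return stats


def estimate_total_bytes_per_sec(hosts, req_per_sec, bytes_per_exchange):
    """The back-of-envelope from the HP reply: hosts * rate * bytes per exchange."""
    return hosts * req_per_sec * bytes_per_exchange


def chatty_pollers(stats, max_req_per_sec):
    """Hosts whose SNMP request rate exceeds a policy threshold."""
    return sorted(h for h, s in stats.items() if s["req_per_sec"] > max_req_per_sec)


if __name__ == "__main__":
    st = poll_stats(make_sample(), "192.168.1.50")
    for host, s in sorted(st.items()):
        print(host, s)
    print("estimate:", estimate_total_bytes_per_sec(5, 20, 200), "bytes/s")
    print("chatty:", chatty_pollers(st, max_req_per_sec=1.0))
```

A non-zero "lost" count for a host on the wireless segment is the condition the reply says triggers retries and eventually an "offline" verdict, so it is worth watching separately from raw volume; the port_min/port_max pair shows the 1026..5000 cycling directly.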
-
Hello.
I have some questions about the use of the Sniffer.
I found the following information in the admin guide:
"A Sniffer captures raw packets of web traffic at tap points on the network or from instrumented browser pages. Sniffers decode, decrypt and analyze packets."
I'm interested in whether the Sniffer captures all web traffic and saves it to an archive, while the FMS console only shows basic information filtered by parameters such as monitored IP addresses, monitored ports, etc.
Or do the parameters for monitored IP addresses, monitored ports, etc. represent the settings of the Sniffer itself, so that web traffic not matching those settings is not captured by the Sniffer and not recorded in the archive?
I think this can help.
http://eDOCS.quest.com/Foglight/5611/doc/wwhelp/wwhimpl/common/HTML/frameset.htm?context=cartridgeAPM&file=RUECartridge-Admin/ConfiguringTrafficCapture.02.php&single=true
"Filter by IP address: Clear (default) to capture Web traffic for all IP addresses in the monitored environment. Select this option to capture only traffic to and from web servers whose IP addresses are listed on the Monitored IP Addresses dashboard. For more information, see Manage Monitored IP Addresses. Tip: in most cases, the sniffer consumes less CPU and memory resources when filtering by IP address."
So the default is to capture everything; you can check "filter by IP address" to get traffic for specific IP addresses only.
Don't forget that a sniffer has a certain capacity, and capturing 'everything' may require several sniffers. I hope this helps.
Golan
-
IDS 4215, good place for an interface sniff (LAN or DMZ)
I have this sensor with only two interfaces at work, and I was asked to check it.
IDSWORK# show version
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 1.0000 S47
OS Version 2.4.18-5smpbigphys-4215
Platform: IDS-4215
One interface, Ethernet 0, is connected to a switch in the DMZ, and Ethernet 1 is connected to a 4005 switch. Logically I have to monitor the DMZ, not the 4005 switch (since I had only two interfaces in my case); am I right?
That means that Ethernet 0 should be the sniffing (monitoring) interface since it is connected to the DMZ, and interface 1 should be command and control since it is connected to the 4005 switch, but according to the Cisco specifications
Table 5-2
FastEthernet0/0: Interfaces supporting Inline VLAN pairs (sensing port)
FastEthernet0/1: Interfaces that do not support Inline (command and control port)
Note: Cisco mentions FastEthernet, while I have Ethernet; does that make any difference?
Because I did not do this configuration, it was done by someone else, should I change this?
It seems that your box is equipped with the basic ports (2 x Ethernet), with E0 as the C&C port while E1 is the monitoring port.
BTW, Ethernet/FastEthernet ports are in fact the same.
To monitor your DMZ segment, then, place E1 in that segment and E0 on the inside segment where, in addition to managing the box from its web management or CLI interface, you probably can use the basic VMS that comes free with it.
And since you have a dedicated switch hosting the entire DMZ segment, you can easily monitor (SPAN) all of it and send all traffic to the IDS box.
If you need to change the configuration, you may need to test at least to verify which signatures are enabled/disabled, that the PC/mgmt host is allowed to access the box, and so on. But it is good practice to audit and review the new config/setup, as it is a security zone you need to monitor, and you are talking about all the possible threats, attacks or violations.
HTH
AK
-
All,
Got the setup below, and I'm looking for confirmation that it works; your inputs please.
core sw1 <------------------- trunk -------------------> core sw2
   |                                                       |
   |                                                       |
distribution L3 switch1  (no back-to-back connection)  distribution L3 switch2
   |                                                       |
 trunk                                                   trunk
   |                                                       |
access layer switch sw1 - trunk connection to both distribution switches
(1) I have core switches (SW1 and SW2) connected to the distribution switches (Distribution L3 SW1 and SW2); the ports are configured as trunks with an L3 interface vlan 40, vlan 40 forming an EIGRP neighborship with distribution, so the ports between the switches use both L2 and L3. HSRP is also configured on vlan 40: active (sw1), standby (sw2).
(2) distribution switches - connected to the core with trunks, & int vlan 40 forming an EIGRP neighborship with both core switches - no HSRP on vlan 40 configured on the distribution switches
(4) access layer switch - connected to the distribution switches with L2 trunks, vlan 40 allowed. The gateway for this switch is now the HSRP active address on vlan 40 at the core
(5) on the access switch, the port connected to Distribution sw1 is in STP FWD state, the other port in BLK state
I would like to check with you: if the connection between the access switch and distribution switch 1 goes down, will STP take the second port out of the BLK state and put it into forwarding state, &
will traffic hit core sw2 and reach the HSRP active gateway IP on core sw1?
I would say it should work fine as long as the EIGRP path cost is in line with your switch bridge ID to designated paths. If you are running equal-cost paths and default bridge IDs, it can cause some strange default paths, so I think that is your primary consideration.
-
ASA 5505 transparent mode doesn't pass traffic
Hi all
need help
The ASA 5505 does not pass traffic as a transparent bridge; how do I get traffic through it?
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Sat 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 55 mins 31 secs
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is e4d3.f193.9486, irq 11
 1: Ext: Ethernet0/0         : address is e4d3.f193.947e, irq 255
 2: Ext: Ethernet0/1         : address is e4d3.f193.947f, irq 255
 3: Ext: Ethernet0/2         : address is e4d3.f193.9480, irq 255
 4: Ext: Ethernet0/3         : address is e4d3.f193.9481, irq 255
 5: Ext: Ethernet0/4         : address is e4d3.f193.9482, irq 255
 6: Ext: Ethernet0/5         : address is e4d3.f193.9483, irq 255
 7: Ext: Ethernet0/6         : address is e4d3.f193.9484, irq 255
 8: Ext: Ethernet0/7         : address is e4d3.f193.9485, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
This platform has a Base license.
Configuration register is 0x1
Configuration last modified by enable_15 at 20:34:47.689 UTC Wed Dec 5 2012
ciscoasa#
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
firewall transparent
hostname ciscoasa
enable password 8eeGnt0NEFObbH6U encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
ftp mode passive
access-list outs_in extended permit ip any any
access-list outs_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no ip address
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outs_in in interface inside
access-group outs_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e
: end
ciscoasa#
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outs_in; 2 elements; name hash: 0xd6c65ba5
access-list outs_in line 1 extended permit ip any any (hitcnt=0) 0x7d210842
access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5
ciscoasa#
Hello
Exactly... Good to know it works now.
Do you know why it needs the IP address (being a transparent firewall)?
The ASA will act as a transparent layer 2 device on the network, but what happens when the ASA does not know a particular destination MAC address... what would be the source IP address of the packet it sends to find it? The IP address of the ASA. So that's the main reason why we need it.
We also use it for management traffic and for AAA services (if authentication is used, the ASA will send the AAA authentication request to the server with this IP address as the source).
Please mark the question as answered, so future users can benefit from this.
Julio Carvajal
Costa Rica
-
Traffic does not pass through the IDSM-2 module in a 6509
Hello
I have a similar issue when setting up the IDSM-2 in inline mode. My scenario is that I want to deploy the IDSM-2 in inline mode between two VLANs (vlan 20 and vlan 30). When traffic goes from vlan 20 to vlan 30 and vice versa, it should pass through the IDSM-2. I have configured the module and the switch (6500 and IDSM-2) according to the Cisco configuration guide, but unfortunately it does not work. I don't get the logs for the actions configured on the IDSM-2.
For information and review, I enclose all the config with snapshots of the IDM.
config on the 6509 switch:
intrusion-detection module 1 management-port access-vlan 90
intrusion-detection module 1 data-port 1 access-vlan 20
intrusion-detection module 1 data-port 2 access-vlan 30
int vlan 20
 ip address 10.20.1.1 255.255.255.0
int vlan 30
 ip address 10.30.1.1 255.255.255.0
int vlan 90
 ip address 10.90.1.1 255.255.255.0
Please advise.
Thank you
Aman
The IDSM is a bridging device.
You have configured different IP subnets on the two layer 3 VLAN interfaces. You must have the same IP subnet on the two VLANs (inside and outside of the IDSM).
Normally you will have a layer 3 VLAN interface for the first VLAN, and the second VLAN will not have any layer 3 VLAN interface; this is where you put your servers. Traffic would flow as such:
Server 10.20.1.2 (default gateway 10.20.1.1) - VLAN 30 - IDSM - VLAN 20 - SVI VLAN 20 10.20.1.1
If you need to pass traffic through the IDSM between two L3 VLANs, you need to separate the L3 VLANs into two VRFs, and the two VLANs must be in the same IP subnet.
-
TACACS+ traffic over the public Internet
Hi all
We have network devices that do not have intranet/VPN connections to the internal central TACACS+ servers behind the corp firewalls. I wonder whether it is an acceptable practice to send TACACS+ traffic over the public Internet? The TACACS+ payload is encrypted, but an attacker can always tell that a packet is a TACACS+ packet with a sniffer.
Thank you
Are the TACACS+ servers reachable from Internet sources? (Basically, it's a combination of whether there is a static public address translation for the TACACS+ servers, and whether the Internet-facing firewall's access policies allow devices to initiate traffic to the TACACS+ servers.) If the answer to either of these conditions is no, there is no point in considering sending TACACS+ traffic over the Internet because it would not succeed. If both conditions are met, then the TACACS+ traffic could be transmitted.
And if the traffic could be passed, then it becomes a question of the company's posture toward the risk of Internet access. The good news is that TACACS+ data is encrypted, so an attacker will not observe the user ID or password data. But the bad news is that you have now opened an attack vector to critical network devices. Only someone who knows the business's risk position can determine whether the benefit of TACACS+ for the remote sites is worth the risk.
HTH
Rick