IOS transparent firewall
Hello
I am trying to configure the IOS transparent firewall on a 2600 box with IOS 12.4(1), following the available guide.
FastEthernet 0/0 - internal, IP address 10.0.0.1
FastEthernet 0/1 - external, no IP address
Both belong to the same bridge group 1, and 'show bridge group' shows both of them as "forwarding".
A laptop is attached to the external interface for the test (with a LAN IP address), and I can ping the Cisco box from it if I add an IP address to the external interface.
However, bridging doesn't seem to work. I am trying to ping the laptop's address and I see no replies to the ARP requests. 'show bridge' shows that the router knows the laptop's MAC, but it doesn't bother to respond to the ARP requests. Any ideas?
I am applying no access list for now, until I get bridging working.
Thank you
Andrey
I've never set it up before, but reading a doc about it shows this:
From:
http://www.Cisco.com/en/us/products/SW/iosswrel/ps5207/products_feature_guide09186a00801ee193.html
BVI System Requirements
If a BVI is not configured, you must disable IP routing (via the no ip routing command) for the transparent operation to take effect.
If configured, a BVI must be configured with an IP address in the same subnet.
You must configure a BVI if more than two interfaces are placed in a bridge group.
From the doc, it seems you must use a BVI configuration and not put an IP address on the FastEthernet interface if you also have routing functionality in the bridge group.
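As an added example (not from this thread and not Cisco tooling), the following Python script checks an IOS running-config against the two mechanical rules quoted above (no BVI means `no ip routing` is required; more than two bridge-group members means a BVI is required) and additionally flags a bridge-group member that carries an IP address, which is the point the reply draws from the doc. Both sample configs are constructed for the example; the "same subnet" rule is not checked because it needs the LAN subnet as an extra input.

```python
import re

# Constructed sample modelled on the original poster's setup: an IP address on a
# bridged FastEthernet interface, no BVI, and IP routing left enabled.
OP_STYLE_CONFIG = """\
hostname tfw-2600
!
bridge irb
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 bridge-group 1
!
bridge 1 protocol ieee
"""

# Constructed sample following the reply: address on the BVI, members unaddressed.
BVI_CONFIG = """\
hostname tfw-2600
!
bridge irb
!
interface FastEthernet0/0
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 10.0.0.1 255.255.255.0
!
bridge 1 protocol ieee
"""


def parse_ios_config(text):
    """Split running-config text into global lines and per-interface sub-lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def check_bridge_groups(text):
    """Return a list of findings; an empty list means the quoted rules hold."""
    global_lines, interfaces = parse_ios_config(text)
    members = {}        # bridge-group number -> member interface names
    addressed = set()   # interfaces carrying an 'ip address' line
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"bridge-group (\d+)$", l)
            if m:
                members.setdefault(int(m.group(1)), []).append(name)
            if l.startswith("ip address "):
                addressed.add(name)
    routing_disabled = "no ip routing" in global_lines
    findings = []
    for num, ifaces in sorted(members.items()):
        bvi = f"BVI{num}"
        if bvi in interfaces:
            if bvi not in addressed:
                findings.append(f"{bvi} is configured but has no ip address")
        else:
            if len(ifaces) > 2:
                findings.append(f"bridge-group {num} has {len(ifaces)} members, so a BVI is required")
            if not routing_disabled:
                findings.append(f"bridge-group {num} has no BVI, so 'no ip routing' is required")
        for iface in ifaces:
            if iface in addressed:
                # The reply's recommendation: keep the address on the BVI, not on members.
                findings.append(f"{iface} is in bridge-group {num} and carries an ip address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("OP-style", OP_STYLE_CONFIG), ("BVI", BVI_CONFIG)):
        print(label, check_bridge_groups(cfg) or ["ok"])
```

Run against the OP-style sample it reports two findings (routing not disabled, and an address on FastEthernet0/0); the BVI sample passes clean. Paste your own `show running-config` into the string to check a real box.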
Similar Questions
-
Redundancy for transparent firewall IOS
Is there a way to implement redundancy with the IOS (12.3.7T) transparent firewall?
If not, does it work with PIX 7.0 with failover?
Thank you
No and no. There is no failover mechanism in the IOS FW, and the two code bases are independent of each other, so they can't work together as a failover pair. You will need two PIXes for failover.
I hope this helps.
Scott
-
Does the PIX firewall support transparent mode?
Not currently on the PIX device, but it's on the roadmap. FWSM 2.1 code (expected in December '03) will support this feature.
Scott
-
Hi experts.
What are the impacts (positive and negative) of replacing a network architecture with a layer 3 firewall by an architecture with a layer 2 firewall for the corporate network? Do I not get the same level of security?
Regards
Wesley
Visit this link for more information.
-
Implementing a Cisco 2901 as a transparent IOS IPS (like the IOS transparent firewall)
Searching for in-depth guides on transparent IOS IPS configuration; any links to relevant worked examples would be appreciated, thanks.
Would using the bridge-group CLI or Cisco Configuration Professional (CCP) get me to a transparent IOS IPS?
http://www.Cisco.com/c/en/us/TD/docs/iOS/security/configuration/guide/12...
http://www.Cisco.com/c/en/us/products/collateral/security/iOS-firewall/p...
-
ASA 5505 Firewall Transparent with a Server Web Question
I need to replace my Sonicwall firewall and I got an ASA 5505. However, I need a transparent firewall, no NATting, and the web server will have a public IP with the relevant ports remaining open.
The simple illustration is: Internet ---> transparent firewall ---> web server (with public IP address)
1. There should be no NATting.
2. The web server must have a public IP address and be accessible from the Internet.
3. Ports can be blocked or re-opened.
Please let me know if it's possible to achieve this.
If so, can I get a command-line sequence that makes this work.
My version is
Cisco Adaptive Security Appliance Software Version 4,0000 5
Device Manager Version 6.4(9)
Thanks in advance
Post edited by: Don Charles
Here is a minimal configuration for your needs (runs on an ASA 5520).
!
firewall transparent
!
interface GigabitEthernet0
 description -Internet-
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet3
 description -connected to the LAN-
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 description -management only-
 ip address 10.1.10.1 255.255.255.0
!
object network WWW-SERVER-OBJ
 description -webserver-
 host 123.123.123.123
!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 description -Services published on the WEB server-
 port-object eq www
 port-object eq https
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
!
access-group OUTSIDE-IN-ACL in interface outside
!
Samuel Petrescu
-
PIX as a transparent (bridging) firewall?
I'm doing a school project that involves using a PIX firewall between the ISP and the network edge router. The goal is to make the network as secure as possible using only the PIX. Ideally, I'd like it so that an attacker could not even see that the PIX is there. That made me wonder whether the PIX can act as a transparent firewall, in other words having no IPs assigned to the interfaces and doing no routing, simply inspecting/forwarding traffic between the inside and outside interfaces. Otherwise, I'll have to create a small /30 between the ISP and the PIX outside, another between the PIX inside and the border router, and route between them.
If I do the latter, can you give me advice on how to secure the PIX further? Here is my config:
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pixfirewall
domain-name pix.local
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.252
ip address inside 10.0.0.5 255.255.255.252
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name AttackPolicy attack action alarm drop reset
ip audit name InfoPolicy info action alarm drop reset
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ip audit interface inside InfoPolicy
ip audit interface inside AttackPolicy
ip audit signature 2000 disable
ip audit signature 2004 disable
no pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 5
terminal width 80
Any help is appreciated! Thank you!
Chris
The PIX cannot currently act as a layer 2 firewall; this feature will be in the next major version of the code, which should be out later this year. For now you will need a small subnet between the ISP and the PIX.
If you do not want the PIX to be seen, then the first thing is to make sure it does not respond to pings. Use the "icmp" command (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574) for that. Make sure you still allow ICMP unreachables to the outside interface so that Path MTU Discovery can work properly (http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail).
Other than that, it looks very good, pretty standard.
-
ASA 5505 transparent mode doesn't pass traffic
Hi all
need help
The ASA 5505 does not pass traffic as a bridging firewall; how do you get traffic through?
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Sat 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 55 mins 31 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0 : address is e4d3.f193.9486, irq 11
 1: Ext: Ethernet0/0 : address is e4d3.f193.947e, irq 255
 2: Ext: Ethernet0/1 : address is e4d3.f193.947f, irq 255
 3: Ext: Ethernet0/2 : address is e4d3.f193.9480, irq 255
 4: Ext: Ethernet0/3 : address is e4d3.f193.9481, irq 255
 5: Ext: Ethernet0/4 : address is e4d3.f193.9482, irq 255
 6: Ext: Ethernet0/5 : address is e4d3.f193.9483, irq 255
 7: Ext: Ethernet0/6 : address is e4d3.f193.9484, irq 255
 8: Ext: Ethernet0/7 : address is e4d3.f193.9485, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Configuration register is 0x1
Configuration last modified by enable_15 at 20:34:47.689 UTC Wed Dec 5 2012
ciscoasa#
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
firewall transparent
hostname ciscoasa
enable password 8eeGnt0NEFObbH6U encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
ftp mode passive
access-list outs_in extended permit ip any any
access-list outs_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no ip address
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outs_in in interface inside
access-group outs_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e
: end
ciscoasa#
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outs_in; 2 elements; name hash: 0xd6c65ba5
access-list outs_in line 1 extended permit ip any any (hitcnt=0) 0x7d210842
access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5
ciscoasa#
Hello
Exactly... Good to know it works now.
Do you know why it needs the IP address (as a transparent firewall)?
The ASA will act as a transparent layer 2 device on the network, but what happens when the ASA does not have a particular destination MAC address... What would be the source IP address of the packet? The IP address of the ASA. So that's the main reason why we need it.
We also use it for management traffic and for AAA services (if authentication is used, the ASA will send the AAA authentication request to the server with this source IP address).
Please mark the question as answered, so future users can benefit from it.
Julio Carvajal
Costa Rica
-
transparent mode with AIP-SSM-20
I currently have an ASA 5510 in routed mode with an AIP-SSM-20.
It is necessary to use a fiber-optic connection between the ASA and the ASA on campus, so the AIP-SSM will need to be removed and replaced by the SSM-4GE. This part should present no problems.
However, this will remove the IPS device, and I still want to use IPS.
So what I'm thinking is to get another ASA 5510, install the AIP-SSM in it, configure that ASA as transparent and put it between the inside of the routed ASA and my local network. The transparent ASA would strictly work as an IPS appliance.
The setup should look like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is it possible to configure the ASA and AIP-SSM such that traffic to and from a particular server completely bypasses the AIP-SSM?
I have a couple of file servers which generate heavy traffic and could overload the AIP-SSM.
Kind regards.
AFAIR, there is no problem installing the AIP in a transparent firewall.
"The ASA in transparent mode can run IPS. In the event that the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no, there is no problem excluding certain hosts/ports/subnets from IPS inspection via MPF.
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744
What I would consider however is whether the ASA 5510 as a second-level firewall behind 5520s will be enough.
http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html
HTH,
Marcin
-
IPSEC VPN site to site on Transparent mode
Hello
Does the new version of the ASA OS support site-to-site IPSEC VPN to partners in transparent mode?
Thank you very much
Kind regards
J
The transparent firewall supports site-to-site VPN tunnels for management connections only. It doesn't terminate VPN connections for traffic through the ASA. You can pass VPN traffic through the ASA using an extended access list, but it does not terminate those connections itself. Clientless SSL VPN is also not supported.
-
Catalyst 6500 switch configuration for inline IPS operation on the IDSM
I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLANs for inline operation.
However, I don't see any document that describes how the desired VLAN traffic gets forced through the IPS.
In "promiscuous" mode, you can use VACL copy/capture to forward the desired traffic to the IDSM for analysis. I don't see how to get the desired traffic through the IPS inline.
Note that the 6500 is running native IOS 12.2(18)SXE.
Thanks for any help.
A transparent firewall is a pretty good comparison.
Say you have VLAN 10 with 100 PCs and 1 router for the network.
If you want to apply a transparent firewall on this VLAN you can't just put the firewall interface on VLAN 10. Nothing would go through the firewall.
Instead, you need to create a new VLAN, say 1010. Now you place one firewall interface on VLAN 10 and the other on VLAN 1010. Still nothing is going through the firewall. So now you move that router from VLAN 10 to VLAN 1010. All you do is change the VLAN; the IP address and mask of the router remain the same.
The transparent firewall bridges VLAN 10 and VLAN 1010. The PCs on VLAN 10 are able to communicate out through the router, but must go through the transparent firewall to do so.
The firewall is transparent because there is no IP route between the 2 VLANs; instead, the same IP subnet is on both VLANs and the transparent firewall does the bridging between the 2 VLANs.
The transparent firewall can firewall between the PCs on VLAN 10 and the router on VLAN 1010. But when PC A on VLAN 10 talks to PC B on VLAN 10, the transparent firewall does not see that traffic and cannot block it.
An inline sensor is very similar to the transparent firewall and will bridge between the 2 VLANs. And similarly an inline sensor is able to monitor inline the traffic between PCs on VLAN 10 and the router on VLAN 1010, but will not be able to monitor the traffic between 2 PCs on VLAN 10.
Now the PCs on one VLAN and the router on the other VLAN is a classic deployment for inline sensors, but your VLAN need not be divided that way. You can choose to place some servers in one VLAN and desktops in the other VLAN. You subdivide the VLAN in whatever way is logical for your deployment.
Now for monitoring several VLANs the same principle still applies. You can't monitor traffic between machines on the same VLAN. So for each VLAN that you want to analyze, you will need to create a new VLAN and divide the machines between the 2 VLANs.
In your case with native IOS, you are limited to only 1 VLAN pair for inline monitoring, but your desired deployment would require 20 VLAN pairs.
The IPS 5.1 software now has the ability to handle the 20 pairs, but the native IOS software doesn't have the ability to send the 40 VLANs (20 pairs) to the IDSM-2.
Changes in native IOS are in testing right now, but I have not heard a release date for these changes.
Now CatOS has already made these changes. So here is a basic breakdown of what you could do in CatOS, which you can use to prepare for a native IOS deployment when it comes out.
For VLANs 10-20 and 300-310, which you want monitored, you will need to break each of those VLANs into 2 VLANs.
Let's say we keep it simple and add 500 to each VLAN in order to create the new VLAN for each pair.
Therefore, the following pairs:
10/510, 11/511, 12/512, etc...
300/800, 301/801, 302/802, etc...
You configure the sensor port to trunk all 40 VLANs:
set trunk 5/7 10-20,300-310,510-520,800-810
(And then clear all other VLANs off this trunk to clean things up)
In the IDSM-2 configuration create the 20 inline VLAN pairs on interface GigabitEthernet0/7
Now on each of the 20 original VLANs, move the default router for that original VLAN to the VLAN 500 above it.
At this point, you should be good to go. The IDSM-2 will not monitor traffic that remains inside each of the 20 original VLANs, but will monitor the traffic routed in and out of each of the 20 VLANs.
Due to a switch bug, you may need to have an extra PC moved to the same VLAN as the router if the switch/MSFC is used as the router and you deploy with an IDSM-2.
-
Block the specific IP traffic in ASA 5505
Hi, we have an ASA 5505 in transparent mode and run a web service online. However, we notice a number of intrusion attempts from China and Korea and we need to block traffic from these IPs. Can anyone help please?
The config script is:
firewall transparent
hostname xxyyASA
enable password msi14F/SlH4ZLjHH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description -Internet-
 switchport access vlan 2
!
interface Ethernet0/1
 description -connected to the LAN-
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan2
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 description -management only-
 ip address xxx.yyy.zzz.uuu 255.255.xxx.yyy
!
ftp mode passive
object network WWW-SERVER-OBJ
 host xxx.yyy.zzz.jjj
 description -webserver-
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 description -Services published on the WEB server-
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 description -Services published on the WEB server - UDP-
 port-object range 221 225
 port-object range 1719 1740
access-list OUTSIDE-IN-ACL extended deny tcp any any eq 3306
access-list OUTSIDE-IN-ACL extended deny tcp any any eq telnet
access-list OUTSIDE-IN-ACL extended permit icmp any any
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.uuu object WWW-SERVER-OBJ eq 3306
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
We need to block access from a host, say 64.15.152.208.
Just need the best steps to follow to block access, without affecting the service or other hosts.
Thank you
Insert a line like:
access-list OUTSIDE-IN-ACL extended deny ip host 64.15.152.208 any
in front of your 3rd line "... permit icmp any any".
If you have many of them, maybe do:
object-group network BLACKLIST
 network-object host 64.15.152.208
 network-object host another.bad.ip.here
 network-object entire.dubious.subnet.here 255.255.255.0
 ...
access-list OUTSIDE-IN-ACL extended deny ip object-group BLACKLIST any
If you want to take reputation scores into account on the outside, or the blacklist changes a lot, you might look into the Cisco ASA IPS module.
Note that blocking bad hosts helps with targeted attacks, but not with denial of service; it only moves the drop point from the application server to the firewall, with no net effect on your uplink bandwidth consumption.
-Jim Leinweber, WI State Lab of hygiene
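The reply above places the deny entry before the "permit icmp any any" line because the ASA evaluates an ACL top-down and stops at the first match. The following Python script, added here as an example and not from the thread or from Cisco, models that first-match evaluation over a constructed copy of the thread's ACL and shows what changes when the same deny is appended at the end instead. The web server address (192.0.2.10) and the second client (198.51.100.7) are constructed placeholders, and the parser understands only the plain `any`, `host A.B.C.D` and `A.B.C.D MASK` forms, not the thread's object and object-group references.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports accepted after 'eq'; extend as needed.
PORT_NAMES = {"www": 80, "https": 443, "telnet": 23, "ssh": 22}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACL line: " + line)
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation; returns (action, line number). Implicit deny is line 0."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", 0


WEB_SERVER = "192.0.2.10"       # constructed stand-in for the thread's xxx.yyy.zzz.jjj
BAD_HOST = "64.15.152.208"      # the host the question wants blocked

# Constructed ACL modelled on the thread's, using plain host/port forms instead
# of the object and object-group references the parser does not understand.
BASE = [
    "access-list OUTSIDE-IN-ACL extended deny tcp any any eq 3306",
    "access-list OUTSIDE-IN-ACL extended deny tcp any any eq telnet",
    "access-list OUTSIDE-IN-ACL extended permit icmp any any",
    f"access-list OUTSIDE-IN-ACL extended permit tcp any host {WEB_SERVER} eq www",
    f"access-list OUTSIDE-IN-ACL extended permit tcp any host {WEB_SERVER} eq https",
]
DENY_LINE = f"access-list OUTSIDE-IN-ACL extended deny ip host {BAD_HOST} any"

ACL_DENY_FIRST = [parse_ace(l) for l in BASE[:2] + [DENY_LINE] + BASE[2:]]  # as the reply says
ACL_DENY_LAST = [parse_ace(l) for l in BASE + [DENY_LINE]]                   # appended instead


def compare_placement():
    """Outcome of a few flows under each placement of the deny entry."""
    flows = {
        "bad_host_icmp": ("icmp", BAD_HOST, WEB_SERVER, None),
        "bad_host_http": ("tcp", BAD_HOST, WEB_SERVER, 80),
        "other_http": ("tcp", "198.51.100.7", WEB_SERVER, 80),
        "other_mysql": ("tcp", "198.51.100.7", WEB_SERVER, 3306),
    }
    return {
        name: {flow: evaluate(acl, *args)[0] for flow, args in flows.items()}
        for name, acl in (("deny_first", ACL_DENY_FIRST), ("deny_last", ACL_DENY_LAST))
    }


if __name__ == "__main__":
    for placement, outcome in compare_placement().items():
        print(placement, outcome)
```

With the deny inserted before the permits, every flow from 64.15.152.208 is dropped while other clients keep reaching the web ports; appended at the end, the earlier "permit icmp any any" and "permit tcp ... eq www" entries match first and the blocked host still gets through, which is exactly why the reply says "in front of your 3rd line".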
-
Hi all
Is there any way that I can balance workloads across both routers?
I have an ASA with two attached routers; each router has two instances of HSRP running, each with its own IP address, and each router is the primary for one of the HSRP instances. If there was no ASA in the way I would set DHCP to hand out one gateway or the other and hey presto, load balancing (of a sort). However, I can't do that as the ASA has only a single internal IP address. The routers handle NATting because they are on different IP ranges on different Internet service providers.
I can't use GLBP as the changing external IP would break VPN, RDP and SMTP connections.
Is it possible to make the ASA route based on the source IP address, or is there any other means to split the traffic between the two routers?
Thanks in advance,
Scott
You cannot route based on source IP with only a firewall; with a router it is possible by PBR.
You can give each of them a static route pointing to a different router with a different metric.
In this case, it will make the topology active/standby, which is not good in your case.
But you can use subinterfaces in your case: give the ASA subinterfaces, each subinterface in a different subnet with a different security level,
and let each subinterface use a different HSRP instance.
Or there is another way.
IF you are not using VPN on your ASA you can go with multiple context.
In multiple context you're going to separate your firewall virtually.
So if you have two VLANs in your network (two different subnets),
then each subnet uses almost a different firewall.
You are going to divide the internal interface into two subinterfaces,
and you can use a shared outside interface between the contexts, or separate it into two subinterfaces,
and assign these interfaces to each context.
So you go to each context as a different firewall,
and you can use a different HSRP instance on each context.
But in multiple context, you can't use VPN on the firewall.
Use the following method.
THE OTHER WAY THAT I ALSO SUGGEST YOU TRY IS THE transparent firewall.
In this case your firewall works in L2 mode,
so you can use the routers' HSRP IPs as if there is no firewall in the path,
which I think is useful for your case also.
In transparent mode the default gateway for your clients will be the HSRP IP, because the firewall will not have anything except the management IPs.
The users will also be in the same IP subnet as the gateway, in your case the HSRP VIP,
and also, you can control the security of the network through the firewall normally.
Try this way and let me know.
See the following link for the configuration.
Please rate if useful.
-
Hardening of the cisco devices
Hello
I'm looking for some documentation on how to 'harden' a Cisco device. I am after those for IOS routers, PIX firewalls, set-command switches and also IOS-command switches. I searched on CCEL, but did not find anything useful. Thanks in advance for your help.
IOS:
http://www.cisecurity.org/bench_cisco.html
http://www.NSA.gov/SNAC/downloads_cisco.cfm?menuid=scg10.3.1
I'm not aware of any such guides for PIX OS or Catalyst devices, but many of the ideas are the same (i.e. assess who you allow admin/snmp/etc. access by IP address, etc.).
-
What version of PDM for PIX 6.3(4) on a 515E?
I loaded the latest PDM bin 4.1(1) for PIX OS ver 6.3(4) but I get an error message when I try to access the new PDM:
"Cisco PDM 4.0 for FWSM does not work on PIX. Please install Cisco PDM 3.0 on your PIX"
Hmmm, a PIX Device Manager which does not work on PIX? Were the links wrong on the cisco.com page that pointed me to this location?
http://www.Cisco.com/cgi-bin/tablebuild.pl/PIX
Are these compatible versions?
Here's my version:
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 4.1(1)
Yes, this message is absolutely right; version 4.x PDM is just for the Firewall Switch Module and is not supported on the PIX device. FWSM supports transparent firewall features that the PIX does not currently support.
Use PDM version 3.0.2.
There will be a new PDM with the PIX OS 7.0 release in the first quarter of 2005.
sincerely
Patrick