PIX configuration as a blocking device w/ TACACS+ authentication

Hello

I have a PIX running version 6.3(1). The PIX is configured to use a CSACS 3.1 server for AAA authentication and authorization with TACACS+. The sensor is running 2.0000 Sig46.

Before adding AAA for the PIX, the sensor was able to connect and set up shuns correctly. Since adding the AAA configuration to the PIX, I have been unable to get the sensor to connect to the PIX for shunning.

I created a login and password with admin rights for the IDS sensor to connect and create shuns. I can authenticate and build shuns manually via Telnet and SSH using this login. I have tried removing and re-adding the blocking device several times.

When I configure the PIX as a Telnet blocking device, I see the network device state as "initializing" when looking at the IDM statistics. When I configure the PIX as an SSH blocking device, I see the state as "inactive".

Please let me know if you have any suggestions; if not, I guess I will open a case with TAC. Thanks in advance for the help!

Kind regards

Chad

Make sure the PIX is in the list of allowed hosts. From the CLI, type

configure terminal

ssh host-key (pix interface ip)

Check that you have associated the PIX with a logical device. The logical device record contains the username, password and enable password. Using IDM, it is selected from a drop-down list on the blocking devices page.

Tags: Cisco Security

Similar Questions

  • I get a popup that says no audio device input found. Make sure that your audio hardware is working and check your audio configuration in the audio device and sound themes control panel

    I get a popup that says that no sound device input is found; make sure that your audio hardware works and check your audio configuration in the audio device and sound themes control panel

    Hello

    1. What operating system is installed on the computer?

    2. When exactly do you receive this pop-up?

    3. Are you able to play sounds using Windows Media Player?

    Please provide more information on the issue so that we can help you better.

    In the meantime, try the troubleshooting steps provided in the link below to solve the problem.

    No sound in Windows

    http://Windows.Microsoft.com/en-us/Windows/help/no-sound-in-Windows

  • I get this message: your computer seems to be configured correctly, but the device or resource (DNS server) is not responding

    Hello

    My computer is struggling to access the internet. I get this message: your computer seems to be configured correctly, but the device or resource (DNS server) is not responding. All the other computers in my house are connected without difficulty. Any suggestions?

    Thank you

    I solved the problem. When my router lost power, somehow the addresses changed so that the IP address of the Dell wireless computer no longer fell in the pool of addresses maintained by the router. When I reconfigured the router and released and renewed the IP on the Dell computer, everything started working again.

    Thanks for your help!

  • How to restore the configuration on a new FireSIGHT (device RMA)?

    How do I restore the configuration on a new FireSIGHT (device RMA)?

    Does the new FireSIGHT need a license again or not?

    Licenses are tied to the license key of the FireSIGHT Management Center. The key is a combination of the platform type (model) and the MAC address of the server.

    So, yes, you will need them reissued. The TAC case that got you the RMA can serve as the basis for a request to the licensing team for the reissue.

  • ACS 4.2 TACACS+ authentication failure. Key mismatch

    I have configured 10 layer 2 switches (C3750-ADVIPSERVICESK9-M, Version 12.2(40)SE) to use TACACS+. They are all using the same key and work correctly. I went to another 3750 switch located across a point-to-point circuit, Cisco C3750 software (C3750-IPBASEK9-M), Version 12.2(35)SE5. I entered the routine configuration and then entered the key, tried to connect as a user and got authentication failed. I checked the server and see key mismatches in the reports and activity; the attempt failed. I removed the key, copied and pasted it from Notepad, still does not work. Removed the switch from the network device group in ACS and then re-added it, put in a new key without special characters. No go.

    Here is the config.

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ enable
    aaa authentication login NO_AAA local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated

    ip tacacs source-interface FastEthernet0/0

    tacacs-server host 10.1.1.1
    radius-server key 0 itspassword
    radius-server application made

    Initially, the password was encrypted, so I changed it to clear text by typing the password without the 0 and with the 0. Neither worked. Also removed service password-encryption to see if that would do anything.

    I usually use SSH to the router, so I changed it to accept telnet. That did not work. Changed SSH, reset the RSA keys and modified it so that it uses SSH2, which did not work.

    Here's what I get from the logs

    Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
    Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
    Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
    Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
    Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
    Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
    Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
    Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
    Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
    Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
    Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
    Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
    Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
    Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
    Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.

    I looked around the forum for about 4 hours, trying all the other options that were given to other people with a similar problem. The last key that I put in was 123456. You can't fat-finger that. The switch log says to check the key; the firewall is configured to allow all traffic from the AAA client.

    Hi green2003 mg,

    The key override on the group (the NDG your switch belongs to). Have you checked that one?

    Greetz,

    Julia
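    The "(check keys)" lines above are the usual signature of a TACACS+ shared-key mismatch. As an added example (not code from the original thread), this small Python analyzer reads Cisco IOS `debug tacacs` output, tallies per server how many connection attempts ended that way, and names the servers whose key should be compared against ACS (including any NDG key override). The function names and the sample log are constructed for this example; the log reuses the thread's lines plus one healthy server.

```python
"""Added example (not from the original thread): analyze Cisco IOS 'debug tacacs'
output and flag TACACS+ shared-key mismatches per server.
Why it works: the TACACS+ header is cleartext but the body is obfuscated with the
shared key. With the wrong key the body decodes to garbage, its inner length fields
no longer match the bytes received, and IOS logs 'received bad AUTHEN packet ...'
followed by '(check keys)'. SAMPLE_DEBUG is constructed from the thread's lines."""
import re
from collections import defaultdict

OPENING_RE = re.compile(r"TAC\+: Opening TCP/IP to (?P<server>[\d.]+)/\d+")
BADLEN_RE = re.compile(r"TAC\+: received bad AUTHEN packet: length = (?P<got>\d+), expected (?P<exp>\d+)")
CHECKKEYS_RE = re.compile(r"TAC\+: Invalid \S+ packet \(check keys\)")

def analyze_tacacs_debug(text):
    """Per server: connection attempts, '(check keys)' failures and bad (got, expected) lengths."""
    stats = defaultdict(lambda: {"attempts": 0, "key_mismatch": 0, "bad_lengths": []})
    current = None  # server of the connection currently being traced
    for line in text.splitlines():
        m = OPENING_RE.search(line)
        if m:
            current = m.group("server")
            stats[current]["attempts"] += 1
            continue
        if current is None:
            continue  # lines before the first connection carry no server context
        m = BADLEN_RE.search(line)
        if m:
            stats[current]["bad_lengths"].append((int(m.group("got")), int(m.group("exp"))))
        elif CHECKKEYS_RE.search(line):
            stats[current]["key_mismatch"] += 1
    return dict(stats)

def key_mismatch_suspected(stats):
    """Servers where every attempt ended in (check keys): compare the key on the device
    with the one in ACS, including any NDG key override on the server side."""
    return sorted(s for s, v in stats.items()
                  if v["attempts"] and v["key_mismatch"] == v["attempts"])

SAMPLE_DEBUG = """\
Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.1.1.1/49 using source 10.2.2.254
Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
Aug 12 11:44:02: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
Aug 12 11:44:02: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:44:02: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.2/49
"""

if __name__ == "__main__":
    stats = analyze_tacacs_debug(SAMPLE_DEBUG)
    for server, v in stats.items():
        print(server, v)
    print("key mismatch suspected:", key_mismatch_suspected(stats))
```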

  • How do I configure my Apple Watch for 2-step authentication?

    From this article, it is unclear how to activate my Apple Watch to receive 2-step authentication codes. There are no iCloud settings on my Apple Watch, so how do I enable 2-step authentication on my Apple Watch?

    See this: Configure your devices to use two-factor authentication - Apple Support. Note, you need to sign in and go to the iCloud settings on each device where you want 2FA active.

    On the Apple Watch, the only way to sign out is by signing out completely of iCloud on the connected iPhone, and only then can you sign in again through the Watch app on your iPhone.

    Here is another article to help you with the process as well - http://9to5mac.com/2016/03/22/how-to-enable-two-factor-authentication-on-ios-9-and-os-x-el-capitan/#comments

    Hope that helps!

  • RADIUS and TACACS+ authentication

    We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to configure ACS to allow a switch to use TACACS+ and RADIUS.

    Can someone give me a pointer?

    Thank you

    You need to set up the authentication on the switch once.

    aaa authentication login default group tacacs+ local

    aaa authentication dot1x default group radius

    aaa authorization exec default group tacacs+ if-authenticated

    aaa authorization network default group radius

    radius-server host 2.2.2.2 key cisco

    tacacs-server host 2.2.2.2 key cisco

    In ACS, you must add the switch twice.

    ACS ---> Network Configuration ---> Add AAA client

    Host name: switch1

    IP: 3.3.3.3

    Authenticate using: RADIUS (IETF)

    Add another switch

    Host name: switch2

    IP: 3.3.3.3

    Authenticate using: TACACS+.

    Kind regards

    ~ JG

    Please rate helpful posts

  • TACACS+ authentication on Juniper ScreenOS using ACS 5.3

    TACACS+ authentication and authorization pass on ACS 5.3, but entering the username and password on the security device (Juniper SSG5) gives access denied. TACACS config attached.

    set auth-server TACACS+ id 1

    set auth-server TACACS+ server-name 10.10.xx.yy

    set auth-server TACACS+ account-type admin

    set auth-server TACACS+ type tacacs

    set auth-server TACACS+ tacacs secret xxxx

    set auth-server TACACS+ tacacs port 49

    set admin auth server TACACS+

    set admin auth remote primary

    set admin auth remote root

    set admin privilege get-external

    Please advise

    I guess you posted a screenshot. I'm looking forward to having a file that can be downloaded for analysis.

    ~ BR
    Jatin Kone

    * Please rate helpful posts *

  • Error adding a blocking device (PIX)

    Hello!

    Thanks for the quick response.

    Now, I get the following error when I try to add a blocking device for my IDS sensor:

    Error: net device done errNotFound refers to a shun device configuration record that does not exist. Configuration update attempt was rejected. [0.3]

    No idea why this error?

    The sensor knows the firewall IP, the username, the enable password and the password for remote access. SSH is enabled on the firewall. I tried to add the firewall as a trusted host, but I get the error:

    Error: socket connection failed [4 111]

    Any help would be appreciated. Thank you!

    Bercy

    I guess it's a version 4.0 or 4.1 sensor?

    So then the first error "Error: net device done errNotFound refers to a shun device configuration record that does not exist. Configuration update attempt was rejected. [0.3]" is easy enough to explain.

    The username and password information is configured as a "shun device configuration" that you give your own made-up name.

    Then when you add the PIX as a managed device, you reference exactly the "shun device configuration" you created previously (the name you made up).

    Not quite sure what the second error is.

    I suppose that you ran the commands:

    configure terminal

    ssh host-key 10.1.1.1

    (replacing 10.1.1.1 with your PIX address)

    It will establish an SSH connection to your PIX and display the server's key. You must accept the key if it is correct.

    If you do not accept the key, NAC won't be able to connect to the PIX using SSH.

    NOTE: The PIX may also need to be configured to accept SSH connections from the sensor.

  • RAC on EMC block devices

    I finished installing 11g RAC on RHEL v5 using EMC block devices for storage.
    During installation I partitioned the drive and changed the ownership to oracle:dba.

    However, whenever I restart the server, the block device ownership is returned to root and therefore CRS fails to come up. So I end up manually changing ownership and permissions to bring up CRS, ASM and, finally, the database.

    Is it possible to automate this?

    Thanks in advance.

    You can configure this in the udev permissions file. In OEL5, it looks like:

    [root@rick oracle]# tail -8 /etc/udev/rules.d/50-udev.rules
    KERNEL=="sdb1", OWNER="root", GROUP="oinstall", MODE="640"
    KERNEL=="sdc1", OWNER="oracle", GROUP="oinstall", MODE="640"
    KERNEL=="sdd1", OWNER="oracle", GROUP="dba", MODE="640"
    KERNEL=="sde1", OWNER="oracle", GROUP="dba", MODE="640"
    KERNEL=="sdf1", OWNER="oracle", GROUP="dba", MODE="640"
    KERNEL=="sdg1", OWNER="oracle", GROUP="dba", MODE="640"
    
  • Push message not configurable after a device reboot (Java BB)

    Hi all

    I integrated BlackBerry push notification successfully in my application following the http://supportforums.blackberry.com/t5/BlackBerry-Push-Development/Simplified-BIS-Push-client-sample...url. I was successfully able to get push notifications until the device is restarted; after restarting the device I can't get push notifications.

    Note: I added the other entry point, checked "auto-run at startup", and my main method is as below

    public static void main(String[] args) {
        if (args != null && args.length > 0 && args[0].equals("autostart")) {
            // auto-start entry point: wait until the OS has finished booting
            while (ApplicationManager.getApplicationManager().inStartup()) {
                try {
                    Thread.sleep(10000);
                } catch (InterruptedException e) {
                    e.printStackTrace();
                }
            }
            // register the push listener and keep it running in the background
            PushAgent agent = new PushAgent();
            agent.register();
            agent.enterEventDispatcher();
        } else {
            // normal launch from the home screen: start the UI application
            theApp = new MyApp();
            theApp.enterEventDispatcher();
        }
    }
    

    Did I do something wrong, or do I have to put it somewhere else?

    Thanks @gbeukeboom. Finally, I found the solution at this link: http://rincethomas.blogspot.in/2012/07/push-notification-in-BlackBerry.html

  • Backup and managing configurations on ONS 15454 devices

    We have a lot of ONS 15454s and CiscoWorks LMS 4 apparently does not support these devices (I can't pick up the ML1000 card configurations or the chassis configs).

    Can I save the configurations of the cards/chassis using CTC? I see a database backup option under Maintenance, but I'm not entirely sure what it does. Basically, I want to make sure that if one of these devices suffers a hardware failure, I have backups of the way the circuits are provisioned.

    Is there a better tool to use?

    Any advice would be great

    To back up nodes through CTC, the Cisco ONS 15454 Procedure Guides describe the steps to take to save the nodes (the section from the latest version is below):

    Cisco Transport Manager is an element management system available for larger optical networks and has features to back up the databases of several nodes.

    =========

    NTP-A108 Back Up the Database

    Purpose

    This procedure saves a backup version of the TCC2/TCC2P (software) database on the workstation running Cisco Transport Controller (CTC) or on a network server.

    Tools/Equipment

    None

    Prerequisite Procedures

    None

    Required/As Needed

    Required. Cisco recommends performing a database backup at approximately weekly intervals and before and after configuration changes.

    Onsite/Remote

    Onsite or remote

    Security Level

    Maintenance or higher

    Note You need to back up and restore the database for each node on a circuit path in order to maintain a complete circuit.

    Note The following settings are not backed up and restored: node name and Internet Inter-ORB Protocol (IIOP) port. If you change the node name and restore a database backup with a different node name, the circuits map to the new node name. Cisco recommends keeping a record of the old and new node names.

    Step 1 Complete the "DLP-A60 Log into CTC" task at the node that you want to back up. If you are already logged in, go to Step 2.

    Step 2 Click the Maintenance > Database tabs.

    Step 3 Click Backup.

    Step 4 Save the database on the workstation's hard drive or on network storage. Use an appropriate file name with the .db file extension; for example, database.db.

    Step 5 Click Save.

    Step 6 Click OK in the confirmation dialog box.

    Stop. You have completed this procedure.

  • Can a Cisco 1041N WAP be configured as a standalone device?

    I'm at a remote site, and we've been futzing with the configuration of the site's WAP. But it looks as if it was intended to be used in conjunction with a central controller. Is it possible to operate it as a stand-alone device like the old 1200 (which I miss a lot lately)?

    According to the Cisco Software Download Center, you can load autonomous IOS on the AP 1040.

    Products
    Wireless
    Access point
    Cisco Aironet 1040 Series
    Cisco Aironet 1040 Series access point
    IOS Software

    Follow the procedure below to convert the CAPWAP AP to autonomous IOS.

    By using a TFTP server to revert to a previous version

  • ACS 4.2 configured network device report

    I'm trying to pull a report of all the network devices configured in ACS. But I'm not able to pull it; can someone let me know how to extract the network devices configured in the ACS device.

    If I understand the question, you want to export the AAA clients / network devices. You can get the AAA clients/devices information in an Excel sheet by following the steps below:

    Go to Network Configuration > Search > keep the search parameter at the default, which searches everything. Press Search. A 'Download' option will appear in the left corner of the search results. Click it to save this list.

    This list will include:

    -Name

    -IP address

    -Type

    -NDG name (if applicable)

    NOTE: this will not contain the shared secret keys the AAA clients have been configured with.

    ~ BR
    Jatin Kone

    * Please rate helpful posts *

  • My PIX 506E configuration

    How can I set up the following scenario? My PIX separates the internal and external networks. For outgoing traffic, I will only allow HTTP-related traffic. There will be no incoming traffic. For simplicity, I use PDM ver 3 to configure my PIX 506E. Should be easy to set up, I thought.

    In my access rules, I allowed http, https and nameserver on the inside and outside interfaces. In the translation rules, I set up NAT using a range of real IPs on the external interface. I have not used PAT, just in case of H323.

    However, the above configuration does not work. I can't get any http traffic out of my internal network. What am I missing?

    Thanks for your help,

    FTM

    It would seem that you defined rules that require the source AND destination port to be the same:

    access-list inside_access_in permit udp any eq domain any eq domain

    access-list inside_access_in permit udp any eq ntp any eq ntp

    access-list inside_access_in permit udp any eq nameserver any eq nameserver

    access-list inside_access_in permit tcp any eq domain any eq domain

    access-list inside_access_in permit tcp any eq www any eq www

    access-list inside_access_in permit tcp any eq https any eq https

    You need to change that, because the source port is probably going to be 1024 or greater. Try something like this:

    access-list inside_access_in permit udp any any eq domain

    access-list inside_access_in permit udp any any eq ntp

    access-list inside_access_in permit udp any any eq nameserver

    access-list inside_access_in permit tcp any any eq domain

    access-list inside_access_in permit tcp any any eq www

    access-list inside_access_in permit tcp any any eq https

    access-group inside_access_in in interface inside

    That says: allow any source IP/source port access to any destination IP as long as it is for www, dns, ssl, etc...

    Your acl_web access list is not used, because it is not assigned to an interface. Remember that each interface can have only one ACL.

    Also, you said that you do not PAT...

    global (outside) 1 xxx.xxx.YYY.54-xxx.xxx.YYY.55 netmask 255.255.255.0

    global (outside) 1 xxx.xxx.YYY.53

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    This tells the firewall to use the range xxx.xxx.YYY.54-xxx.xxx.YYY.55 for address assignment, but when that runs out, to start PATing with xxx.xxx.YYY.53...

    hope this helps
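    As an added example (not code from the original thread), this Python checker parses PIX 6.x `access-list` lines and reports the two problems the answer describes: entries that pin the source port to the service port, and ACLs that are defined but never bound with `access-group`. The parser handles the general PIX address and port syntax (`any`, `host`, network/mask, `eq`/`range` and friends), not only the thread's lines; the function names and `BROKEN_CONFIG` are constructed for this example.

```python
"""Added example (not from the original thread): checks PIX 6.x access-list
entries for the bug this answer describes, rules that pin the SOURCE port to
the service port (clients on ephemeral ports >= 1024 never match them), and
for ACLs defined but never applied with access-group (the thread's acl_web).
BROKEN_CONFIG is constructed from the thread's lines."""

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> arg count

def _take_addr(t, i):
    # PIX address spec: any | host A.B.C.D | A.B.C.D MASK
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return "host " + t[i + 1], i + 2
    return t[i] + " " + t[i + 1], i + 2

def _take_port(t, i):
    # optional port spec: eq/neq/lt/gt PORT | range LOW HIGH
    if i < len(t) and t[i] in PORT_OPS:
        n = PORT_OPS[t[i]]
        return " ".join(t[i:i + 1 + n]), i + 1 + n
    return None, i

def parse_acl_line(line):
    """access-list NAME permit|deny PROTO SRC [SPORT] DST [DPORT] -> dict, or None."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    try:
        src, i = _take_addr(t, 4)
        src_port, i = _take_port(t, i)
        dst, i = _take_addr(t, i)
        dst_port, _ = _take_port(t, i)
    except IndexError:
        return None  # truncated entry
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src,
            "src_port": src_port, "dst": dst, "dst_port": dst_port}

def source_port_findings(config_text):
    """tcp/udp entries that constrain the source port; they silently drop client traffic."""
    entries = map(parse_acl_line, config_text.splitlines())
    return [e for e in entries if e and e["proto"] in ("tcp", "udp") and e["src_port"]]

def unbound_acls(config_text):
    """ACL names that are defined but never bound to an interface with access-group."""
    defined, bound = set(), set()
    for t in (line.split() for line in config_text.splitlines()):
        if len(t) >= 2 and t[0] == "access-list":
            defined.add(t[1])
        elif len(t) >= 2 and t[0] == "access-group":
            bound.add(t[1])
    return sorted(defined - bound)

BROKEN_CONFIG = """\
access-list inside_access_in permit udp any eq domain any eq domain
access-list inside_access_in permit tcp any eq www any eq www
access-list acl_web permit tcp any any eq https
access-group inside_access_in in interface inside
"""

if __name__ == "__main__":
    for e in source_port_findings(BROKEN_CONFIG):
        print("source port pinned:", e["name"], e["proto"], e["src"], e["src_port"], "->", e["dst"], e["dst_port"])
    print("unbound ACLs:", unbound_acls(BROKEN_CONFIG))
```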
