PIX configuration as a blocking device with TACACS+ authentication
Hello
I have a PIX running version 6.3(1). The PIX is configured to use a Cisco Secure ACS 3.1 server for AAA authentication and authorization over TACACS+. The sensor is running 2.0000 Sig46.
Before adding AAA to the PIX, the sensor was able to connect and set up shuns correctly. Since adding the AAA configuration to the PIX, I have been unable to get the sensor to connect to the PIX for shunning.
I created a username and password with admin rights for the IDS sensor to connect with and create shuns. I could authenticate and build shuns manually via Telnet and SSH connections using this login. I tried removing and re-adding blocking several times.
When I configure the PIX as a Telnet blocking device, I see the device state as "initializing" when looking at the statistics in IDM. When I configure the PIX as an SSH blocking device, I see the state as "inactive".
Please let me know if you have any suggestions; if not, I guess I will open a case with TAC. Thanks in advance for the help!
Kind regards
Chad
Make sure the PIX is in the sensor's list of allowed hosts. From the CLI, type:
configure terminal
ssh host-key <PIX interface IP>
Check that you have associated the PIX with a logical device. The logical device record contains the username, password and enable password. Using IDM, it is selected from a drop-down list on the blocking devices page.
Tags: Cisco Security
Similar Questions
-
I get a popup that says no sound input device is installed; make sure that your audio hardware works and check your audio configuration in the Sound control panel.
Hello
1. What operating system is installed on the computer?
2. When exactly do you receive this pop-up?
3. Are you able to play sounds using Windows Media Player?
Please provide more information on the issue so that we can help you better.
In the meantime, try the troubleshooting steps provided in the link below to solve the problem.
No sound in Windows
http://Windows.Microsoft.com/en-us/Windows/help/no-sound-in-Windows
-
Hello
My computer is struggling to access the internet. I get this message: "your computer appears to be correctly configured, but the device or resource (DNS server) is not responding". All the other computers in my house are connected without difficulty. Any suggestions?
Thank you
I solved the problem. When my router lost power, somehow the addresses changed so that the IP address of the Dell wireless computer no longer fell in the pool of addresses maintained by the router. When I reconfigured my router and released and renewed my IP on the Dell computer, everything started working again.
Thanks for your help!
-
How to restore the configuration on a new FireSIGHT (device RMA)?
How do I restore the configuration on a new FireSIGHT (device RMA)?
Does the new FireSIGHT need new licenses again or not?
Licenses are tied to the license key of the FireSIGHT Management Center. The key is a combination of the platform type (model) and the MAC address of the server.
So yes, you will need them reissued. The TAC case that got you the RMA can serve as the basis for a request to the licensing team for the reissue.
-
ACS 4.2 TACACS+ authentication failure. Key mismatch
I have configured 10 layer 2 switches (C3750-ADVIPSERVICESK9-M, Version 12.2(40)SE) to use TACACS+. They are all using the same key and work correctly. I went to another 3750 switch located across a point-to-point circuit, Cisco software C3750-IPBASEK9-M, Version 12.2(35)SE5. I entered the usual configuration, then entered the key and tried to log in as a user and got authentication failed. I checked the server and see key mismatches in the Reports and Activity for the failed attempt. I removed the key and copied and pasted it from Notepad; it still does not work. Removed the switch from the ACS network device group and then re-added it, put in a new key without special characters. No go.
Here is the config.
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication login NO_AAA local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
ip tacacs source-interface FastEthernet0/0
tacacs-server host 10.1.1.1
tacacs-server key 0 itspassword
tacacs-server directed-request
Initially the password was encrypted, so I changed it to clear text by typing the password without the 0 and with the 0. Neither worked. I also removed service password-encryption to see if that would do anything.
I usually have SSH on the router, so I changed it to accept telnet. That did not work. Changed SSH, reset the RSA keys and modified it so that it uses SSH2, which did not work either.
Here's what I get from the logs:
Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.
I have searched around the forum for about 4 hours, trying all the other options that were given to other people with a similar problem. The last key I put in was 123456. You can't fat-finger that. The switch log says check the key; the firewall is configured to allow all traffic from the AAA client.
Hi green2003mg,
The key override at the group level (the NDG your switch belongs to). Have you checked that one?
Greetz,
Julia
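The "received bad AUTHEN packet: length = 6, expected 80467 ... (check keys)" lines above are what a key mismatch looks like from the NAS side: the TACACS+ body is XORed with a chained-MD5 pad derived from the shared key, so decoding a server REPLY with the wrong key yields random length fields. The following Python is an added illustration, not code from the thread or from Cisco; the keys and the "Username: " prompt are constructed, the session id 97563278 is taken from the debug output.

```python
import hashlib
import struct

# TACACS+ constants (RFC 8907). "ver = 192" in the switch debug output is 0xC0:
# major version 0xC, minor version 0.
TAC_PLUS_VERSION = 0xC0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04  # server REPLY asking the NAS for the username
HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
REPLY_FIXED_FMT = "!BBHH"              # status, flags, server_msg_len, data_len


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained-MD5 pseudo-pad from RFC 8907 section 4.5; the packet body is XORed with it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR body with the pseudo-pad; the same call de-obfuscates (XOR is an involution)."""
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(session_id: int, key: bytes, seq_no: int,
                       server_msg: bytes, data: bytes = b"") -> bytes:
    """Server side: an AUTHEN REPLY (status GETUSER) obfuscated with the server's key."""
    body = struct.pack(REPLY_FIXED_FMT, TAC_PLUS_AUTHEN_STATUS_GETUSER, 0,
                       len(server_msg), len(data)) + server_msg + data
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def check_authen_reply(packet: bytes, key: bytes) -> dict:
    """NAS side: de-obfuscate with the NAS key and re-derive the body length from the decoded
    length fields, as the 'received bad AUTHEN packet: length = X, expected Y' check does.
    With the wrong key the decoded fields are random bytes and Y is nonsense."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, seq_no)
    status, rflags, msg_len, data_len = struct.unpack(REPLY_FIXED_FMT, body[:6])
    expected = 6 + msg_len + data_len
    ok = expected == length
    return {"ok": ok, "length": length, "expected": expected,
            "server_msg": body[6:6 + msg_len] if ok else b""}


SESSION_ID = 97563278          # id of the first START in the posted debug output
SERVER_KEY = b"key-on-acs"     # constructed: secret configured on the TACACS+ server
WRONG_KEY = b"key-on-switch"   # constructed: mismatching secret configured on the switch
REPLY = build_authen_reply(SESSION_ID, SERVER_KEY, seq_no=2, server_msg=b"Username: ")

if __name__ == "__main__":
    for name, key in (("matching key", SERVER_KEY), ("mismatched key", WRONG_KEY)):
        r = check_authen_reply(REPLY, key)
        verdict = "ok" if r["ok"] else "bad AUTHEN packet (check keys)"
        print(f"{name}: length = {r['length']}, expected {r['expected']} -> {verdict}")
```

Note that the NAS cannot tell a wrong key from a corrupted packet other than by this length sanity check, which is why the debug text only hints "(check keys)" and why a group-level key override in ACS, as suggested in the reply, produces exactly this symptom.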
-
How do I configure my Apple Watch for two-step authentication?
From this article, it is unclear how to set up my Apple Watch to receive two-step authentication codes. There are no iCloud settings on my Apple Watch, so how do I enable two-step authentication on my Apple Watch?
See this: "Set up your devices to use two-factor authentication" - Apple Support. Note, you need to sign in and go to the iCloud settings on each device you want active for 2FA.
On the Apple Watch, the only way to sign out is by signing out completely of iCloud on the connected iPhone, and only then can you sign in again through the Watch app on your iPhone.
Here is another article to help you with the process as well: http://9to5mac.com/2016/03/22/how-to-enable-two-factor-authentication-on-ios-9-and-os-x-el-capitan/#comments
Hope that helps!
-
RADIUS and TACACS+ authentication
We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to configure ACS to allow a switch to use both TACACS+ and RADIUS.
Can someone give me a pointer?
Thank you
First, you need to set up authentication on the switch:
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
radius-server host 2.2.2.2 key cisco
tacacs-server host 2.2.2.2 key cisco
In ACS, you must add the switch twice.
ACS > Network Configuration > Add AAA Client
Hostname: switch1
IP: 3.3.3.3
Authenticate Using: RADIUS (IETF)
Add another AAA client:
Hostname: switch2
IP: 3.3.3.3
Authenticate Using: TACACS+
Kind regards
~ JG
-
TACACS+ authentication on Juniper ScreenOS using ACS 5.3
TACACS+ authentication and authorization pass on ACS 5.3, but entering the username and password on the firewall (Juniper SSG5) gives access denied. TACACS+ config attached:
set auth-server TACACS+ id 1
set auth-server TACACS+ server-name 10.10.xx.yy
set auth-server TACACS+ account-type admin
set auth-server TACACS+ type tacacs
set auth-server TACACS+ tacacs secret xxxx
set auth-server TACACS+ tacacs port 49
set admin auth server TACACS+
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Please advise.
I guess you posted a screenshot. I am waiting for the file to become downloadable for analysis.
~ BR
Jatin kone
-
Error adding a blocking device (PIX)
Hello!
Thanks for the quick response.
Now I get the following error when I try to add a blocking device for my IDS sensor:
Error: Net device errNotFound refers to a shun device configuration record that does not exist. Configuration update attempt was rejected. [0.3]
Any idea why this error?
The sensor knows the firewall IP, username, enable password and the password for remote access. SSH is enabled on the firewall. I tried to add the firewall as a trusted host, but I get the error:
Error: socket connection failed [4 111]
Any help would be appreciated. Thank you!
Bercy
I guess it's a version 4.0 or 4.1 sensor?
Then the first error, "Error: Net device errNotFound refers to a shun device configuration record that does not exist. Configuration update attempt was rejected. [0.3]", is easy enough to explain.
The username and password information is configured as a "shun device configuration", which you give a name you make up yourself.
Then, when you add the PIX as a device to manage, you reference exactly the "shun device configuration" you previously created (the name you made up).
Not quite sure what the second error is.
I suppose you ran the command:
configure terminal
ssh host-key 10.1.1.1
(replacing 10.1.1.1 with your PIX address)
It will establish an SSH connection to your PIX and
display the server's key. You must accept the key if it is correct.
If you do not accept the key, NAC won't be able to connect to the PIX using SSH.
NOTE: The PIX may also need to be configured to accept SSH connections from the sensor.
-
I finished installing 11g RAC on RHEL 5 using EMC block storage devices.
During installation I partitioned the drives and changed ownership to oracle:dba.
However, whenever I restart the server, ownership of the block devices reverts to root and therefore CRS fails to come up. So I end up manually changing ownership and permissions to bring up CRS, ASM and, finally, the database.
Is it possible to automate this?
Thanks in advance.
You can configure this in the udev permissions file. In OEL5, it looks like:
[root@rick oracle]# tail -8 /etc/udev/rules.d/50-udev.rules
KERNEL=="sdb1", OWNER="root", GROUP="oinstall", MODE="640"
KERNEL=="sdc1", OWNER="oracle", GROUP="oinstall", MODE="640"
KERNEL=="sdd1", OWNER="oracle", GROUP="dba", MODE="640"
KERNEL=="sde1", OWNER="oracle", GROUP="dba", MODE="640"
KERNEL=="sdf1", OWNER="oracle", GROUP="dba", MODE="640"
KERNEL=="sdg1", OWNER="oracle", GROUP="dba", MODE="640"
-
Push message not received after a device reboot (BlackBerry Java)
Hi all
I integrated BlackBerry push notifications successfully in my application following the URL http://supportforums.blackberry.com/t5/BlackBerry-Push-Development/Simplified-BIS-Push-client-sample...url. I am able to receive push notifications successfully until the device restarts; after restarting the device I can't receive push notifications any more.
Note: I added another entry point, checked "Auto-run on startup", and my main method is as below:
if (args != null && args.length > 0 && args[0].equals("autostart")) {
    // auto start: wait for the OS to finish booting
    while (ApplicationManager.getApplicationManager().inStartup()) {
        try {
            Thread.sleep(10000);
        } catch (InterruptedException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
    PushAgent agent = new PushAgent();
    agent.register();
    agent.enterEventDispatcher();
} else {
    theApp = new MyApp();
    theApp.enterEventDispatcher();
}
Did I do something wrong, or do I have to put it in some other place?
Thanks @gbeukeboom. Finally, I found the solution from this link. http://rincethomas.blogspot.in/2012/07/push-notification-in-BlackBerry.html
-
Backing up and managing configurations on ONS 15454 devices
We have a lot of ONS 15454s and CiscoWorks LMS 4 apparently does not support these devices (I can't pick up the ML1000 card configurations or the chassis configs).
Can I save the configurations of the cards/chassis using CTC? I see a database backup option under Maintenance, but I'm not entirely sure what it does. Basically, I want to make sure that if one of these devices suffers a hardware failure, I have backups of the way the circuits are provisioned.
Is there a better tool to use?
Any advice would be great.
For backing up nodes through CTC, the Cisco ONS 15454 Procedure Guides describe the steps to take to back up the nodes (the section from the latest version is below).
Cisco Transport Manager is an element management system available for larger optical networks and has features to back up the databases of several nodes.
=========
NTP-A108 Back Up the Database
Purpose
This procedure stores a backup version of the TCC2/TCC2P (software) database on the workstation running Cisco Transport Controller (CTC) or on a network server.
Tools/Equipment
None
Prerequisite Procedures
None
Required/As Needed
Required. Cisco recommends performing a database backup at approximately weekly intervals and before and after configuration changes.
Onsite/Remote
Onsite or remote
Security Level
Maintenance or higher
Note: You need to back up and restore the database for each node on a circuit path in order to maintain a complete circuit.
Note: The following settings are not backed up and restored: node name and Internet Inter-ORB Protocol (IIOP) port. If you change the node name and restore a database backup with a different node name, the circuits map to the new node name. Cisco recommends keeping a record of the old and new node names.
Step 1 Complete the "DLP-A60 Log into CTC" task at the node that you want to back up. If you are already logged in, go to Step 2.
Step 2 Click the Maintenance > Database tabs.
Step 3 Click Backup.
Step 4 Save the database on the workstation's hard drive or on network storage. Use an appropriate file name with the .db file extension, for example, database.db.
Step 5 Click Save.
Step 6 Click OK in the confirmation dialog box.
Stop. You have completed this procedure.
-
Can a Cisco 1041N WAP be configured as a standalone device?
I'm at a remote site, and we've been futzing with the configuration of the site's WAP. But it looks as if it was intended to be used in conjunction with a central controller. Is it possible to operate it as a standalone device like the old 1200 (which I miss a lot lately)?
According to the Cisco Software Download Center, you can load autonomous IOS on the AP 1040:
Products > Wireless > Access Points > Cisco Aironet 1040 Series > Cisco Aironet 1040 Series Access Point > IOS Software
Follow the procedure below to convert the CAPWAP AP to standalone IOS:
"Using a TFTP Server to Return to a Previous Release"
-
ACS 4.2 configured network device report
I'm trying to pull a report of all the network devices configured in ACS, but I'm not able to. Can someone let me know how to extract the network devices configured in ACS?
If I understand the question, you want to export the AAA clients / network devices. You can get the AAA clients/devices information into an Excel sheet with the steps below:
Go to Network Configuration > Search > keep the default search parameter, which searches everything, and press Search. A 'Download' option will appear in the left corner of the search results. Click it to save this list.
This list will include:
- Name
- IP address
- Type
- NDG name (if applicable)
NOTE: this will not contain the shared secret keys the AAA clients have been configured with.
~ BR
Jatin kone
-
How can I set up the following scenario? My PIX separates the internal and external networks. For outgoing traffic, I only want to allow HTTP-related traffic. There will be no incoming traffic. For simplicity, I use PDM 3 to configure my PIX 506E. Should be easy to set up, I thought.
In my access rules, I allowed http, https and nameserver on the inside and outside interfaces. In the translation rules, I set up NAT using a range of real IPs on the external interface. I have not used PAT, just in case of H323.
However, the above configuration does not work. None of my internal network's HTTP traffic gets through. What am I missing?
Thanks for your help,
FTM
It would seem that you defined rules that state the source AND destination port must be the same:
access-list inside_access_in permit udp any eq domain any eq domain
access-list inside_access_in permit udp any eq ntp any eq ntp
access-list inside_access_in permit udp any eq nameserver any eq nameserver
access-list inside_access_in permit tcp any eq domain any eq domain
access-list inside_access_in permit tcp any eq www any eq www
access-list inside_access_in permit tcp any eq https any eq https
You need to change that, because the source port is probably going to be 1024 or greater. Try something like this:
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit udp any any eq ntp
access-list inside_access_in permit udp any any eq nameserver
access-list inside_access_in permit tcp any any eq domain
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp any any eq https
access-group inside_access_in in interface inside
That said, this allows any source IP/source port access to any destination IP as long as it is for www, dns, ssl, etc.
Your acl_web access list is not used, because it is not assigned to an interface. Remember that each interface can have only one ACL.
Also, you said that you do not use PAT...
global (outside) 1 xxx.xxx.YYY.54-xxx.xxx.YYY.55 netmask 255.255.255.0
global (outside) 1 xxx.xxx.YYY.53
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
This tells the firewall to use the range xxx.xxx.YYY.54 - xxx.xxx.YYY.55 for address assignment, but when it runs out, to start PATing with xxx.xxx.YYY.53...
hope this helps
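To make the "source port equals destination port" mistake concrete, here is an added Python evaluator (not from the thread or from Cisco) that parses the posted ACEs in PIX syntax and applies first-match-plus-implicit-deny to a constructed outbound HTTP flow; the flow's addresses and ephemeral source port 51234 are made up, and only the "any" and "host A.B.C.D" address forms are supported.

```python
from dataclasses import dataclass
from typing import List, Optional

# Service keywords used in the thread, mapped to the port numbers PIX resolves them to.
SERVICE_PORTS = {"domain": 53, "ntp": 123, "nameserver": 42, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq PORT] DST [eq PORT]'."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    rest = toks[4:]

    def take_endpoint():
        nonlocal rest
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        else:
            addr, rest = rest[0], rest[1:]
        port = None
        if rest and rest[0] == "eq":          # optional 'eq <service|number>' qualifier
            port = SERVICE_PORTS.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        return addr, port

    src, sp = take_endpoint()
    dst, dp = take_endpoint()
    return Ace(toks[2], toks[3], src, sp, dst, dp)


def evaluate(acl: List[Ace], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> str:
    """First-match evaluation, ending with the implicit deny every PIX ACL has."""
    for a in acl:
        if (a.proto == proto
                and a.src in ("any", src_ip) and a.dst in ("any", dst_ip)
                and a.src_port in (None, src_port) and a.dst_port in (None, dst_port)):
            return a.action
    return "deny"


# The ACLs from the answer above: as posted (source port pinned) and as corrected.
ORIGINAL_ACL = [parse_ace(line) for line in (
    "access-list inside_access_in permit tcp any eq www any eq www",
    "access-list inside_access_in permit tcp any eq https any eq https",
    "access-list inside_access_in permit udp any eq domain any eq domain",
)]
FIXED_ACL = [parse_ace(line) for line in (
    "access-list inside_access_in permit tcp any any eq www",
    "access-list inside_access_in permit tcp any any eq https",
    "access-list inside_access_in permit udp any any eq domain",
)]

# Constructed flow: an inside browser opens port 80 from an ephemeral source port.
FLOW = ("tcp", "192.168.1.20", 51234, "203.0.113.10", 80)

if __name__ == "__main__":
    print("original ACL:", evaluate(ORIGINAL_ACL, *FLOW))  # deny: source port is not 80
    print("fixed ACL:   ", evaluate(FIXED_ACL, *FLOW))     # permit
```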