PIX, PDM and AAA issues

I have a PIX 520 in the lab running 6.3(3) and PDM 3.0. I tested AAA authentication and authorization against our ACS server and ran into problems.

I have two groups set up on our ACS server. One group has full access; the other group is set up with a shell command authorization set that limits commands so that they can view the running-config and a few other things. Users in both groups can connect to PDM or SSH/telnet/serial into the unit and are authenticated and authorized correctly.

The configuration below works fine, until I pull the ACS server off the network. Because there is no backup authentication or command authorization method, I am dead in the water. When this happens, I can still connect via the serial console using the 'pix' username and the enable password, but I cannot run 'enable' to get to privileged mode, or any other command for that matter. (I get a command authorization error.)

Here's the current configuration:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.2.3.4 123456 timeout 5
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
aaa authorization command TACACS+

Is it possible to set up a backup method for authentication and command authorization? If not, is there any other way around the problem I'm running into?

Let me know if you need more info. Thank you!

Hello

Sorry, I missed this earlier. There is a bug on the PIX for this, and we have an open enhancement request to add multiple authorization methods to the PIX: CSCea04538. At this point, your best bet is to bug your account team to get this feature added to upcoming PIX code. Sorry for the inconvenience.

Scott

Tags: Cisco Security

Similar Questions

  • PIX IPSec and ACL issues

    Hello,

    On a PIX 515E v6.3(5).

    Are there three ACLs that can come into play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends")

    1. nat (0) ACL - to NOT NAT traffic that is part of the IPSec VPN

    2. Crypto ACL - ACL that determines whether traffic is destined for the IPSec tunnel.

    3. ACL - ACL to permit | deny traffic after ACL #1 and #2.

    Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words, the sysopt doesn't participate in ACL #1 or #2 listed above?

    The mirroring of ACLs that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?

    Thanks,

    Dan


    Dan

    It depends.

    (1) is not always used, because with a site-to-site VPN sometimes you need to NAT your internal addressing

    (2) is always necessary

    (3) if "sysopt connection permit-ipsec" is configured, any ACL on the interface where the VPN terminates is bypassed. If it is not enabled, then once packets are decrypted they are checked against the ACL.

    Mirrored ACLs are required.

    Jon

  • VPN IPSec L2L between IOS and PIX 6.3 - MTU issue?

    The remote (customer) side is behind a PIX 6.3(5). The head-end (server) side is an IOS 2911 on 15.0.

    The IPSec tunnel comes up fine and passes traffic. However, there is one server which is not fully accessible. Note that it is mainly web traffic.

    The client initiates a connection to http://server:8000. They receive a redirect to go to http://server:8000/somepage.jspa. Packet captures show the client acknowledges the redirect with a SYN-ACK response, but then the connection just hangs and no other packets are received in return. I noticed that the redirected page is a .jsp and the other pages that work OK are not. I also noticed there are some MTU and TCP MSS configurations on the head-end side that are in place for another GRE VPN tunnel with another site. So I got to thinking about packet fragmentation. The PIX side has all the standard IPSec configuration as well as the default MTU on the inside and outside interfaces.

    When the MTU is set manually on the client computer to 1400, access to http://server:8000/somepage.jspa works fine. So I need to tweak the PIX settings. I tried adjusting the MTU size on the inside and outside interfaces as well as the "sysopt connection tcp-mss" parameter. I don't know what else to do here.

    Here is a summary of the MTU settings on the head end:

    Head end:

    int tunnel0 (this is the GRE tunnel)
     ip mtu 1420
     tunnel source G0/0
     tunnel destination X.X.X.X
     tunnel path-mtu-discovery
    crypto map vpn 1
     description GRE tunnel
     blah blah blah
    crypto map vpn 2
     description IPSec tunnel
     blah blah blah
    int g0/0 (outside interface)
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip verify unicast reverse-path
     ip nat outside
     ip virtual-reassembly
     crypto map vpn
    int g0/1 (this is the interface to the server in question)
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452

    Ha, sorry, my bad. I read the previous post wrong.

    (Note: yes, the MSS on the tunnel interface should be 40 bytes less than the MTU.)

    Don't tweak the MTU for TCP problems (not as the first step); it is safer to play with the MSS. The MTU may depend on other things (OSPF, for example).

    Do a ping sweep with the DF bit set, increasing the size (from 1300 bytes, for example). By doing this you want to find the maximum packet size that you can pass through the IPsec tunnel. Once you have this value, subtract 40 and set that as the MSS value on the LAN interface (and adjust the value on the PIX if you can).

    M.

  • in PIX with SSH connection issues

    Hello

    I have a PIX 506 running OS 6.2(2) which is located in a DMZ, known as the outside PIX. It's behind another PIX 506 (the inside PIX). Both PIXes have TACACS+ configured for login authentication.

    Last week the outside PIX physically crashed and I replaced it with a spare PIX and completely reconfigured it.

    Now I can't connect to this outside PIX using SSH, even though the access list on the inside PIX is correct and allows SSH and TACACS+. However, I can telnet to it.

    I use PuTTY to connect, and when I start the SSH session to the PIX, the login window appears and disappears immediately without giving me time to do anything.

    Any help would be greatly appreciated. Thanks in advance.

    A.G.

    ##################################################

    Inside PIX config:

    access-list inside permit tcp Company-Internal-Net 255.255.255.0 host outsidepix-inside-interface eq ssh
    access-list inside permit tcp Company-Internal-Net 255.255.255.0 host outsidepix-inside-interface eq telnet
    access-list inside permit icmp DMZNet 255.255.255.192 Company-Internal-Net 255.255.255.0 echo
    access-list inside permit icmp Company-Internal-Net 255.255.255.0 DMZNet 255.255.255.192 echo-reply
    access-list dmzacl permit icmp host outsidepix-inside-interface Company-Internal-Net 255.255.255.0 echo
    access-list dmzacl permit icmp host outsidepix-inside-interface Company-Internal-Net 255.255.255.0 echo-reply
    access-list dmzacl permit tcp host outsidepix-inside-interface host tacacs-server1 eq tacacs
    access-list dmzacl permit tcp host outsidepix-inside-interface host tacacs-server2 eq tacacs

    Outside PIX config:

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host tacacs-server1 1234 timeout 10
    aaa-server TACACS+ (inside) host tacacs-server2 1234 timeout 10
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication telnet console TACACS+
    aaa authentication ssh console TACACS+
    aaa authentication enable console TACACS+
    telnet Company-Internal-Net 255.255.255.0 inside
    telnet timeout 5
    ssh Company-Internal-Net 255.255.255.0 inside
    ssh DMZNet 255.255.255.192 inside
    ssh timeout 5

    Did you follow the steps to configure SSH? Are the domain name and host name defined on it? Did you generate an RSA key (ca generate rsa key) to create the encryption keys?

  • Missing documents for Pix V7 and ASDM V5

    Just upgraded one of my PIXes to V7.

    Now I'm looking for the "Cisco PIX Firewall and VPN Configuration Guide" and the "Cisco PIX Firewall Command Reference" for version 7, but I couldn't find them on the Cisco site.

    Any idea where I could find them?

    Maybe I need to use the ASA guides instead?

    And I was unable to find documentation on how to install ASDM... When I upgraded to 6.3 I had trouble finding the PDM 3.0 installation guide...

    Any pointers would be appreciated.

    www.Cisco.com -> right side -> Old Site Technology Documentation -> Network Security -> select "Cisco Secure PIX Firewall".

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/index.htm

  • I can't send email Outlook Express (sudden problem). It is a new and sudden issue. Error number: 0x800CCC67

    Original title: I can't send email Outlook Express (sudden problem). It is a new and sudden issue.

    I use Outlook Express 6 and get this message: "An unknown error has occurred. Account: 'XTRA', server: 'smtp.xtra.co.nz', Protocol: SMTP, server response: '421 mta01.xtra.co.nz connection refused [222.155.136.138]', Port: 25, secure (SSL): no, Server error: 421, error number: 0x800CCC67."

    I continue to receive e-mails.

    Hello

    Did you make any changes to the computer before this problem started?

    The following article might be useful:

    Troubleshooting error messages that you receive when you try to send and receive e-mail in Outlook and Outlook Express
    http://support.Microsoft.com/kb/813514

  • My Windows 7 Pro system has some serious hardware, internet connection and security issues. The system image and restore the system in case of failure.

    My Windows 7 Pro system has some serious hardware, internet connection and security issues.

    My efforts to remedy this by restoring a system image backup failed. At this point, I'm ready for a new clean install if I have to buy a drive to do it. My question is whether an upgrade from Professional to Ultimate will or will not fix these bugs. In addition, what causes System Restore to fail? I never turned it off, and I cannot create regular restore points.

    Original title: upgrade a "Fix" for existing system problems?


    Hello

    1. Re-installing/repairing software will not fix hardware issues.

    2. An operating system upgrade is not the way to solve computer problems; they can be carried forward.

    3. If you use Norton, you should disable Norton Tamper Protection before using System Restore.

    http://Service1.Symantec.com/support/sharedtech.nsf/pfdocs/2005113009323013

    AVG will cause problems with SR too.

    "Temporarily disable AVG"

    http://www.Avg.com/ww-en/FAQ.Num-3857

    4. Try using System Restore in Safe Mode.

    http://Windows.Microsoft.com/en-us/Windows7/products/features/system-restore

    "Start your computer in safe mode"

    http://Windows.Microsoft.com/en-us/Windows/Start-computer-safe-mode#start-computer-safe-mode=Windows-7

    5. Malware will stop System Restore.

    Download, install, update and scan your system with the free version of Malwarebytes Anti-Malware:

    http://www.Malwarebytes.org/products/malwarebytes_free

    ____________________________________

    We really need more details on:

    "My Windows 7 Pro system has some serious hardware, internet connection and security issues."

    Cheers.

  • I want to confirm that the update of Adobe Reader 10.1.15 is legitimate.  This update apparently fixes security vulnerabilities and customer issues.

    I want to confirm that the Adobe Reader 10.1.15 update is legitimate. This update apparently fixes security vulnerabilities and customer issues.

    Hi Jeremiah,

    Yes, the Reader 10.1.15 update is legitimate.

    In fact, we released the latest patch, 10.1.16, on October 13.

    You can download it here: Adobe - Acrobat: For Windows

    For the release notes please refer to: https://helpx.adobe.com/acrobat/release-note/release-notes-acrobat-reader.html

    Kind regards,
    Rave

  • PIX ACL user downloadable issues

    Recently I opened a TAC case on an issue I had with user downloadable ACLs on a RADIUS server. I use the per-user ACL on an intranet PIX firewall that protects some servers. We have programmers who need special access to them, and I tried to have the ACL assigned dynamically. It turns out TAC said that even if I had the correct ACL and it was applied to the user, I must have the same ACL allowing the traffic on the interface where the incoming traffic arrives. That makes no sense to me, because my goal was to get rid of permanent ACLs and not have to worry about the source IP addresses in use. I could have the user simply log in through HTTP and get the ACL. Then eventually the uauth timer kicks in and removes the ACL, so it does not leave a hole in the PIX. I must be totally missing the point of downloadable ACLs, so if someone could shed some light on the subject I would appreciate it :) If anyone has a solution or another approach to the problem I have, please don't hesitate to post! Thanks in advance!

    Tony

    For authentication and downloadable ACLs to work, you need two ACLs on the PIX: the interface ACL and the authentication ACL. You can think of the interface ACL as a trigger for the authentication ACL; it should allow the traffic through so that authentication can be triggered. It must also allow the same traffic as the auth ACL, which means it is sometimes easier to make the interface ACL more permissive and the auth ACL more restrictive.

    For example, if you have users on 192.168.1.0/24 on the inside interface and you want to authenticate them to access Terminal Server services, you can if you want configure the inside access list to allow all traffic from 192.168.1.0/24

    ! inside 192.168.1.0 auth trigger
    access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any

    but match everything in the authentication ACL, which means that all traffic requires authentication/authorization first.

    ! authentication for 192.168.1.0
    ! don't authenticate DNS and ICMP
    access-list inside_authentication deny udp 192.168.1.0 255.255.255.0 any eq 53
    access-list inside_authentication deny icmp 192.168.1.0 255.255.255.0 any
    ! authenticate everything else
    access-list inside_authentication permit ip 192.168.1.0 255.255.255.0 any
    ! apply access lists
    access-group inside_access_in in interface inside
    aaa authentication match inside_authentication inside RADIUS

    Your ACS/RADIUS ACL would be configured as

    ! term serv
    permit tcp 192.168.1.0 255.255.255.0 any eq 3389
    ! http
    permit tcp 192.168.1.0 255.255.255.0 any eq 80

    That would provide Terminal Server and HTTP access to an authenticated user. Your logs will show permission denied for all other access by this user after authentication.

    I hope this helps.
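The three-stage evaluation in the answer above (interface ACL as trigger, "aaa authentication match" ACL, then the downloaded per-user ACL) is easy to get wrong, and the TAC statement the original poster found puzzling falls out of it directly. The following is an added example, not code from the thread or from Cisco: a first-match model of the PIX 6.x ACL order, fed the three ACLs quoted in the answer plus a deliberately tighter interface ACL. The flows, the 10.0.0.x server addresses and the simplified ACE syntax (numeric ports only) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example, not PIX code: a first-match model of how the PIX
# applies (1) the interface ACL, (2) the "aaa authentication match" ACL and
# (3) the per-user ACL downloaded from ACS/RADIUS to a single flow.
# ACE syntax follows the PIX 6.x lines quoted in the answer; only numeric
# ports are understood (no "eq www" style names).


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # 0 when the protocol has no destination port


def _parse_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse PIX-style ACEs, with or without the 'access-list NAME' prefix
    (the downloadable ACL stored on ACS has none). Lines starting with '!'
    are comments. Returns (action, proto, src_net, dst_net, dport) tuples,
    dport being None when the ACE has no 'eq PORT'."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]                      # drop 'access-list NAME'
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append((action, proto, src, dst, dport))
    return aces


def match(aces, flow):
    """First matching ACE wins; no match is the implicit deny (None)."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, src, dst, dport in aces:
        if proto != "ip" and proto != flow.proto:
            continue
        if s not in src or d not in dst:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return None


def evaluate(flow, interface_acl, auth_acl, user_acl, authenticated):
    """Order of checks as described in the answer: the interface ACL must
    let the packet in before the auth ACL can trigger authentication, and
    only then is the downloaded per-user ACL consulted."""
    if match(interface_acl, flow) != "permit":
        return "dropped by interface ACL"
    # In the auth ACL 'permit' means "authenticate this", 'deny' means "don't".
    if match(auth_acl, flow) != "permit":
        return "permitted without authentication"
    if not authenticated:
        return "authentication required (uauth challenge)"
    if match(user_acl, flow) == "permit":
        return "permitted by per-user ACL"
    return "denied by per-user ACL"


# The three ACLs from the answer above.
INTERFACE_ACL = parse_acl("""
! inside 192.168.1.0 auth trigger
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
""")

AUTH_ACL = parse_acl("""
! don't authenticate DNS and ICMP, authenticate everything else
access-list inside_authentication deny udp 192.168.1.0 255.255.255.0 any eq 53
access-list inside_authentication deny icmp 192.168.1.0 255.255.255.0 any
access-list inside_authentication permit ip 192.168.1.0 255.255.255.0 any
""")

USER_ACL = parse_acl("""
permit tcp 192.168.1.0 255.255.255.0 any eq 3389
permit tcp 192.168.1.0 255.255.255.0 any eq 80
""")

# A tighter interface ACL, to show the TAC point: if it does not also allow
# the traffic, the per-user ACL never gets the chance to permit it.
TIGHT_INTERFACE_ACL = parse_acl("""
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq 80
""")

# Constructed flows; 10.0.0.x are assumed server addresses.
RDP = Flow("tcp", "192.168.1.10", "10.0.0.5", 3389)
SMB = Flow("tcp", "192.168.1.10", "10.0.0.5", 445)
DNS = Flow("udp", "192.168.1.10", "10.0.0.53", 53)

if __name__ == "__main__":
    for name, flow, authed in [("DNS", DNS, False), ("RDP", RDP, False),
                               ("RDP", RDP, True), ("SMB", SMB, True)]:
        print(f"{name:4} authenticated={authed!s:5} ->",
              evaluate(flow, INTERFACE_ACL, AUTH_ACL, USER_ACL, authed))
    print("RDP  with tight interface ACL     ->",
          evaluate(RDP, TIGHT_INTERFACE_ACL, AUTH_ACL, USER_ACL, True))
```

Running it shows the permissive/restrictive split the answer recommends: DNS passes without a challenge because the auth ACL denies it, RDP from an unauthenticated host gets the uauth challenge, the same RDP after login is permitted by the downloaded ACL while SMB is denied by it, and with the tight interface ACL the authenticated RDP flow is dropped before the per-user ACL is ever consulted.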

  • PIX 515 and software version 6.3 (4)

    We have a PIX 515 (not a 515E). Currently we are running software version 6.2(2). I was wondering whether we can upgrade the software to version 6.3(3) or 6.3(4), or do we need to replace the hardware with a PIX 515E?

    Also, what should I do about my current PDM version 2.0(2) if it is possible to upgrade the PIX to a 6.3 version?

    Thank you.

    You can run 6.3(4) on the PIX 515. It takes at least 16 MB of flash and 32 MB of RAM.

    If you use PDM, you will need to update it as well.

    Josh

  • PIX 6.3, aaa accounting

    Hello,

    I'm trying to understand the following command:

    "aaa accounting include tcp/0 inside 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 TACACS+"

    (1.1.1.1 is a former host, 2.2.2.2 is the PIX)

    I think I get "include" (create a new rule) and "tcp/0" (the rule applies to all TCP ports).

    But 1.1.1.1 (which the PIX 6.3 command doc calls local_ip: "host or network of hosts that you want to be authenticated or authorized") - I think this would be the clients. Is this right?

    And 2.2.2.2 (called foreign_ip) is not clear at all; the doc describes foreign_ip as "hosts you want to access the local_ip address". As I have defined 2.2.2.2 as the PIX, it seems to be the PIX accessing the clients. Yet if I flip the IP addresses, I get the PIX box being the one I want authenticated, which doesn't seem right...

    I am probably completely missing what circumstances this would be used for. On my network, at present all we use AAA for is telnet logins and the commands that are run on the devices, but I know that AAA is also used to allow users access to various things...

    (The doc I'm looking at is http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1073208)

    TIA - Linnea

    You guessed it!

  • PIX 515E and remote access VPN

    I use a PIX 515E with ASDM Version 5.0(51) and PIX Version 8.0(4), configured for remote access VPN.

    I would like to get an email every time a user logs in to (and/or disconnects from) the VPN. Remote clients use the Cisco VPN Client.

    Any help is appreciated.

    Hello,

    Here is a link to configuring email logging on the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

    Then you can create a message list so that only the logs for VPN user login/logout are sent: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

    There is a related thread linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

  • 2600 router: faced with setting up the accounts user and AAA

    I use SDM to configure an Easy VPN connection and, being a newbie, I'm struggling with AAA and the creation of the necessary user account. The SDM wizard says I must have AAA enabled and a user account. I found this doc from Cisco using Google:

    http://www.Cisco.com/en/us/docs/iOS/12_2/security/configuration/guide/scfathen.html#wp1000971

    and following the instructions, I entered these commands in the CLI:

    Router(config)#aaa new-model

    Router(config)#aaa authentication login default local

    but my normal login username and password no longer worked in the CLI as soon as I did this. I had to power the router down and restart it to regain control.

    To be honest, I find Cisco's instructions really hard; I don't understand the method-list RADIUS Kerberos TACACS stuff, so I was wondering if there were simple instructions out there to set up the user account necessary to move forward with the Easy VPN wizard in SDM.

    Thanks for any pointers.

    Hello Anthony,

    Once you enable aaa new-model, all previous authentication mechanisms applied to the lines become invalid. That's why you should do one of the following:

    Do not issue 'aaa authentication login default local', or, if you are forced to by SDM, create a username for yourself with high privilege, because this command will affect the console or VTY lines whose authentication is left at default and will require a username and password each time you connect. Alternatively, you can create a list that has 'none' as a method and apply it to the console line to bypass console authentication.

    username anthony privilege 15 password xxxx

    Once you enter a username as shown above, you can connect via the console with this username and password if "aaa authentication login default local" is issued.

    The RADIUS and TACACS methods are servers that can hold the usernames with more advanced configurations. For simple authentication you can use local authentication, which is why you should not mess with RADIUS or TACACS at the moment.

    Concerning

  • MM, pix 515 and mac filtering

    I have an application called MeetingMaker located behind my PIX 515 that is used off site by 5 users. Since this program is accessed over the internet, and users may have dynamic addresses, is it possible to filter by MAC address somehow to allow access through the firewall to the app? Thank you.

    MAC addresses do not cross layer 3 boundaries. In other words, your clients' MAC addresses cannot be seen or known once the traffic passes through the default router for their subnet. So the answer to your question is "no".

    You can use AAA to handle this. How do your clients connect to the server (port/application)? If it's HTTP/S, the PIX can check for a username and password before allowing access. If it is some other application/port, you can still use authentication by requiring them to connect to a web server out there first. This will cause the PIX to authenticate them using the browser challenge, and the PIX can be configured to allow connections from authenticated hosts.

  • PIX 515E and Telnet to port 25

    When I telnet (in or out) to a mail server (using port 25) the response is:

    220-*******************

    and all commands come back as "invalid command."

    When I put the old (non-PIX) firewall back, this does not happen (the responses are complete and commands work fine).

    A lot of email is coming and going, but some mail servers cannot send us email.

    Is this a common misconfiguration, and where should I look?

    Thank you

    Mark

    Remove the fixup protocol smtp 25!

    Command to run:

    no fixup protocol smtp

    Details about this:

    The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into Xs, which are rejected by the internal server. The result is a message such as "500 unknown command: 'XXX'". Incomplete commands are discarded.

    Note that during an interactive SMTP session, various SMTP security rules may reject or hang your Telnet session. These rules include the following: SMTP commands must be at least four characters; they must end with carriage return and line feed; and you must wait for a response before issuing the next command.

    Starting with PIX Firewall software Version 5.1, the fixup protocol smtp command changes the characters of the SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored.

    In PIX Firewall software Version 4.4, all the characters in the SMTP banner are converted to asterisks.

    Reference:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

    Sincerely

    Patrick
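To make the Mail Guard behaviour Patrick describes concrete, here is an added example, not code from the thread or from Cisco: a small model of what the PIX 6.x "fixup protocol smtp" does to the banner and to each client command, run against a constructed ESMTP transcript. The inner mail server is a stub that replies the way the answer says the real one does (250 for the commands that get through, "500 unknown command" for the verbs rewritten to Xs). The banner text, hostnames and addresses are constructed; the rule that only the leading "220" survives the masking is this model's reading of the "2, 0, 0" sentence above.

```python
# Constructed model of the PIX "fixup protocol smtp" Mail Guard behaviour
# described in the answer above. Added example, not PIX code; the server side
# is a stub that answers as the thread says the inner mail server does.

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
CRLF = "\r\n"


def mask_banner(banner):
    """Server 220 greeting as seen through the PIX (5.1 and later): the
    '220' reply code survives, every other character becomes '*', and the
    terminating CR/LF is left alone so the line still ends properly."""
    code, rest = banner[:3], banner[3:]
    if rest.endswith(CRLF):
        return code + "*" * (len(rest) - 2) + CRLF
    return code + "*" * len(rest)


def filter_command(line):
    """Client command as forwarded by the PIX. Returns (forwarded, note);
    forwarded is None when the PIX discards the line instead of passing it."""
    if not line.endswith(CRLF):
        return None, "dropped: command must end with CRLF"
    body = line[:-2]
    verb = body.split(" ", 1)[0]
    if len(verb) < 4:
        return None, "dropped: command shorter than four characters"
    if verb.upper() in ALLOWED:
        return line, "forwarded"
    # Anything outside the RFC 821 minimal set has its verb rewritten to X's;
    # the inner server does not recognise it and rejects it.
    return "X" * len(verb) + body[len(verb):] + CRLF, "verb replaced with X's"


def stub_server(line):
    """Minimal inner mail server reply for whatever the filter let through."""
    verb = line[:-2].split(" ", 1)[0].upper()
    if verb == "DATA":
        return "354 End data with <CR><LF>.<CR><LF>" + CRLF
    if verb == "QUIT":
        return "221 Bye" + CRLF
    if verb in ALLOWED:
        return "250 OK" + CRLF
    return f"500 unknown command: '{verb}'" + CRLF


def session(client_lines):
    """Run a client transcript through the filter and the stub server.
    Returns (sent, forwarded, note, reply) per line; forwarded and reply
    are None for lines the PIX dropped."""
    log = []
    for line in client_lines:
        forwarded, note = filter_command(line)
        reply = stub_server(forwarded) if forwarded is not None else None
        log.append((line, forwarded, note, reply))
    return log


# Constructed transcript: an ESMTP client behind the PIX.
BANNER = "220 mail.example.net ESMTP ready" + CRLF
CLIENT = [
    "EHLO relay.example.org" + CRLF,   # ESMTP greeting, not in the RFC 821 set
    "HELO relay.example.org" + CRLF,
    "STARTTLS" + CRLF,                 # also not in the allowed set
    "MAIL FROM:<alice@example.org>" + CRLF,
    "RCPT TO:<bob@example.net>" + CRLF,
    "DATA" + CRLF,
    "QUIT" + CRLF,
    "QUIT",                            # missing CRLF: silently discarded
]

if __name__ == "__main__":
    print("S:", mask_banner(BANNER).rstrip())
    for sent, forwarded, note, reply in session(CLIENT):
        print(f"C: {sent.rstrip()!r:34} -> {note}; "
              f"S: {(reply or '').rstrip()!r}")
```

The transcript shows why "some mail servers cannot send email" while others can: a sender that opens with EHLO (every ESMTP implementation does) or tries STARTTLS gets the verb rewritten to Xs and a 500 back, and only a client that falls back to plain HELO gets through. It also reproduces the telnet symptoms Mark saw, the starred banner and "invalid command" replies.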
