PIX, PDM and AAA issues
I have a PIX 520 in the lab running 6.3.3 and PDM 3.0. I tested AAA authentication and authorization against our ACS server and ran into problems.
I have two groups set up on our ACS server. One group has unrestricted access; the other is assigned a shell command authorization set that limits the commands so that its users can view the running-config and a few other things. Users in both groups can connect to the PDM or to SSH/telnet/serial on the unit and are authenticated and authorized correctly.
The configuration below works fine, until I pull the ACS server off the network. Because there is no backup authentication or command authorization method, I am dead in the water. When this happens I can still connect via the serial console using the 'pix' username and the enable password, but I cannot run the 'enable' command to get into privileged mode, or any other command for that matter (I get a "Command authorization failed" error).
Here's a current configuration:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.2.3.4 123456 timeout 5
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
aaa authorization command TACACS+
Is it possible to set up a backup method for authentication and command authorization? If not, is there any other way around the problem I'm running into?
Let me know if you need more info. Thank you!
Hello
Sorry, I missed this earlier. This is a limitation of the PIX, and we have an open enhancement request to add multiple authorization methods to the PIX - CSCea04538. At this point, your best bet is to bug your account team to get this feature added to a future PIX release. Sorry for the inconvenience.
Scott
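As an added illustration of the lockout risk discussed in this thread (example code by the editor, not from the post or from Cisco): a small check over a PIX 6.3-style configuration that flags every console authentication and command-authorization statement whose only method is a server group with a single host and no fallback. The 'LOCAL' keyword is what such a check would look for as a fallback method; the reply above states that PIX 6.3 has no such fallback for authorization, so on that release the finding is simply the condition to be aware of before taking the ACS server offline. The sample configuration is the one posted above with TACACS+ restored.

```python
"""Flag AAA statements on a PIX-style config that depend on a single server
with no fallback method. Example code for this page, not a Cisco tool."""
import re
from collections import defaultdict

# Constructed sample: the configuration posted in the question above.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.2.3.4 123456 timeout 5
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
aaa authorization command TACACS+
"""

HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\(\S+\)\s+host\s+(\S+)")
AUTHN_RE = re.compile(r"^aaa authentication\s+(\S+)\s+console\s+(.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization\s+command\s+(.+)$")


def parse(config):
    """Return (hosts per server group, list of (service, [method groups]))."""
    hosts = defaultdict(list)
    uses = []
    for line in config.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            hosts[m.group(1)].append(m.group(2))
        elif m := AUTHN_RE.match(line):
            uses.append((m.group(1), m.group(2).split()))
        elif m := AUTHZ_RE.match(line):
            uses.append(("command-authz", m.group(1).split()))
    return hosts, uses


def lockout_findings(config):
    """One finding per service whose only method is a single server group.
    'LOCAL' as an additional method (assumed fallback syntax) clears the finding,
    as does a second server group."""
    hosts, uses = parse(config)
    findings = []
    for service, methods in uses:
        groups = [g for g in methods if g.upper() != "LOCAL"]
        has_fallback = any(g.upper() == "LOCAL" for g in methods) or len(groups) > 1
        if not has_fallback:
            n = sum(len(hosts[g]) for g in groups)
            findings.append(
                f"{service}: single method {groups} backed by {n} server host(s), no fallback"
            )
    return findings


if __name__ == "__main__":
    for finding in lockout_findings(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted configuration it reports all six statements (five console authentication lines and command authorization) as depending on one host with nothing behind it, which is exactly the outage the poster hit.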
Tags: Cisco Security
Similar Questions
-
Hello
On a PIX 515E v6.3.5.
Are there three ACLs that can come into play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends")
1. nat (0) ACL - to NOT NAT the traffic that is part of the IPSec VPN
2. Crypto ACL - ACL that determines whether the traffic is destined for the IPSec tunnel.
3. ACL - ACL to permit | deny traffic after ACL #1 and #2.
Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY for ACL #3? In other words, the sysopt doesn't participate in ACL #1 or #2 listed above?
The mirroring of ACLs that is suggested (required) on both sides of the IPSec tunnel applies to which ACL?
Thanks,
Dan
Dan
It depends:
(1) is not always used, because with a site-to-site VPN you sometimes need to NAT your internal addressing.
(2) is always needed.
(3) if "sysopt connection permit-ipsec" is configured, any ACL on the interface where the VPN terminates is bypassed. If it is not enabled, then once packets are decrypted they are checked against the ACL.
Mirrored ACLs are required.
Jon
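Added example (written for this page, not part of the thread): a checker for the "mirrored ACLs" requirement Jon mentions. It parses the "permit ip" lines of each side's crypto ACL, in the netmask form PIX uses, and reports any source/destination pair that has no swapped counterpart on the peer. The ACL names and networks below are constructed for illustration.

```python
"""Check that two crypto ACLs are mirror images of each other.
Example code for this page, not a Cisco tool."""
import ipaddress
import re

# Simplified: only 'permit ip <net> <mask> <net> <mask>' lines are considered,
# which is the form the crypto ACL takes for a PIX-to-PIX L2L tunnel.
ACL_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_crypto_acl(text):
    """Return a set of (src_network, dst_network) pairs."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(acl_a, acl_b):
    """Pairs on A with no swapped counterpart on B, and pairs on B with no
    swapped counterpart on A. Both empty means the ACLs mirror each other."""
    a = parse_crypto_acl(acl_a)
    b = parse_crypto_acl(acl_b)
    missing_in_b = {(s, d) for (s, d) in a if (d, s) not in b}
    missing_in_a = {(s, d) for (s, d) in b if (d, s) not in a}
    return missing_in_b, missing_in_a


# Constructed sample ACLs for the two ends of a tunnel.
SITE_A = """\
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
"""
SITE_B_GOOD = """\
access-list tunnel_to_a permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list tunnel_to_a permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
# Second entry points at a /24 inside A's /16: proxy identities will not match.
SITE_B_BAD = """\
access-list tunnel_to_a permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list tunnel_to_a permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, peer in (("good", SITE_B_GOOD), ("bad", SITE_B_BAD)):
        only_a, only_b = mirror_mismatches(SITE_A, peer)
        print(name, "missing on B:", only_a, "missing on A:", only_b)
```

The mismatch case is the usual symptom of a non-mirrored crypto ACL: phase 2 fails with a proxy identity error for that pair while the other pair still comes up.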
-
IPSec L2L VPN between IOS and PIX 6.3 - MTU issue?
The remote (client) side is behind a PIX 6.3(5). The head-end (server) side is a 2911 running IOS 15.0.
The IPSec tunnel comes up fine and passes traffic. However, there is one server that is not fully accessible. Note, it is mainly web traffic.
The client initiates a connection to http://server:8000. It receives a redirect to http://server:8000/somepage.jspa. Packet captures show the client acknowledges the redirect with a SYN-ACK response, but then the connection just hangs and no further packets are received in return. I noticed that the redirected page is a .jsp while the other pages that work OK are not. I also noticed some MTU and TCP MSS settings on the head-end side that are in place for another GRE VPN tunnel to a different site. So I suspect packet fragmentation. The PIX side has all default IPSec settings as well as the default MTU on the inside and outside interfaces.
When the MTU is set manually on the client computer to 1400, access to http://server:8000/somepage.jspa works fine. So I need to tweak the PIX settings. I tried adjusting the MTU size on the inside and outside interfaces as well as the "sysopt connection tcp-mss" parameter. I don't know what else to try here.
Here is a summary of the MTU settings on the head end:
Head end:
int tunnel0 (this is the GRE tunnel)
 ip mtu 1420
 tunnel source G0/0
 tunnel destination X.X.X.X
 tunnel path-mtu-discovery
crypto map vpn 1
 description GRE tunnel
 blah blah blah
crypto map vpn 2
 description IPSec tunnel
 blah blah blah
int g0/0 (outside interface)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 crypto map vpn
int g0/1 (this is the interface to the server in question)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
Ha, sorry, my bad. I read the previous post wrong.
(Note: yes, the MSS on the tunnel interface should be 40 bytes less than the MTU.)
Don't twist the MTU for TCP problems (not as a first step); it is safer to play with the MSS. The MTU may depend on other things (OSPF, for example).
Do a ping sweep with the DF bit set, varying the size (starting from 1300 bytes, for example). By doing this you want to find the maximum packet size that you can get through the IPsec tunnel. Once you have this value, subtract 40 and set that as the MSS value on the LAN interface (and adjust the PIX value too if you can).
M.
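Added example (not from the thread): the DF-bit ping sweep M. recommends, done as a binary search on payload size, with the MSS derived as path MTU minus 40. The real probe shells out to Linux iputils ping (-M do sets DF, -s is the ICMP payload size) and assumes that platform for the tester; the simulated probe models a path that only passes packets up to a given total size so the search can be checked offline.

```python
"""Find the largest DF-marked packet that crosses a path, then derive the MSS.
Example code for this page, not from the original post."""
import subprocess

IP_ICMP_HEADERS = 28   # 20-byte IPv4 header + 8-byte ICMP header
TCP_IP_HEADERS = 40    # 20-byte IPv4 + 20-byte TCP: the 40 the reply subtracts


def ping_df_probe(host, payload, count=1, timeout=2):
    """Send DF-marked ICMP echo(es) with `payload` data bytes (Linux iputils
    ping; assumed platform). True when a reply came back."""
    cmd = ["ping", "-M", "do", "-c", str(count), "-W", str(timeout),
           "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def simulated_probe(path_mtu):
    """Offline stand-in: succeeds only while payload + headers fits path_mtu."""
    return lambda host, payload: payload + IP_ICMP_HEADERS <= path_mtu


def sweep_path_mtu(host, probe, low=1300, high=1500):
    """Largest total packet size (payload + 28) between low and high that
    passes with DF set, or None if even `low` fails. Binary search so a
    1300..1500 sweep takes about eight probes instead of two hundred."""
    lo, hi = low - IP_ICMP_HEADERS, high - IP_ICMP_HEADERS
    if not probe(host, lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + IP_ICMP_HEADERS


def mss_for_path(path_mtu):
    """MSS to clamp on the LAN interface: path MTU minus the 40-byte IP+TCP headers."""
    return path_mtu - TCP_IP_HEADERS


if __name__ == "__main__":
    # Offline run against a modelled 1436-byte path; replace simulated_probe(...)
    # with ping_df_probe to sweep a real tunnel.
    mtu = sweep_path_mtu("peer", simulated_probe(1436))
    print("path MTU:", mtu, "-> ip tcp adjust-mss", mss_for_path(mtu))
```

Once the sweep settles on a value, the clamp goes on the LAN-facing interface (here g0/1), and the same number into the PIX's sysopt connection tcp-mss if that side can be adjusted.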
-
PIX with SSH connection issues
Hello
I have a PIX 506 running OS 6.2(2) which is located in a DMZ, known as the outside PIX. It's behind another PIX 506 (the inside PIX). Both PIXes have TACACS+ configured for login authentication.
Last week the outside PIX physically crashed and I replaced it with a spare PIX and completely reconfigured it.
Now I can't connect to this outside PIX using SSH, even though the access list on the inside PIX is correct and allows SSH and TACACS+. However, I can telnet to it.
I use PuTTY to connect, and when I start the SSH session to the PIX, the login window appears and disappears immediately without giving me time to do anything.
Any help would be greatly appreciated. Thanks in advance.
A.G.
##################################################
Inside PIX config:
access-list inside permit tcp Company-Interior-Net 255.255.255.0 host outsidepix-Interior-interface eq ssh
access-list inside permit tcp Company-Interior-Net 255.255.255.0 host outsidepix-Interior-interface eq telnet
access-list inside permit icmp DMZNet 255.255.255.192 Company-Interior-Net 255.255.255.0 echo
access-list inside permit icmp Company-Interior-Net 255.255.255.0 DMZNet 255.255.255.192 echo-reply
access-list dmzacl permit icmp host outsidepix-Interior-interface Company-Interior-Net 255.255.255.0 echo
access-list dmzacl permit icmp host outsidepix-Interior-interface Company-Interior-Net 255.255.255.0 echo-reply
access-list dmzacl permit tcp host outsidepix-Interior-interface host tacacs-server1 eq tacacs
access-list dmzacl permit tcp host outsidepix-Interior-interface host tacacs-server2 eq tacacs
Outside PIX config:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host tacacs-server1 1234 timeout 10
aaa-server TACACS+ (inside) host tacacs-server2 1234 timeout 10
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
telnet Company-Interior-Net 255.255.255.0 inside
telnet timeout 5
ssh Company-Interior-Net 255.255.255.0 inside
ssh DMZNet 255.255.255.192 inside
ssh timeout 5
Did you follow the steps to configure SSH? Are the hostname and domain name set on it? Did you generate the RSA keys (ca generate rsa key ...) to create the encryption keys?
-
Missing documentation for PIX v7 and ASDM v5
I just upgraded one of my PIXes to v7.
Now I'm looking for the "Cisco PIX Firewall and VPN Configuration Guide" and the "Cisco PIX Firewall Command Reference" for version 7, but I couldn't find them on the Cisco site.
Any idea where I could find them?
Maybe I need to use the ASA guides instead?
And I was unable to find documentation on how to install ASDM... When I upgraded to 6.3 I also had trouble finding the PDM 3.0 installation guide...
Any pointers would be appreciated.
On the right-hand side:
Old Site Technology Documentation
Network Security
Select "Cisco Secure PIX Firewall".
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/index.htm
-
Original title: I can't send email from Outlook Express (sudden problem). It is a new and sudden issue.
I use Outlook Express 6 and get this message: An unknown error has occurred. "Account: 'XTRA', Server: 'smtp.xtra.co.nz', Protocol: SMTP, Server Response: '421 mta01.xtra.co.nz connection refused [222.155.136.138]', Port: 25, Secure (SSL): No, Server Error: 421, Error Number: 0x800CCC67."
I continue to receive e-mails.
Hello
Did you make any changes to the computer before this problem started?
The following article might be useful:
Troubleshooting error messages that you receive when you try to send and receive e-mail in Outlook and Outlook Express
http://support.Microsoft.com/kb/813514
-
Original title: Is an upgrade a "fix" for existing system problems?
My Windows 7 Pro system has some serious hardware, internet connection and security issues.
My efforts to remedy this by restoring a system image backup failed. At this point, I'm ready for a new clean install, even if I have to buy a drive to do it. My question is whether an upgrade from Professional to Ultimate will or will not fix these bugs. Also, what causes System Restore to fail? I never turned it off, and it cannot create regular restore points.
Hello
1. Re-installing/repairing software will not fix hardware issues.
2. An operating system upgrade is not the way to solve computer problems, which can be carried forward.
3.
   1. If you use Norton, you should disable Norton Tamper Protection before using System Restore.
   http://Service1.Symantec.com/support/sharedtech.nsf/pfdocs/2005113009323013
   AVG will cause problems with SR too.
   "Temporarily disable AVG"
   http://www.Avg.com/ww-en/FAQ.Num-3857
   2. Try using System Restore in Safe Mode.
   http://Windows.Microsoft.com/en-us/Windows7/products/features/system-restore
   "Start your computer in safe mode."
   3. Malware will stop System Restore.
   Download, install, update and scan your system with the free version of Malwarebytes Anti-Malware:
   http://www.Malwarebytes.org/products/malwarebytes_free
____________________________________
We really need more details:
"My Windows 7 Pro system has some serious hardware, internet connection and security issues."
Cheers.
-
I want to confirm that the Adobe Reader 10.1.15 update is legitimate. This update apparently fixes security vulnerabilities and customer issues.
Hi Jeremiah,
Yes, the Reader 10.1.15 update is legitimate.
In fact, we released the latest patch, 10.1.16, on October 13.
You can download it here: Adobe - Acrobat: For Windows
For the release notes please refer to: https://helpx.adobe.com/acrobat/release-note/release-notes-acrobat-reader.html
Kind regards
Rave
-
PIX downloadable user ACL issues
Recently I opened a TAC case on an issue I had with downloadable user ACLs from a RADIUS server. I use user ACLs on an intranet PIX firewall that protects some servers. We have programmers who need special access, and I tried to have the ACLs assigned dynamically. It turns out TAC said that even though I had the correct ACL and it was applied to the user, I must have the same ACL permitting the traffic on the interface where the traffic comes in. That makes no sense to me, given that my goal was to get rid of permanent ACLs and not have to worry about source IP addresses. I could just have the user log in through HTTP and get the ACL. Then eventually the uauth timer kicks in and removes the ACL, so it doesn't leave a hole in the PIX. I'm totally missing the point of downloadable ACLs, so if someone could shed some light on the subject I'd appreciate it :) If anyone has a solution or a workaround to the problem I have, please don't hesitate to post! Thanks in advance!
Tony
For authentication and downloadable ACLs to work, you need two ACLs on the PIX: the interface ACL and the authentication ACL. You can think of the interface ACL as a trigger for the authentication ACL: it has to permit the traffic through in order to trigger authentication. It must also permit the same traffic as the auth ACL, which means it is sometimes easier to make the interface ACL the more permissive one and the auth ACL the more restrictive one.
For example, if you have users on 192.168.1.0/24 on the inside interface and you want them to authenticate to access Terminal Server services, you can, if you want, configure the inside access list to permit all traffic from 192.168.1.0/24
! inside auth trigger for 192.168.1.0
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
but match everything in the authentication ACL, which means that all traffic requires authentication/authorization first.
! authentication for 192.168.1.0
! don't authenticate DNS and ICMP
access-list inside_authentication deny udp 192.168.1.0 255.255.255.0 any eq 53
access-list inside_authentication deny icmp 192.168.1.0 255.255.255.0 any
! authenticate everything else
access-list inside_authentication permit ip 192.168.1.0 255.255.255.0 any
! apply access lists
access-group inside_access_in in interface inside
aaa authentication match inside_authentication inside RADIUS
Your ACS/RADIUS ACL would be configured as:
! term serv
permit tcp 192.168.1.0 255.255.255.0 any eq 3389
! http
permit tcp 192.168.1.0 255.255.255.0 any eq 80
That would give an authenticated user Terminal Server and HTTP access. Your logs will show permission denied for all other access by this user after authentication.
I hope this helps.
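Added example (editor's illustration, not part of the reply): a model of the order in which the three ACLs above are consulted for a packet arriving on the inside interface: the interface ACL first, then the authentication ACL to decide whether a uauth entry is needed, then the downloaded per-user ACL. It reproduces the TAC point that a per-user ACL cannot open anything the interface ACL blocks. The rule syntax is a simplified subset of the PIX form and the sample ACLs are constructed from the reply.

```python
"""Model of PIX interface ACL + auth ACL + downloaded user ACL evaluation.
Example code for this page, not Cisco's implementation."""
import ipaddress


def _net(tok, mask=None):
    """'any' or an address plus a PIX-style netmask -> ip_network."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text):
    """Parse lines such as 'permit tcp 192.168.1.0 255.255.255.0 any eq 3389'.
    A leading 'access-list NAME' (PIX form) is accepted; '!' comments are dropped."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]
        action, proto, i = t[0], t[1], 2
        if t[i] == "any":
            src, i = _net("any"), i + 1
        else:
            src, i = _net(t[i], t[i + 1]), i + 2
        if t[i] == "any":
            dst, i = _net("any"), i + 1
        else:
            dst, i = _net(t[i], t[i + 1]), i + 2
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules


def match(rules, proto, src, dst, port=None):
    """First-match lookup: 'permit', 'deny', or None when nothing matched
    (None is the implicit deny at the end of a PIX ACL)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and (rport is None or rport == port):
            return action
    return None


def pix_decision(interface_acl, auth_acl, user_acls, uauth, proto, src, dst, port=None):
    """Order of checks for an inbound packet on the inside interface.
    uauth maps source IP -> username for hosts that have already authenticated."""
    if match(interface_acl, proto, src, dst, port) != "permit":
        return "deny: interface acl"   # gates everything, including the auth prompt
    if match(auth_acl, proto, src, dst, port) != "permit":
        return "permit"                # not subject to auth: interface ACL alone decides
    user = uauth.get(src)
    if user is None:
        return "auth required"         # cut-through proxy challenges the host first
    if match(user_acls.get(user, []), proto, src, dst, port) == "permit":
        return "permit"
    return "deny: user acl"            # authenticated, but the downloaded ACL says no


# Constructed sample ACLs following the reply above.
INTERFACE_OPEN = parse_acl("access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any")
INTERFACE_TIGHT = parse_acl("access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq 80")
AUTH = parse_acl("""
access-list inside_authentication deny udp 192.168.1.0 255.255.255.0 any eq 53
access-list inside_authentication deny icmp 192.168.1.0 255.255.255.0 any
access-list inside_authentication permit ip 192.168.1.0 255.255.255.0 any
""")
USER_ACLS = {"tony": parse_acl("""
permit tcp 192.168.1.0 255.255.255.0 any eq 3389
permit tcp 192.168.1.0 255.255.255.0 any eq 80
""")}

if __name__ == "__main__":
    logged_in = {"192.168.1.10": "tony"}
    for iface in (INTERFACE_OPEN, INTERFACE_TIGHT):
        print(pix_decision(iface, AUTH, USER_ACLS, logged_in, "tcp", "192.168.1.10", "10.0.0.5", 3389))
```

With the open interface ACL, an authenticated host gets RDP through its downloaded ACL; with the interface ACL narrowed to port 80 the very same user and packet are dropped before the user ACL is ever consulted, which is the behaviour TAC described.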
-
PIX 515 and software version 6.3(4)
We have a PIX 515 (not a 515E). Currently we are running software version 6.2(2). I was wondering if we can upgrade the software to version 6.3(3) or 6.3(4), or do we need to replace the hardware with a PIX 515E?
Also, what should I do about my current PDM version 2.0(2) if it is possible to upgrade the PIX to a 6.3 version?
Thank you.
You can run 6.3(4) on the PIX 515. It needs at least 16 MB of flash and 32 MB of RAM.
If you use PDM, you will need to upgrade it as well.
Josh
-
PIX 6.3, aaa accounting
Hello
I'm trying to understand the following command:
"aaa accounting include tcp/0 inside 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 TACACS+"
(1.1.1.1 is a former host, 2.2.2.2 is the PIX)
I think I get 'include' (create a new rule) and "tcp/0" (the rule applies to all TCP ports).
But 1.1.1.1 (which the PIX 6.3 command reference calls local_ip - "the host or network of hosts that you want to be authenticated or authorized") - I think that would be the clients. Is this right?
And 2.2.2.2 (called foreign_ip) is not clear at all - the doc describes foreign_ip as "the hosts you want to access the local_ip address". Since I have defined 2.2.2.2 as the PIX, that makes it sound like the PIX is accessing the clients. Yet if I flip the IP addresses, I end up with the PIX as the box I want authenticated, which doesn't seem right...
I'm probably completely missing what circumstances this would be used in. On our network, so far all we use AAA for is telnet logins to devices and the commands that are run on the devices, but I know that AAA is also used to allow users access to various things...
(the doc I'm looking at is http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1073208)
TIA - Linnea
You guessed it!
-
PIX 515E and remote access VPN
I use a PIX 515E with ASDM Version: 5,0000 51 and PIX Version: 8.0(4), configured for remote access VPN.
I would like to get an email every time a user logs in to (and/or disconnects from) the VPN. Remote clients use the Cisco VPN Client.
Any help is appreciated.
Hello
Here is a link to the configuration for sending log messages by email on the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7
Then you can create a message list so that only the logs for VPN user connect/disconnect are sent: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18
There is a thread related to this here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue
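Added example (not from the reply): a host-side version of the "send only the VPN connect/disconnect messages" idea from the linked documents, for a syslog collector that receives the PIX logs instead of having the PIX mail them itself. It keeps only the session messages, extracts the user and peer address, and builds the notification mail. The message IDs used (713228 for the assigned-address message when an IPsec client connects, 113019 for session disconnect) and the field layout are the editor's assumptions about the 8.0 syslog format; the sample lines are constructed.

```python
"""Filter PIX/ASA syslog for remote-access VPN session events and build the
notification mail. Example code for this page, not a Cisco feature."""
import re
import smtplib
from email.message import EmailMessage

# Assumed message IDs: 713228 'Assigned private IP address ... to remote user'
# on IPsec client connect, 113019 'Session disconnected' on any VPN logout.
SESSION_EVENTS = {"713228": "login", "113019": "logout"}

LINE_RE = re.compile(r"%(?:PIX|ASA)-\d-(\d{6}):\s*(.*)$")
FIELD_RE = re.compile(r"(Group|Username|IP)\s*=\s*([^,]+)")


def parse_vpn_event(line):
    """Return a dict for a session login/logout line, None for anything else."""
    m = LINE_RE.search(line)
    if not m or m.group(1) not in SESSION_EVENTS:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group(2))}
    if "Username" not in fields:
        return None
    return {
        "event": SESSION_EVENTS[m.group(1)],
        "msg_id": m.group(1),
        "user": fields["Username"],
        "peer": fields.get("IP"),
        "group": fields.get("Group"),
    }


def scan(lines):
    """All session events found in an iterable of syslog lines, in order."""
    return [e for e in (parse_vpn_event(l) for l in lines) if e]


def build_mail(event, sender, recipient):
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"VPN {event['event']}: {event['user']} from {event['peer']}"
    msg.set_content(
        f"syslog {event['msg_id']} group={event['group']} "
        f"user={event['user']} peer={event['peer']}"
    )
    return msg


def send(msg, smtp_host):
    """Deliver via the local relay; not exercised offline."""
    with smtplib.SMTP(smtp_host) as s:
        s.send_message(msg)


# Constructed sample log: one connect, one unrelated connection-built message,
# one disconnect.
SAMPLE_LOG = [
    "Jan 10 09:12:01 pix %PIX-6-713228: Group = RAGROUP, Username = jsmith, "
    "IP = 203.0.113.7, Assigned private IP address 10.99.0.5 to remote user",
    "Jan 10 09:12:03 pix %PIX-6-302013: Built inbound TCP connection 12345 "
    "for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.0.0.5/443",
    "Jan 10 10:01:44 pix %PIX-4-113019: Group = RAGROUP, Username = jsmith, "
    "IP = 203.0.113.7, Session disconnected. Session Type: IPsec, "
    "Duration: 0h:49m:43s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(build_mail(ev, "pix@example.net", "noc@example.net")["Subject"])
```

On the PIX itself the equivalent is a logging list restricted to those message IDs, tied to a logging mail destination; the script is the same filter applied after the fact at the collector.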
-
2600 router: struggling with setting up user accounts and AAA
I'm using SDM to configure an Easy VPN connection and, being a newbie, I'm struggling with AAA and creating the necessary user account. The SDM wizard says I must have AAA enabled and a user account. I found this Cisco doc via Google:
http://www.Cisco.com/en/us/docs/iOS/12_2/security/configuration/guide/scfathen.html#wp1000971
and, following the instructions, I entered these commands at the CLI:
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
but my normal login username and password stopped working at the CLI as soon as I did that. I had to power the router down and restart it to regain control.
To be honest, I find the Cisco instructions really hard; I don't understand the method-list RADIUS Kerberos TACACS stuff, so I was wondering if there are simple instructions out there for setting up the user account needed to proceed with the Easy VPN wizard in SDM.
Thanks for any pointers.
Hello Anthony,
Once you enable aaa new-model, all the authentication mechanisms previously applied to the lines are invalidated. That's why you should do one of the following:
Don't issue 'aaa authentication login default local', or, if you are forced to by SDM, first create a username for yourself with a high privilege level, because this command affects the console and VTY lines whose authentication is left at the default and will require a username and password each time you connect; or you can create a list that has 'none' as its method and apply it to the console line to bypass console authentication.
username anthony privilege 15 password xxxx
Once you enter a username as shown above, you can connect via the console with this username and password when "aaa authentication login default local" is issued.
RADIUS and TACACS are methods that use servers which can hold usernames with more advanced configurations. For simple authentication you can use local authentication, which is why you shouldn't mess with RADIUS or TACACS at the moment.
Regards
-
MM, PIX 515 and MAC filtering
I have an application called MeetingMaker, located behind my PIX 515, that is used off site by 5 users. Since this program is accessed over the internet and the users may have dynamic addresses, is it possible to filter by MAC address somehow to allow access through the firewall to the app? Thank you.
MAC addresses don't cross layer-3 boundaries. In other words, your clients' MAC addresses cannot be seen or known once the traffic passes through the default router for that subnet. So the answer to your question is 'no'.
You can use AAA to handle this. How do your clients connect to the server (port/application)? If it's HTTP/S, the PIX can check for a username and password before allowing access. If it is a different application/port, you can still use authentication by requiring them to connect to a web server out there first. This will cause the PIX to authenticate them using the browser challenge, and the PIX can be configured to allow connections from authenticated hosts.
-
PIX 515E and Telnet to port 25
When I telnet (in or out) to a mail server (using port 25) the response is:
220-*******************
and all commands come back as "invalid command".
When I put the old (non-PIX) firewall back, this does not happen (the responses are complete and commands work fine).
A lot of email is coming and going, but some mail servers cannot send us email.
Is this a common misconfiguration, and where should I look?
Thank you
Mark
Delete the fixup protocol smtp 25!
Command to run:
no fixup protocol smtp
Details about this:
The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821 section 4.5.1 commands HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into Xs, which are rejected by the internal server. The result is a message such as "500 unknown command: 'XXX'". Incomplete commands are discarded.
Note that during an interactive SMTP session, the various SMTP security rules may reject or hang your Telnet session. These rules include the following: SMTP commands must be at least four characters; they must end with a carriage return and line feed; and you must wait for a response before issuing the next command.
From PIX Firewall software version 5.1 and higher, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and line feed (LF) characters are ignored.
In PIX Firewall software version 4.4, all the characters in the SMTP banner are converted to asterisks.
Reference:
Sincerely
Patrick
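Added example (written for this page, not from Patrick's reply): a model of the Mail Guard behaviour described above, so the telnet symptoms can be reproduced without a PIX. It masks the greeting the way the 5.1+ description says (only the "220" survives; the separator right after it and CR/LF are kept, an assumption based on the "220-****" banner the poster saw) and rewrites any verb outside the RFC 821 minimum set to Xs, which a stand-in server answers with "500 unknown command". The server replies are constructed.

```python
"""Model of PIX Mail Guard (fixup protocol smtp) on an SMTP session.
Example code for this page, not Cisco's implementation."""

# RFC 821 section 4.5.1 minimum command set, the only verbs Mail Guard passes.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def mask_banner(banner):
    """Keep the leading '220', the separator after it (space, or '-' for a
    multi-line greeting) and CR/LF; every other character becomes '*'."""
    out = []
    for i, ch in enumerate(banner):
        keep = i < 3 or (i == 3 and ch in " -") or ch in "\r\n"
        out.append(ch if keep else "*")
    return "".join(out)


def filter_command(line):
    """What the internal server receives for one client line. Lines without a
    terminating CRLF, or with a verb shorter than four characters, are treated
    as incomplete and dropped (None). Verbs outside ALLOWED are replaced by Xs,
    so EHLO reaches the server as XXXX and is rejected there."""
    if not line.endswith("\r\n"):
        return None
    body = line[:-2]
    verb, _, rest = body.partition(" ")
    if len(verb) < 4:
        return None
    if verb.upper() in ALLOWED:
        return line
    return "X" * len(verb) + (" " + rest if rest else "") + "\r\n"


def stub_server_reply(line):
    """Constructed stand-in for the mail server behind the PIX."""
    verb = line.rstrip("\r\n").split(" ", 1)[0].upper()
    if verb == "QUIT":
        return "221 bye\r\n"
    if verb == "DATA":
        return "354 end data with <CR><LF>.<CR><LF>\r\n"
    if verb in ALLOWED:
        return "250 OK\r\n"
    return f"500 unknown command: '{verb}'\r\n"


def mailguard_session(banner, client_lines):
    """Replay a session through Mail Guard. Returns the masked banner and a
    list of (line sent by client, line seen by server, server reply)."""
    transcript = []
    for line in client_lines:
        seen = filter_command(line)
        reply = None if seen is None else stub_server_reply(seen)
        transcript.append((line, seen, reply))
    return mask_banner(banner), transcript


if __name__ == "__main__":
    banner, transcript = mailguard_session(
        "220 mail.example.net ESMTP Postfix\r\n",
        ["EHLO me\r\n", "HELO me\r\n", "MAIL FROM:<a@example.net>\r\n", "QUI"],
    )
    print(repr(banner))
    for sent, seen, reply in transcript:
        print(repr(sent), "->", repr(seen), "=>", repr(reply))
```

The first line of the replay is the practical point: a modern sender opens with EHLO, which Mail Guard turns into XXXX, and the resulting 500 is what makes some remote mail servers give up, while a server that falls back to HELO still gets through.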