Sourcefire - module behind a nat

How do I configure the module when the module is located behind a NAT device? That is, with a NAT ID?

Let's say the remote SFR module is 192.168.1.1 and its public IP address is 1.1.1.1. The SFR Management Center is 10.10.10.10 and appears as 2.2.2.2 on the internet.

Is the NAT ID just a randomly selected value that is used on both sides?

What is the configuration for the Sourcefire module: configure manager add 2.2.2.2 nat-id 50000?

And on the MC: 1.1.1.1 nat-id 50000?

The 5.4 manual, Chapter 4, section 8 (page 128), covers this topic, but I don't think it does it very well.

Thank you

Rich

Hello

Yes, you are right. It should work. If the NAT works correctly, you should be able to register the sensor with the DC.

Let me know if you get a specific error.

Kind regards

Aastha Bhardwaj

Rate if this is useful!
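As an added worked example (not part of the original thread and not Cisco's documentation), this is what the module side of the registration looks like with the addresses from the question. `<REG-KEY>` is a placeholder for the registration key; the `session sfr` and `configure manager add` commands are the real ASA and module commands, and the optional third argument of `configure manager add` is the NAT ID.

```cisco
! Added example for the scenario in the question (placeholders in <>):
!   SFR module 192.168.1.1, seen from the internet as 1.1.1.1
!   FMC        10.10.10.10, seen from the internet as 2.2.2.2
! <REG-KEY> is any string you choose once and enter identically on both
! sides, exactly like the NAT ID (50000 is the value from the question).

! Step 1: from the ASA CLI, open a console session to the SFR module
ASA# session sfr

! Step 2: on the module CLI, point the module at the FMC's PUBLIC address
!   syntax: configure manager add <host> <registration_key> [<NAT_ID>]
> configure manager add 2.2.2.2 <REG-KEY> 50000

! Step 3: verify what the module has stored (host, key, registration state)
> show managers
```

On the FMC the matching step is done in the GUI: Devices > Device Management > Add Device, with Host 1.1.1.1, the same Registration Key and Unique NAT ID 50000. The FMC sees the registration arriving from 1.1.1.1 rather than 192.168.1.1, and the module sees 2.2.2.2 rather than 10.10.10.10, so neither side can match the other by source address alone; the shared NAT ID is what lets them pair up. The management connection (sftunnel, TCP/8305) is initiated by the module toward 2.2.2.2, so the NAT in front of the FMC must forward TCP/8305 to 10.10.10.10, while the NAT in front of the module only needs to permit the outbound connection. If the module never reaches the "completed" state, `show managers` on the module and the FMC's Health > Monitor page are the first places to look.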

Tags: Cisco Security

Similar Questions

  • Upgrade to version 6.0 SourceFire Module questions

    We have just implemented SourceFire Module version 5.4.1 on our ASA recently, but want to upgrade to version 6.0. I've been through the version 6.0 Release Notes for the upgrade, which are dated November 2015, but had a few questions that I was hoping someone here could answer:

    - Our FireSIGHT Management Center is a 64-bit virtual appliance. Can we install version 6.0 on a VMware virtual appliance running on ESXi 6.0? The release notes only list ESXi 5.1 and 5.5.

    - Which files should I use for the update? The Release Notes say to use "SourceFire_3d_Defense_Center_S3_upgrade-6.0.0-1005.sh". My choices on Cisco's Support site are: asasfr-sys-6.0.0-1005.pkg, asasfr-5500x-boot-6.0.0-1005.img and Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh. I guess the asasfr-sys-6.0.0-1005.pkg is for the FMC, and the Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh is for the ASAs. Is that right?

    - How long will the update take for the FMC and the ASAs? The ASA is a 5516-X and the release notes seem to say that the update will take about 41 minutes.

    ESXi 6.0 is not officially supported, so your experience may vary. If you get stuck, TAC may tell you that you're on your own.

    "Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh" is used to upgrade the ASA Firepower module from the Firepower Management Center.

    If you were doing a fresh build or a reimage, then you would use the boot and sys images respectively.

    41 minutes for the FMC is right. As Philip mentioned, 2 hours is a better estimate for the ASA module, especially on a smaller platform such as the 5516-X.

  • multiple clients behind a NAT IPSec

    In our head office, I have a Pix 515e which acts as our VPN server.

    Several clients at a remote office require VPN access to the corporate network, but only one can connect at a time. If a second one connects, the first is dropped.

    I suspect that this is because they are sitting behind a NATted router and all share the same public address.

    When I was first setting up the VPN groups I read an article that discussed this problem and offered a solution, but I can't seem to locate it. Is this possible on a PIX with FOS version 6.3(4)?

    Denny,

    Sounds to me like you need to enable (on your PIX, in config mode):

    > isakmp nat-traversal

    Let me know if this helps, and please rate the post if it does; if you need an explanation of NAT-T, let me know.

    Jay

  • Site to Site VPN Possible behind routers NAT on both ends?

    Good day

    After extensive research I have not found an answer, so I turn to the community.

    I'm trying to help a friend set up a VPN, but it's a scenario I have not dealt with and I hope that someone has.

    Here's the basic scheme:

    Site 1 - 172.16.23.0/24

    Site 2 - 172.16.24.0/24

    (Site 1 ASA - 172.16.23.5) - Linksys router w/ static public IP - Internet - Linksys router w/ static public IP - (Site 2 ASA - 172.16.24.5)

    Is this scenario possible with port forwarding? Are there any caveats I need to watch out for?

    I read that I'll need a route on my ASA, say the Site 1 ASA, that says... route 172.16.24.0 255.255.255.0 1.1.1.1 (pointing to the local ASA's public IP).

    I also read that I'll need one additional route in my (Site 1) Linksys router that says... route 172.16.24.0 255.255.255.0 172.16.23.5 (pointing to the local interface of the ASA).

    Thanks for all comments and suggestions.

    A

    Hi Adam,

    You are right: with port forwarding you can create an IPsec tunnel even if NAT is present on both ends.

    Also, NAT-T is a feature enabled by default on the ASA that automatically detects if the peer is behind a NAT and passes IPsec over UDP port 4500. Here is the syntax of the command:

    ASA(config)# crypto isakmp nat-traversal 20

    How NAT - T works

    Also, here is a document for your reference on building the VPN tunnel:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/119141-configure-ASA-00.html

    About routing: all traffic will go out of the ASA using the IP where the crypto map is applied; routing on the Linksys devices just needs to ensure that this IP is routed to the Internet and that there is connectivity between the 2 ASAs.

    Hope it helps

    -Randy-
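To make the port-forwarding scenario concrete, here is an added example of the Site 1 ASA side (it is not Randy's or Cisco's configuration and not from the thread). Everything in angle brackets is a placeholder; the addressing of the ASA-to-Linksys link (192.168.0.0/24) and the ASA 8.4+ `ikev1` syntax are assumptions, while `crypto isakmp nat-traversal 20` is the command Randy quotes. The Site 2 ASA gets the mirror image, and each Linksys forwards UDP/500 and UDP/4500 to its ASA's outside address.

```cisco
! Added example (assumed values, not from the thread):
!   Site 1 ASA outside 192.168.0.2/24 behind a Linksys (LAN 192.168.0.1,
!   WAN <SITE1-PUBLIC-IP>); Site 2 sits behind a Linksys with WAN
!   <SITE2-PUBLIC-IP>. Only UDP/500 and UDP/4500 are forwarded by the
!   Linksys: with NAT-T the ESP payload rides inside UDP/4500, so no
!   separate ESP forwarding is required.

! ---- Site 1 ASA ----
object network SITE1-LAN
 subnet 172.16.23.0 255.255.255.0
object network SITE2-LAN
 subnet 172.16.24.0 255.255.255.0
!
! The ASA only needs a default route to the Linksys; Site 2's public IP is
! reached through it like any other Internet destination.
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
! Interesting traffic for the tunnel
access-list L2L-SITE2 extended permit ip object SITE1-LAN object SITE2-LAN
!
! NAT exemption so site-to-site traffic keeps its real addresses
nat (inside,outside) source static SITE1-LAN SITE1-LAN destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup
!
! IKEv1 phase 1, with NAT-T keepalives every 20 seconds (Randy's command)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
! IKEv1 phase 2 (tunnel mode is the default and is what a site-to-site wants)
crypto ipsec ikev1 transform-set L2L-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITE2
crypto map OUTSIDE-MAP 10 set peer <SITE2-PUBLIC-IP>
crypto map OUTSIDE-MAP 10 set ikev1 transform-set L2L-TS
crypto map OUTSIDE-MAP interface outside
!
! The peer is identified by the address its packets arrive from, i.e. the
! Site 2 Linksys's public (post-NAT) address, so name the tunnel-group after it.
tunnel-group <SITE2-PUBLIC-IP> type ipsec-l2l
tunnel-group <SITE2-PUBLIC-IP> ipsec-attributes
 ikev1 pre-shared-key <PSK>
```

Two points worth checking once it is in place: `show crypto isakmp sa` should report the peer as `<SITE2-PUBLIC-IP>` in state MM_ACTIVE, and `show crypto ipsec sa` should show the SA using port 4500 (NAT-T encapsulation) rather than raw ESP, which is the sign that NAT-T detection worked through the two Linksys routers. If phase 1 never completes, the usual cause is a Linksys that forwards UDP/500 but not UDP/4500.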

  • Using Cisco client-to-site VPN on an ASA 5520 behind a NAT

    I apologize if this has been asked and answered in the forums. I looked, and while I found a large number of entries that were dancing all around this question, I never found anything which addressed this specific issue. We currently use an ASA 5520 as the head end of a relatively large client-to-site IPsec VPN (approximately 240 users, not concurrently). This ASA is currently sitting behind a Checkpoint firewall with a real publicly addressable IP address on its public interface. All of our clients use the legacy Cisco VPN client (not the AnyConnect one). We plan to set up a few F5 link controllers between the ISPs and the firewalls. For VPN connectivity, F5 recommends that we NAT an IP address (called a wide IP) to point back to a private IP address on the ASA and F5. My question is, will this work? I've always heard it said that the head end needed to have a public IP address, because this is what will be placed in the packets for the client to respond to.

    For further information, here's what we have now and what we are being asked to move to.

    Current

    ISP - router - firewall - ASA (public IP address as endpoint)

    Proposed

    ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - Firewall - ASA (10.X.X.X as its external interface)

    Proposed alternative

    ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - ASA (10.X.X.X as its external interface)

    Any thoughts at this point would be greatly appreciated. Thank you!

    Hello

    If there is a one-to-one static NAT on the F5 to the external interface of the ASA, then I don't think there would be any problems.
    Because when the client attempts to connect via IKE to the translated public IP, the F5 will redirect the request to the ASA outside interface that is configured for the VPN.

    In addition, ensure that UDP 500, UDP 4500 and ESP are allowed, and then you should be good to go.

    HTH

    Regards
    Mohit

  • DMVPN behind a NAT

    Hello

    Is there a way to configure a router as a spoke router where it doesn't have a PUBLIC IP address?

    It's like this:

    Spoke router -> private IP -> NAT -> Internet -> DMVPN hub router

    I tried on 12.3(14)T7.

    There is no problem having DMVPN spokes behind NAT.

    See:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/dmvpn_dt_spokes_b_nat_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1060395

    Usually on a stateful device there is no need to allow all ports for inbound traffic.

    However, UDP/500 and UDP/4500 will be required if you use tunnel protection on the DMVPN, or GRE if you don't protect it with IPsec.

    I suggest trying on a device with more recent software: 12.4(15)Tx or 12.4(24)Tx?

    Marcin

  • VPN between 2 PIX - 1 behind a NAT router.

    Hello

    I set up 2 PIXes with a VPN tunnel between them and it worked. That was during a test, well before one of the PIXes was shipped to the location where it has been deployed (with, of course, new IP addresses etc.)

    Now this PIX is placed behind a Zyxel router running NAT, and the tunnel simply will not come up. It never gets further than the 'mm_sa_setup' state.

    I am aware that the only thing that is different from when it worked is the damn NAT router, so what should I be aware of on this router? I'm going nuts :0)

    Oh, and btw, I use ESP-3DES-SHA.

    Thanks in advance,

    Rasmus

    When you activate NAT-T, the Cisco PIX automatically opens port 4500 on all active IPsec interfaces, so you should make sure that UDP port 4500 is not blocked between the two PIXes.

    Kind regards

    Mehrdad

  • Is it possible to put a DMVPN hub behind a NAT? (Spokes have a public IP address)

    I have tried for a few days and couldn't make it work. The schema and configuration are in the attachment.

    Crypto isakmp profile: QM_IDLE on both sides.

    Crypto ipsec profile: NO ipsec profile established on both sides.

    show ip nhrp (hub side): nothing is recorded at all. Empty.

    Any ideas?

    Thank you!

    Difan

    As long as the HUB has a static NAT translation it should work. Try setting your transform-set mode to transport rather than tunnel on the two spokes and the hub, shut your tunnel on the hub and the spokes and then bring it back up; does that make a difference?

  • Firepower and WinSCP - how to get files from the SFR module

    Is anyone able to use WinSCP to get a file from a Sourcefire module? I think that WinSCP has problems with the admin user not entering expert mode by default.

    I have a Windows environment and cannot get secure copy (scp) to work from the SFR command line to a Windows server with port 22 open.

    You are right. The Sourcefire module/sensor is not an SCP server, so you cannot use WinSCP to connect to it. But it acts as an SCP client, so you can use FireSIGHT or any other SCP server: copy the files to the SCP server first and then use WinSCP to get them out.

    For example:

    > expert

    > sudo scp /var/common/<file-to-be-copied> <user>@<FireSIGHT-IP>:/var/tmp

    This will copy the file to the /var/tmp directory on FireSIGHT. You can use any other SCP server as well.

    Rate if it helps.

    Yogesh

  • ISAKMP nat-t

    For the statement: isakmp nat-t

    What is it, or in what circumstances should it be used?

    Thank you for helping.

    Scott

    The command "isakmp nat-traversal" should be applied to the VPN server when the VPN client is behind a NAT/PAT device.

    The reason being that NAT/PAT on the client side will translate the original source IP to the NAT/PAT device's own (public) IP. When the VPN server receives, decrypts and analyzes the packet, it's going to come back with an error, as the original source IP does not correspond to the

    For example:

    A remote VPN client connects to a remote VPN router, and the remote VPN client is behind a NAT/PAT device such as a router or PIX.

  • SourceFire

    Hello

    I joined the Sourcefire module to our AD and am able to read the AD details, but whenever we create a rule in the access policy based on the user name in AD, the policy does not apply; the policy does work with the IP address.

    Whenever a user logs in to the system with a domain account, that user information should be received by the Sourcefire User Agent, but when we check Analysis -> Users -> User Activity, the entry is not displayed.

    Kindly help us solve this problem.

    Thank you and best regards,

    Ashok

    I had similar problems until recently. The first part of the issue is that the domain controllers should be configured to log logon/logoff events. This is done through advanced audit policies, and I set mine through a GPO that I applied to all the domain controllers. The second problem I had seemed to be with the agent. I updated my agent to 2.3, dumped all the original configuration and re-added my domain controllers. It seemed to work only when I used the fully qualified domain controller name, or localhost for the domain controller the agent was installed on. I used a domain admin service account for the polling.

    Finished last week and have been watching it. I notice in FireSIGHT that my DCs are now reporting a last-reported time and my list of user events has increased strongly.

  • Regarding the registration key for a Sourcefire module...

    Hi guys.

    I'm new to Sourcefire. I ended up reinstalling the Sourcefire module software because of a replacement of the ASA on the asset. I have the standby ASA with the Sourcefire module running.

    The previous network engineer didn't document the procedure. Where can I find this key so that I can register the rebuilt module?

    Register a device with a FireSIGHT Management Center: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-...

    Thank you guys!

    Hello

    Log in to the ASA via SSH, open a session to the SFR with the command: session sfr, and then once you are connected:

    > show managers

    You can see the registration key in this output.

    Let me know if that's what you're looking for.

    Kind regards

    Aastha Bhardwaj

    Rate if this is useful!

  • DMVPN router behind ASA - need help please.

    Hello

    After reading many other discussions on this topic, it appears that with the correct IOS and NAT-T active on the router, you can bring up DMVPN behind a NAT device.

    I tried to perform this task, but I cannot even get phase 1 going on the DMVPN. The routing was checked and I can ping the DMVPN routers' public IPs. I'm sure that the router configurations are good, but I wonder if any additional NAT is required on the ASA.

    Here is the topology:

    DMVPN hub > ASA > Internet > ASA > DMVPN branch

    The ASA on the hub side is in our data center and in production with several site-to-site tunnels and traffic to the DMZ. The DMVPN devices are a Cisco 2921 and a 1921. When I run a "debug crypto isakmp" on both routers, I see ISAKMP messages being sent on the branch DMVPN router. Nothing on the hub and no hits on the ASA ACL. I tried both the public IP address and the private IP address in the ACL on the ASA.

    I have attached the relevant configuration and can post more if necessary.

    Thank you

    Brandon

    Hello

    I finally had time to lab it.

    I used this topology:

    I have

    ASA(config)# sh run nat
    nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-4500 udp-eq-4500
    nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-500 udp-eq-500
    !
    object network HUB
     nat (INSIDE,OUTSIDE) dynamic interface

    ASA(config)# sh run access-list
    access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq isakmp
    access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq 4500

    R2#sh run inter t0

    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 1
     no ip split-horizon eigrp 1
     ip nhrp map multicast dynamic
     ip nhrp network-id 99
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN-IPSEC-PROFILE

    So it should be the same configuration that you use.

    The only thing is that I had to 'shut/no shut' the tunnel interface, and when removing some config I also needed to clear the connection on the ASA using "clear conn".

    R2#sh dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Hub, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 200.20.0.10      172.16.0.2     UP    00:11:28
         1 200.30.0.10      172.16.0.3     UP    00:11:22

    R2#

  • Cisco VPN Client behind PIX 515E -> VPN concentrator

    I'm trying to configure a client as follows:

    The user is running Cisco VPN Client 4.0. They are behind a PIX 515E running 6.1(4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow one IPsec tunnel through the firewall, I need to upgrade the PIX to 6.3 and activate "fixup protocol esp-ike".

    Is there another way to do this? I am also curious to know how much easier/better this would work if we were dealing with PPTP.

    You don't necessarily need fixup protocol esp-ike active. Does the remote hub have NAT-T encapsulation enabled so that clients behind NAT can work?

  • Validation of the IOS VPN peer identity IP with NAT-T

    I just lost a lot of time understanding this IOS behavior. My conclusion: if you work with the good old peer identity address validation in ISAKMP profiles and the peer you are talking to is located behind a NAT, you must use the private IP address of the peer in the "match identity address" command. I thought that NAT-T takes care of the translation in all required configuration sections, but here especially it seems not so much. The interesting thing is that for all other commands, you must use the public IP address.

    See the following example (showing only the relevant sections with peer-related statements inside):

    crypto keyring OUR_KEYRING
     pre-shared-key address 1.2.3.4 key <pre-shared-key-omitted>
    crypto isakmp profile PROFILE_NAME
     vrf TEST
     keyring OUR_KEYRING
     match identity address 192.168.99.5 255.255.255.255
    crypto map OUR_MAP 6 ipsec-isakmp
     set peer 1.2.3.4
     set isakmp-profile PROFILE_NAME

    Does anyone know if this is normal or if it is a bug? It would be useful and consistent if NAT-T changed the peer identity address during the phase 1 negotiation; then we would not have to deal with peers' private addressing within site-to-site VPN configs. I also think of overlapping IP scenarios that may occur when you work with private peer addressing.

    See the relevant debug output in the attachment, documenting a failed connection attempt (using the public, NATted IP of the peer in the 'match identity address' command) and a subsequent connection attempt (using the private, internal IP of the peer).

    My router is a C2951 with IOS 15.3(2)T2. The peer is an ASA (version & config unknown so far, but I'm sure the other engineer did not say anything about using a private address in their config, despite my session coming from behind a NAT router, too).

    Thanks & best regards

    Toni

    Toni,

    The problem with identity is that it is in an encrypted packet (in the MM exchange), so it cannot be changed in transit, and a host may not reliably know its own external IP address (it can make assumptions, but it doesn't know how long they are valid for).

    Also, if you "NATed" the identity you couldn't tell the difference between two devices behind the same NAT/PAT on the responder end.

    There are some IKE implementations allowing the IKE identity type and value to be specified manually. IOS is not among them.

    Yes, decoupling identity and peer IP adds flexibility, with a few corner cases which may arise.

    Yet another reason why NAT is evil?

    M.
