Tripwire to PIX/IOS/CatOS agents?

My client has installed Tripwire; they have done the Solaris agents and are now looking at my network devices.

Does anyone have experience with this? I can't find any useful information on the web about how these 'agents' work. I almost expect an agent that lives on a server and connects to get the latest configuration, rather than a process running on the box itself. However, if it IS a process that runs on the hardware platform, is it supported by Cisco, or will the first thing I hear from technical support be "Uninstall this Tripwire agent and see if the problem goes away."?

I guess you mean Tripwire Enterprise.

Tripwire supports an "agentless" node. That is how they handle most network devices, I think. The TE server (frontend) has an agent installed on it, and that agent initiates the connection and sends the commands.

Tripwire calls the rules COVR (Command Output Validation Rules). Essentially an SSH session is opened, then a "sh run" is sent, and the output is analyzed using a regular expression. You can also use the regex to find and replace certain configuration lines (such as uptime). Something I saw during the MARS implementation is that there is a maximum login banner size for the connection. I have not stumbled upon this with Tripwire, but if your connections fail, try reducing your login banner.

I highly recommend using SSH and SCP. You can configure it to use TFTP too, but if you have SSH enabled on the device, it's just cleaner. Also, make sure you use variables for credentials. This is one thing Tripwire really got right (in contrast to MARS). You can create global variables for user name and password and then pull them in as credentials when creating the node. This means you define (or redefine) the user name and password in one place instead of 500.

Make sure your client has licenses for the network nodes. You can't swap server and network nodes. In addition, make sure you get Tripwire's network rules.
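As an added example (not from the original post or from Tripwire), here is the normalise-then-compare step a COVR-style rule performs on captured "sh run" output, in Python: lines that change on every capture (uptime-dependent values and similar) are stripped with regular expressions before the capture is fingerprinted and diffed against a baseline. The volatile-line patterns and the sample captures are constructed for this example.

```python
import difflib
import hashlib
import re

# Lines of "show running-config" output that change between captures without
# the configuration itself changing. These patterns are constructed for this
# example (not Tripwire's shipped rules); a COVR-style rule would find-and-
# replace such lines before comparing captures.
VOLATILE_PATTERNS = [
    re.compile(r"^Building configuration\.\.\.$"),
    re.compile(r"^Current configuration : \d+ bytes$"),
    re.compile(r"^! Last configuration change at .*$"),
    re.compile(r"^! NVRAM config last updated at .*$"),
    re.compile(r"^ntp clock-period \d+$"),
]


def normalise(show_run: str) -> list[str]:
    """Capture as a list of lines, volatile lines dropped, trailing blanks stripped."""
    lines = []
    for raw in show_run.splitlines():
        line = raw.rstrip()
        if any(p.match(line) for p in VOLATILE_PATTERNS):
            continue
        lines.append(line)
    return lines


def fingerprint(show_run: str) -> str:
    """SHA-256 of the normalised capture; two captures of an unchanged
    configuration produce the same value, which is what gets baselined."""
    return hashlib.sha256("\n".join(normalise(show_run)).encode()).hexdigest()


def config_changes(baseline: str, current: str) -> list[str]:
    """Configuration lines removed ('- ') or added ('+ ') since the baseline,
    in file order, with volatile lines ignored."""
    delta = difflib.ndiff(normalise(baseline), normalise(current))
    return [d for d in delta if d.startswith(("- ", "+ "))]


# Constructed sample capture (not real device output).
BASELINE = """Building configuration...

Current configuration : 1284 bytes
!
! Last configuration change at 10:02:11 UTC Mon Mar 10 2008
!
version 12.3
service timestamps log datetime msec
service password-encryption
!
hostname edge-rtr1
!
ntp clock-period 17179869
ntp server 192.0.2.10
!
end
"""

# Same configuration captured later: only volatile lines differ.
RECAPTURE = BASELINE.replace("17179869", "17179912").replace(
    "1284 bytes", "1284 bytes\n! NVRAM config last updated at 10:03:40 UTC Mon Mar 10 2008"
)

# A real change: password encryption turned off and the HTTP server enabled,
# both of which a reviewer would want flagged.
CHANGED = BASELINE.replace("service password-encryption\n", "").replace(
    "hostname edge-rtr1\n", "hostname edge-rtr1\nip http server\n"
)
```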

Tags: Cisco Security

Similar Questions

  • PIX, IOS ipsec troubleshooting commands

    I'm checking the isakmp and IPsec negotiation between a PIX 535 and a 1711 router, but I don't know the commands to check Phase 1 and Phase 2 on both devices. They ping each other, so connectivity is not the problem, but I have no evidence of the negotiations going on at the other end.

    Does anyone know what the 'show #' commands are to check active Phase 1 and Phase 2 negotiations between these boxes?

    Thank you

    Marc

    Hi Marc,

    The basic show commands are 'show crypto isakmp sa' and 'show crypto ipsec sa'. To see active sessions, look for "QM_IDLE" in the isakmp sa output and for active inbound and outbound SAs in the ipsec sa output.

    Debugs are also useful for establishing where a problem might lie: 'debug crypto isakmp', 'debug crypto ipsec' and (router only) 'debug crypto engine'.

    The following doc is a good source of info.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00800949c5.shtml

    Good luck

    Paul.

  • Update IOS E PIX 506

    Hello

    I have a PIX 506E with IOS version 6.3(4). What would be the next or latest version I can go to that would be favourable for my box?

    Correct me if I'm wrong, I heard that I can't move my box to PIX IOS 7...

    See you soon

    Ramp

    Hello

    The last version that supports the 506E is 6.3(5). Although there was talk of getting the 506E to support version 7, that has not appeared, and with the release of the ASA 5505 I suspect 6.3(5) will be the latest version.

    HTH

    Andrew.

  • VPN client VPN connection behind another PIX

    I have the following problem:

    I wanted to establish the VPN client connection to the PIX over GPRS/3G, but I didn't have much luck with PIX IOS version 6.2(2).

    So I upgraded the PIX to 6.3(4) to use NAT-T, and the VPN client to version 4.0.5.

    I configured the PIX with NAT-T (isakmp nat-traversal 20), but I still had no luck; it would not get through Phase 1. As soon as I took isakmp nat-traversal off it started working, and we can connect to our servers.

    Now I want to connect with the VPN client behind our PIX to our customer's PIX network. The VPN connection establishes without problem, but we can not access the servers. If I configure NAT-T on both PIXes, or only on the customer PIX, or only on our PIX, there is no VPN connection at all.

    If I connect the VPN client behind our PIX to the customer's network and try to PING the DNS server, for example, I get the following error on our PIX:

    305006: portmap translation creation failed for protocol 50 src inside:10.10.1.x dst outside:194.x.x.x

    194.x.x.x is our customer's PIX IP address.

    I understand that an access list is missing somewhere, but I can not figure it out.

    Of course, I can configure a site-to-site VPN, but we have a few customers whose servers we look after, so it would be easier to just connect with the VPN client behind the PIX to the customer's server, instead of first dialling in and then establishing a VPN connection.

    Can you please help me?

    Thank you in advance

    The following is extracted from the ASK THE EXPERTS discussion forum with Glenn Fullage of Cisco.

    I've cut and pasted it here for you to read; I think it is the problem mentioned below:

    Question:

    Hi Glenn,

    Is the following possible?

    I have the VPN client on my PC; my LAN is protected by a PIX. I can launch the VPN client to connect to a remote PIX. The VPN client authenticates and the remote PIX assigns my PC the appropriate IP from its IP address pool.

    The problem I am facing is that I can not ping anything across the remote PIX from my PC, which is behind my PIX. Can you please guide me on what I have to do to make this work, if it is possible?

    My PC has a static IP address assigned, with the default gateway pointing to my PIX's inside interface.

    Thank you very much in advance for any help provided.

    Response from Glenn:

    First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine but then breaks when the PC is put behind a PIX, it is probably that the PIX is doing PAT, which usually breaks IPSec. Add the following command on the PIX your VPN client is behind:

    fixup protocol esp-ike

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

    If it still has issues, you can turn on NAT-T on the remote PIX that terminates the VPN; the client and the remote PIX will then encapsulate all IPSec in UDP packets, which your PIX will be able to PAT correctly. Add the following command on the remote PIX:

    isakmp nat-traversal

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

    NAT-T is an IETF standard for encapsulating IPSec packets in UDP packets.

    IPSec ESP (the protocol your encrypted data packets use) is an IP protocol; it sits directly above IP rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

    A lot of devices that do Port Address Translation (PAT) rely on a unique TCP/UDP source port number for PAT'ing. Because all PAT'ed traffic would be at the same source address, there must be some uniqueness to each of its sessions, and most devices use the TCP/UDP source port number for this. Because IPSec doesn't have one, many PAT devices fail to PAT it properly or at all, and the data transfer fails.

    When NAT-T is enabled on both end devices, they determine during tunnel setup whether there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packet in a UDP packet with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic flows normally.

    Hope that helps.

  • ACL question on PIX?

    I use PIX IOS version 7.x.

    I have a very basic question about ACLs. In Cisco router IOS, each access list has an implicit deny all at the end by default. Does the same rule apply to PIX ACLs, or do we write an explicit deny at the end of the ACL statements?

    Hello

    By default, all access lists have an implicit deny for anything you do not explicitly permit.

    I hope this helps.

    Glen

  • CSA installation

    Hello, I am quite fluent with PIX/IOS and understand the foundations. I will be installing my first CSA soon. Is the online documentation good enough to achieve this?

    TIA

    Jerome

    CSA are then automatically disabled when installed.

  • How can I remove one IP address from a given interface

    Without having to remove all of the IP addresses. I'm on PIX IOS 6.2.

    Thank you

    CRR

    Try

    .. (config) #ip address 127.0.0.1 255.255.255.255

  • Support SSHv2 matrix

    Does anyone have a link to a matrix that shows the minimum IOS/CATOS level needed by switch type, including the sup card type, to support SSHv2?

    Hello

    I would recommend you use the Feature Navigator tool

    http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

    Once you've opened it, click Search by Feature and select SSH V2 from there, and it will list all releases and platforms based on your selected feature.

    Generally, if you want to know whether an image on a particular device supports SSH, check the name of the image and look for "k9" anywhere in the name. It is a code that appears in the crypto-enabled IOS images, which is what it takes for SSH.

    Hope this helps

    If useful, please rate

    Ganesh.H

  • "vpn 3002 hardware client" and any other vpn device

    When I have a session between the 3002 Hardware Client at a remote site and a VPN 3000 series concentrator, PIX or router at the central site: "Server A" is located at the remote site and "Server B" is located at the central site. "Server A" and "Server B" communicate through the IPSEC tunnel. I know that "Server A" (at the remote site) can initiate a session to "Server B" (central site). Is it possible for "Server B" (central site) to initiate a session to "Server A" (remote site)?

    Hi sbjeong,

    If you use NMS on the 3002, both servers can initiate traffic once the IPSec tunnel between your 3002 and the VPN server (PIX, IOS, VPN3K) is established.

    Jean Marc

  • How to grant local LAN access when you are connected via a central-site

    I know how to enable local LAN access in the client connection properties, but I don't know how to allow it on the central site.

    The central site is a CISCO 1721 with a module as well as IOS IPSEC VPN.

    Thanks for any help

    Hello

    This feature is only supported when you connect to a VPN3K box; it's not available with PIX/IOS as the VPN server. Enabling it on the client side has no effect when you connect to a PIX/IOS server.

    THX

    AFAQ

  • Do you need NAT for an L2L VPN

    Hi all

    I need to create an L2L VPN tunnel between us and another local company. We use a 3845 router and the other carrier uses a 3745 router. I have created a lot of VPN tunnels in the past using NAT. In this case, I don't have to. Is it possible for a VPN tunnel to work with the same configuration without using NAT? My router and the device being connected to both have a public IP address on the same subnet.

    Thank you

    Stevan

    Hello

    Yes, you can create L2L without having to use NAT.

    See the configuration examples (under Site-to-Site VPN with PIX/IOS):

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html

    Before that, you probably have more experience with the tunnel configuration as shown in the URL below:

    http://www.Cisco.com/en/us/Partner/Tech/tk583/TK372/technologies_configuration_example09186a00800949ef.shtml

    Rgds,

    AK

  • Microsoft RPC (MSRPC) support

    All,

    I have a Windows server inside my firewall whose service must be reached via Microsoft-style RPC (MSRPC) by clients who are outside. How do I set up the firewall properly? (In case it matters, the firewall code is FWSM Version 2.3(1).)

    If I understand correctly, MSRPC works as follows. (Please alert me to mistakes.) The client wants to use a service that the server provides, but the service does not have a well-known port number. Instead, the service is identified by a well-known 'program number'. The client contacts port 135/tcp on the server, specifies the program number of its choice, and is told on what port number the service is listening. The client then proceeds to contact the service in the usual way (new connection; full TCP handshake) on the port it has learned to use.

    This behavior is a problem. The firewall must allow the client's second connection, but the destination port may not be known (or configurable in the firewall) in advance. To support MSRPC, therefore, I expect the firewall to have a fixup. There is none for MSRPC, though it does *seem* to have a non-configurable one for Sun RPC style. (See PIX Firewall & VPN Config Guide p. 5-29.) Where there is supposed to be a SunRPC fixup, the documentation example implies that you just need to identify the service port ahead of time using "rpcinfo" on the client and then configure the firewall statically. Is that really a good idea? It is possible for the service to use a different port at different times, correct? And then what is the fixup considered to do? (What fixing up is happening?)

    In any case, the documentation mentions MSRPC again in the appendix devoted to MS Exchange support and suggests using the 'established' command. The documentation for this command, however, says that it "allows outbound connections return access through the PIX Firewall." In my case, I am concerned with incoming connections.

    Thanks a lot for any advice you can offer.

    Christopher Ursich

    I'm not aware of a PIX/IOS fixup for this. But here is how Microsoft proposes to solve this problem:

    http://msdn.Microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp

    <<Very brief summary of the above document>>

    Restrict the range of TCP ports

    There are several registry settings that control the DCOM port restriction functionality. All of the named values below are located under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet (which you must create). Remember, only do this on the server machine. Clients will automatically get the right port numbers when they connect to the MCU on the server machine.

    Named value: Ports
    Type: REG_MULTI_SZ
    Value: 3000-4000 (specify one port range per line; one or more port ranges)

    Your firewall configuration

    The firewall between your server and the Internet must be configured as follows:

    Deny all incoming traffic from the Internet to your server.

    Allow incoming traffic from all clients to TCP port 135 (and UDP port 135, if necessary) on your server.

    Allow incoming traffic from all clients to TCP ports (and UDP ports, if necessary) on your server in the port range(s) indicated above.

    Greetings, Volker

  • VLAN on a Cisco 3750 G

    Is a VLAN created on a Cisco 3750G with the latest IOS a 'good' way to secure a VMware network? In this case, I'm hiding vMotion traffic, and the entire network is behind a firewall. I realize it would be better to have a dedicated and isolated switch, but is a VLAN on a reliable Cisco switch secure? Or does the safety lie elsewhere, for example in encrypting the vMotion traffic or in solid ACLs?

    Sly-

    I think you got it nailed in your post; there are some things you need to do when using VLANs to avoid trouble. The vulnerability Tom referred to has to do with IOS/CatOS decoding of VTP frames. Just like the Windows RPC/NetBIOS or SMB/CIFS vulnerabilities or other remotely exploitable vulnerabilities, it is possible to craft a frame with malicious content that could overflow a buffer, hit bad string handling (unchecked input), double-frees, etc. This type of vuln is often found by "fuzzing", where you create bad or partially wrong frames and feed them to the unit under test, in the hope of finding a crash or creating a denial of service. I remember simple tools like ISIC (IP Stack Integrity Checker) used to validate running equipment, which would occasionally cause a switch to crash, especially on older IOS. So it is not limited to control plane protocols such as VTP; this can also happen in the data plane. The data plane is much more robust because its attack surface is much more exposed to attack than protocols like VTP, and a large number of problems have been corrected. If you look back in history, there are tons of security issues in the Cisco data plane and other gear in less-used features such as IP options, fragment handling, rarely used ICMP types and codes, and TCP sequence overflows. Now, I bet that if the security research community had concentrated early on protocols such as CDP, VTP and STP, you would have seen several vulnerabilities earlier.

    So to say "don't use VLANs, otherwise you are vulnerable due to a VTP vulnerability" is equivalent to saying don't run IP on Cisco routers/switches when IP and ICMP vulnerabilities exist in the data plane.

    Now, if you had followed what Cisco and other L2 switch vendors recommend, you would not expose your VTP domain to such attacks and therefore you would not be vulnerable. Just as you would not expose your switches to receiving Spanning Tree BPDUs or dynamic routing protocol packets like OSPF, ISIS or BGP from unapproved speakers. Take a look at a blog I posted w/r/t this topic:

    http://blogs.VMware.com/Networking/2009/06/lets-talk-security-DMZs-VLANs-and-L2-attacks.html

    There is a lot of fear in the community about L2 attacks, because networks and network devices are often a mystery to server people, and a bad L2 configuration could be a source of security and stability problems. It is important to educate the community on the possible exposures, and VMware and other market leaders like Cisco take the responsibility to do so.

    Disclosure on my part: I'm speaking from operational experience implementing and running one of the largest global data center networks (Global Crossing/GlobalCenter -> later became Exodus -> Savvis) as one of the senior network engineers, and even 10 years back we would have data centers with massive switch fabrics that hosted guests like Yahoo, Ask Jeeves, etc., isolated and segmented using VLANs. If you go into a large hosted data center today, you certainly would not get your own physical switch and backbone uplink; you would share a 6500, a Foundry or a big Extreme with often 100+ other customers.

  • IPSec between an IOS device and a PIX

    Hello

    I'm not able to successfully establish an IPSec tunnel between an IOS box (2600 router) running 12.3(9) and a PIX501 running PIXOS 6.2. I see the following error on the 2600:

    *Mar 10 06:09:50.416: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
    *Mar 10 06:09:50.416: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

    And on the PIX501 the following error message:

    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 9.8.1.2, dest 9.2.1.2
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): remote peer supports dead peer detection
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): speaking to another IOS box!
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): received xauth v6 vendor id
    return status is IKMP_ERR_RETRANS
    crypto_isakmp_process_block: src 9.8.1.2, dest 9.2.1.2
    OAK_MM exchange

    I am able to ping the outside interface of one box from the other. Any idea what I might be missing?

    Thanks in advance,

    Krishna

    The commands I configured on the 2600 are as follows:

    crypto isakmp policy 1
     hash md5
     authentication pre-share
     group 2
     lifetime 1200
    crypto isakmp key cisco address 9.2.1.2
    crypto isakmp keepalive 50 10
    !
    crypto ipsec security-association lifetime seconds 1800
    !
    crypto ipsec transform-set krishnas esp-des esp-sha-hmac
    !
    !
    crypto map krishnas 1 ipsec-isakmp
     set peer 9.2.1.2
     set transform-set krishnas
     match address krishnas
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address 192.168.243.1 255.255.255.0
     speed auto
     full-duplex
    !
    interface FastEthernet0/1
     description outside interface to the cloud
     bandwidth 10000
     ip address 9.8.1.2 255.255.0.0
     speed auto
     half-duplex
     crypto map krishnas
    !
    !
    ip access-list extended krishnas
     permit ip 192.168.243.0 0.0.0.255 192.168.244.0 0.0.0.255

    The commands I configured on the PIX501:

    access-list krishnas permit ip 192.168.244.0 255.255.255.0 192.168.243.0 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set krishnas esp-des esp-sha-hmac
    crypto map krishnas 1 ipsec-isakmp
    crypto map krishnas 1 match address krishnas
    crypto map krishnas 1 set peer 9.8.1.2
    crypto map krishnas 1 set transform-set krishnas
    crypto map krishnas interface outside
    isakmp enable outside
    isakmp key cisco address 9.8.1.2 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp keepalive 50 10
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 1200

    Hello Krishna

    If possible and feasible, try to downgrade the IOS from 12.3(9) to a lower-level code such as 12.3.6. But make sure that the image is a k9 one and supports VPN. Also upgrade the PIX to 6.3.3.

    Assuming the keys are the same, your configs look ok. From the debugs it seems it's not able to get past phase 1 properly; changing the code could help.

    Regards

    Wakif

  • Is the Easy VPN client supported only on 800 series routers with PIX 7.0 IOS?

    I'm doing Easy VPN with PIX 7.0.4 IOS and a 3640 router. The 3640 router is the Easy VPN client and the PIX is the Easy VPN server. The client connects and keeps asking for the xauth parameter. I read in the release notes that this Easy VPN requires IOS 12.2 and especially for 806 routers. The PIX also supports Easy VPN client routers for the 800 series only. Urgent help required. If this is true the PIX sucks big time; they force us to buy routers. They are becoming like Microsoft. Pls help

    Assane

    According to this document

    http://www.Cisco.com/en/us/products/sw/secursw/ps5299/index.html

    Cisco Easy VPN Remote is now available on Cisco 800, 1700, 1800, 2800, 3800 and uBR900 series routers, Cisco PIX 501 and 506E security appliances and Cisco VPN 3002 Hardware Clients.

    So no support to 3640...

    M.

    Hope that helps.
