ASK THE EXPERT - SECURITY MANAGEMENT

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get tips for the four pillars of success for managed security with Cisco expert Kunjal Trivedi. Kunjal helps shape Cisco's marketing vision and strategy for its managed IP VPN and security services. He joined Cisco in 1999 as a consulting engineer, working with customers that were creating large-scale routing, switching, and security solutions. Managing the embedded security features and the roadmap for Cisco IOS Software led him to influence security best practices deployment on some of the world's largest IP infrastructure networks, and he gained an understanding of the changing needs for securing network infrastructures.

Remember to use the rating system to let Kunjal know if you have received an adequate response.

Kunjal might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 21, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

31 REPLIES
Green

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi Kunjal, do you know why mac-auth-bypass was left out of the 2950's? Should we ever expect it to be added or was it a deliberate attempt to get you to upgrade to 2960's? Thanks.

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi,

MAC Authentication Bypass is supported on multiple platforms including Catalyst 2940 so your only option is not Catalyst 2960.

Feature roadmap related questions are best answered by the Product Manager for the products, so I have asked the Cat2950 PM team, and as soon as they get back to me I will relay the answer to you.

Finally, Cat2950 is EoL now, as follows:

http://cco/en/US/products/hw/switches/ps628/prod_eol_notices_list.html

Best regards.

/kunjal

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi,

I would like to know what the pros and cons are of using the "ip tcp adjust-mss value" command versus the "no ip mtu" command on the interface. Here is my issue. I was able to telnet or ftp from a router on this end of the network to the other network, which is where my server is located, but I can't do that from the host. Pings with small packets from the host work fine, and 10000-byte ping packets come back with 40-90% success; sometimes it gets better or worse depending on the ip mtu value. But one of the network people told me he got this to work by adding "ip tcp adjust-mss 1289" to the interface. I am not convinced this is a good solution. I think this is a workaround, and I think that if I remove "ip mtu 576" from the interface this should fix the problem. The interface I am using is PPP via OSPF.

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi,

The TCP MSS value specifies the maximum amount of TCP data in a single IP datagram that the local system can accept (reassemble). The IP datagram can be fragmented into multiple packets when sent. Theoretically, this value can be as large as 65495, but such a large value is never used. Typically, an end system uses the "outgoing interface MTU" minus 40 as its reported MSS. For example, an Ethernet MSS value is 1460 (1500 - 40 = 1460).

In 12.2(4)T, this feature was introduced.

If you change the interface MTU (router or end node) then all systems connected to the same broadcast domain (wire and hub) must run the same MTU. If two systems on the same broadcast domain do not use the same MTU value, they will have trouble communicating when packets (larger than the small MTU but smaller than the big MTU) are sent from the system with the larger MTU to the system with the smaller MTU.

So by using ip tcp adjust-mss 1289/value, you will be able to solve your issue.

Best regards.

/kunjal
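As an added illustration of the MSS arithmetic in the reply above (this is example code written for this page, not from the thread or from Cisco), the Python below derives the MSS an end system advertises from its interface MTU, checks whether a segment crosses a path of mixed MTUs without fragmentation, and rewrites the MSS option of a constructed TCP SYN the way an "ip tcp adjust-mss" style clamp does on transiting SYNs. The function names, the sample option bytes and the path MTUs are all constructed for the example.

```python
"""Added example (not from the original thread or from Cisco): TCP MSS derived
from an interface MTU, and an adjust-mss style clamp applied to the MSS option
of a constructed TCP SYN. All byte strings and MTU values are constructed."""
import struct

# 20-byte IPv4 header + 20-byte TCP header without options, i.e. the
# "MTU minus 40" rule of thumb from the reply.
HEADER_OVERHEAD = 40


def mss_for_mtu(mtu: int) -> int:
    """MSS an end system normally advertises for a link with the given MTU."""
    if mtu <= HEADER_OVERHEAD:
        raise ValueError("MTU leaves no room for TCP payload")
    return mtu - HEADER_OVERHEAD


def fits_without_fragmentation(tcp_payload: int, path_mtus) -> bool:
    """True if a segment carrying tcp_payload bytes passes every hop MTU intact."""
    return tcp_payload + HEADER_OVERHEAD <= min(path_mtus)


def parse_tcp_options(options: bytes) -> list:
    """Return (kind, data) tuples; EOL (0) ends the list, NOP (1) has no length."""
    parsed, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def serialize_tcp_options(parsed) -> bytes:
    """Inverse of parse_tcp_options, zero-padded to a 4-byte boundary."""
    buf = bytearray()
    for kind, data in parsed:
        if kind == 1:
            buf.append(1)
        else:
            buf += bytes([kind, 2 + len(data)]) + data
    while len(buf) % 4:
        buf.append(0)
    return bytes(buf)


def advertised_mss(options: bytes):
    """MSS value from the kind-2 option, or None if the SYN carries none."""
    for kind, data in parse_tcp_options(options):
        if kind == 2 and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def clamp_mss_option(options: bytes, max_mss: int) -> bytes:
    """Lower the MSS option to max_mss if it advertises more (what a router's
    adjust-mss clamp does to transiting SYNs); other options are left as they are."""
    rewritten = []
    for kind, data in parse_tcp_options(options):
        if kind == 2 and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
            data = struct.pack("!H", min(mss, max_mss))
        rewritten.append((kind, data))
    return serialize_tcp_options(rewritten)


# Constructed SYN options: MSS 1460, NOP, NOP, SACK-permitted.
SAMPLE_SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"


def demo(clamp_to: int = 1289) -> dict:
    """Walk the thread's scenario: an Ethernet host behind a 576-byte PPP link."""
    path = [1500, 576, 1500]  # constructed: LAN, PPP link with ip mtu 576, far LAN
    clamped = clamp_mss_option(SAMPLE_SYN_OPTIONS, clamp_to)
    return {
        "ethernet_mss": mss_for_mtu(1500),
        "ppp_mss": mss_for_mtu(576),
        "mss_before": advertised_mss(SAMPLE_SYN_OPTIONS),
        "mss_after": advertised_mss(clamped),
        "full_segment_fits": fits_without_fragmentation(1460, path),
        "clamped_segment_fits": fits_without_fragmentation(clamp_to, path),
        "link_sized_segment_fits": fits_without_fragmentation(mss_for_mtu(576), path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the point a practitioner checks before picking a clamp value: the MSS rewrite only helps when the clamped payload plus 40 bytes of headers fits the smallest MTU on the path, so a clamp of 1289 keeps segments intact only on paths whose narrowest link is at least 1329 bytes, while a 576-byte link needs an MSS of 536 or less.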

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi Kunjal, I am interested in buying a Cisco 7600 router for my company in Nigeria. I have about 5 branch offices in one state and I wanted to know whether it can provide wireless service to the other branches; the offices are 15 to 20 miles from each other. I also wanted to know the price.

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

We have used Cisco Catalyst® 2950G-24 switch for Networking. We have configured that switch. Now IP of Server connected with that Switch is 192.168.0.2. Now some data, we want to collect from another Ethernet Device (IP address is 192.168.1.21) which is connected to one Hub. We connect Uplink of that Hub to Cisco switch via straight Ethernet cable. But we do not get data.

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi,

I have several site-to-site VPNs on my ASA, so I am obliged to do "no sysopt connection permit-vpn" in order to deny people from other sites access to my network. But when I do so I cannot access the ASA via remote VPN: I can still access everything on my network remotely, except I cannot access the ASA itself via SSH. It gives: deny access from ... to outside 192.168.0.1/22 (192.168.0.1 is on the inside!)

Is there a solution, an access-list that should be opened or something?

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi, Please review applying the filter (vpn-filter) as part of the group-policy.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1524559

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wpmkr1157979

vpn-filter

To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.

You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.

vpn-filter {value ACL name | none}

no vpn-filter

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi,

It may be the case of running port mirroring from the port where traffic is being uploaded to the port where traffic is being collected:

A SPAN port monitors traffic of a single port from a single network analyzer or RMON probe.

• Remote SPAN (RSPAN) allows network administrators to locally monitor ports in a Layer 2 switch network from any other switch in the same network. Bidirectional RSPAN is supported when the switch is used as a source switch only.

Please check (I can not really tell accurately if you need SPAN or RSPAN command from your details) if you need to run this command.

More details are at:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb64.html

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Dears,

I have a problem with the ASDM 5.2 installation on my PC

(Windows XP SP2; IE 7.0; Java 1.6.0)

The installation process freezes at the message "checking software version dependencies -- 67%"

CiscoView Device Manager currently runs with no problems.

Can I have help from you to solve the problem?

Thanks

Armando

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

I have a Cisco PIX 525 firewall 6.6(3) with three interfaces: inside (192.168.x.x),

outside (67.x.x.x) and

DMZ (172.16.x.x)

I have an IPSec site-to-site VPN tunnel to remote site 10.50.x.x. My hosts in the inside network have no problem communicating with the remote site using their native IP addresses (192.168.x.x <---> 10.50.x.x). My inside hosts communicate with DMZ hosts by NATing their addresses from 192.168.x.x to 172.16.x.x.

How can I create a 1-to-1 NAT for remote hosts to the DMZ, 10.50.x.x --> 172.16.x.x? Hosts in the remote site need to access hosts in the DMZ, and the DMZ needs to access remote hosts; DMZ hosts will only accept IP addresses in 172.16.x.x. Thanks.

Also, my PIX's serial # is 44406180332, my support contract should not expire yet.

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi Raymond,

Try to create statics for the DMZ?

static (DMZ,outside) 67.x.x.x 172.16.x.x netmask 255.255.0.0

This, of course, depends on if you have a pool of 'outside' addresses you can use to statically assign to your DMZ hosts.

Regards.

/kunjal

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

I have a Cisco 2801 router. How can I block a single IP, and can I block sites for one IP or not? Info and configuration ways, please.

best regards

Hashmatullah

Re: ASK THE EXPERT - SECURITY MANAGEMENT

I've a problem between CSA and MARS. CSA is configured to send its logs to MARS, and it is configured in MARS too. CSA has 4 thousand agents reporting to it, but MARS has not automatically added any of those agents.

The MARS model is 110R with 5.3.1, and CSA has 5.x

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Again me. Is OS version 5.4 of a Netscreen device supported in MARS? Many thanks

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

amspowerelect,

Did you check the following posting?

Hi,

It may be the case of running port mirroring from the port where traffic is being uploaded to the port where traffic is being collected:

A SPAN port monitors traffic of a single port from a single network analyzer or RMON probe.

• Remote SPAN (RSPAN) allows network administrators to locally monitor ports in a Layer 2 switch network from any other switch in the same network. Bidirectional RSPAN is supported when the switch is used as a source switch only.

Please check (I can not really tell accurately if you need SPAN or RSPAN command from your details) if you need to run this command.

More details are at:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb64.html

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hello,

In ICND part 2 v1.0 on page 8-31 it is mentioned: "CHAP ... occurs at the startup of a link and periodically thereafter to verify the identity ...". My question is: what is the default periodicity, if there is one, and how can we change or configure it and verify it?

Thanks in advance for your response !

Herman Claes, JCA Belgium

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

I have ACS for Windows to do tac with my Cisco gear.

I have RSA SecurID for VPN, and eventually I would like to use it with routers and switches on a limited basis.

I have MS AD and IAS, and I would like to use this for authentication with the Windows expiry features.

Questions:

1. Should I use ACS to "tie" all this together so that I have a central place to collect logging? (i.e. is ACS the best for this?)

2. What is being done in the industry?

3. Why does ACS only have one AD connector? I have several forests I need to authenticate with.

4. What is everybody else doing for two-factor authentication?

I have spoken with lots of vendors, CCIEs, etc., and everybody seems to scratch their heads when you need single sign-on and the ability to tie two-factor fobs to Windows accounts.

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi!

I have some questions about the ASA 5510.

My ASA has IOS 7.06 and ASDM 5.06.

It works well.

Now I want to write (update) the new IOS 7.21 and the new ASDM 5.21 onto the Cisco.

Before, I worked with routers and had no problems backing up and updating IOS.

The ASA has an activation key and is licensed.

Can I have problems with the activation key and license after updating IOS and ASDM?

What should be done first: update IOS, then ASDM,

or first update ASDM and then IOS?

Thanks

Valery

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi, I have implemented rogue AP detection and port suppression on the switches with a WLSEE. This feature works fine in the entire network except in a Catalyst 3750 stack (WS-C3750G-48PS-S ver. 12.2(25)SEC). In that stack it finds the rogue AP and detects the port where it is connected, but the suppression fails. I have attached the WLSEE log.

Thanks

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Kunjal,

I have an ASA 5520 with version 7.2(1)13. I have a few VPN groups for remote users to VPN to the corporate resources. To restrict access to the corporate LAN, I created filters (ACL) and decided to disable split-tunnelling, since an internet connection through the ASA is not tunneled and is unsecured.

My question: under the group policy for the VPN groups, I have an option for the groups to inherit the client firewall from the ASA. How does inheriting the firewall settings on the ASA work if a user connects via VPN (Cisco VPN client) to the ASA without any firewall protection on their laptop?

Also, can I stop users connecting to the ASA without any firewall protection?

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Also, is it possible to build a custom firewall on the ASA and download it to a mobile user's laptop every time they connect?

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

I have a dial 5350XM server for around 200 dial-up users who have no internet access. Can we configure it to authenticate with RSA tokens against a corporate ACE server which is also being used for VPN? If so, how do we do it?

Thanks

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi,

I have configured a Cisco 1841 IOS firewall. All works well except for POP3 traffic. If I take out the inspect rule applied outbound on the outside interface and the access list applied inbound to the outside interface, POP3 works.

So I know for sure my config is wrong.

Can someone help, please?

Here is my config:

ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall dns
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall https
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall telnet
ip inspect name firewall pop3
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 ip address 99.1.10.11 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip inspect firewall out
 ip nat outside
!
ip nat inside source list 101 interface Serial0/0/0.1 overload
!
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 time-exceeded
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 packet-too-big
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 traceroute
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 unreachable
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

--------------------------------------------------------------------------------

Replied by: p.holley - Dec 19, 2007, 2:12pm PST

This is what I got when I enabled audit-trail for pop3

Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes

This is the error message the user got on their PC.

Your message did not reach some or all of the intended recipients.

Subject: test

Sent: 12/19/2007 5:51 PM

The following recipient(s) could not be reached:

'tom@hotmail.com' on 12/19/2007 5:51 PM

550 5.7.1 <tom@hotmail.com>... Relaying denied. IP name possibly forged [99.1.10.11]

99.1.10.11 is the IP address of my router to the public internet.

Any ideas?

Also, this is only for outgoing emails; incoming works.

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi,

I will try to put my question as briefly as possible :).

Well, we have 10 offices connected by MPLS/VPN from a service provider. We have one main office where all major servers are installed and applications are running on those servers. Some applications use HTTPS and some don't use any security; some data is flowing in clear text. So we plan to have site-to-site VPN between all locations and the main location. If we upgrade all IOS to the advanced security IOS and configure site-to-site VPN, will our HTTPS applications work properly (as HTTPS is at the application level and site-to-site VPN will be at the network layer)? Or will configuring site-to-site VPN give any problems to HTTPS?

Please guide.

Thanks in advance.

Subodh Bapat

New Member

Re: ASK THE EXPERT - SECURITY MANAGEMENT

Hi,

We are using an ASA, and we are using the ASDM GUI tool to configure the devices. We are also using SDM (HTTP) for routers. Is using a GUI a security threat? Is it recommended to use command line interfaces to configure devices instead of a GUI?

Please guide.

Thanks in advance

Subodh Bapat
