Cisco Support Community

Security Blogs
Here is what I found on the Meltdown and Spectre Bug info so far.  Please feel free to add.  Please do your research and confirm with your vendor(s) before taking action.  This post is for informational purposes only.

 

 

Article on Meltdown and Spectre bug

https://meltdownattack.com/

 

VMware article:

https://www.vmware.com/security/advisories/VMSA-2018-0002.html

 

Microsoft article about speculative side-channel execution:

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

 

Cisco - TBA?


Cisco articles on this:

https://supportforums.cisco.com/t5/other-security-subjects/x86-bug-cpu-insecure/td-p/3305426

x86_bug_cpu_insecure


I am currently building python scripts to automate Cisco ISE configuration.

 

Going through the ISE documentation, I am finding some errors in the Python examples, which won't work for ISE 2.3. I will post the corrections as I find them.

 

The first one was in "get-all-internal-users.py" example. 

 

ISE 2.3 doesn't support TLS 1.0 by default. Instead it supports TLS 1.2. 

 

The default script:

 

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API by executing a Python script.                                       #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: get-all-internal-users.py                                        #
#                                                                         #
###########################################################################

import http.client
import base64
import ssl
import sys

# host and authentication credentials
host = sys.argv[1]     # "10.20.30.40"
user = sys.argv[2]     # "ersad"
password = sys.argv[3] # "Password1"

# TLS 1.0-only context: ISE 2.3 refuses this handshake
conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))
.........

 

This won't work because of the TLS version mismatch.

 

The correct version is:

 

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API by executing a Python script.                                       #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: get-all-internal-users.py                                        #
#                                                                         #
# The script should be modified to use SSL TLS v1.2 instead of TLS v1.0   #
# This is required for ISE 2.3                                            #
###########################################################################

import http.client
import base64
import ssl
import sys

# host and authentication credentials
host = sys.argv[1]     # "10.20.30.40"
user = sys.argv[2]     # "ersad"
password = sys.argv[3] # "Password1"

# TLS 1.2 context: matches what ISE 2.3 offers by default
conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))
.......
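The corrected script fixes the protocol version but keeps the warning in its own header true: a bare ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) has verify_mode CERT_NONE and check_hostname False, so any certificate, including one from a box interposed on port 9060, is accepted and the ERS admin credentials go to whoever answers. The following is an added example (not the script from the post) that keeps the TLS 1.2 requirement and adds the certificate check. It assumes the ERS internal-user collection is at /ers/config/internaluser, that ERS accepts Accept: application/json, and that the caller supplies the CA certificate (ca_bundle) that issued the ISE ERS/admin certificate; none of those details appear in the post.

```python
"""Certificate-verifying, TLS 1.2+ client for the ISE ERS internal users API.

Added example; not the post's script. Assumed: ERS path /ers/config/internaluser,
JSON via Accept header, and a CA bundle path supplied by the caller.
"""
import base64
import http.client
import json
import ssl


def make_ers_context(ca_bundle=None):
    """TLS context that pins the minimum version AND verifies the peer.

    create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True (the bare SSLContext in the post does neither);
    minimum_version keeps TLS 1.0/1.1 out even where the library offers them.
    cafile=None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx):
    """True when the context rejects untrusted or mis-named server certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def context_minimum_tls(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def basic_auth_header(user, password):
    """HTTP Basic value for the ERS admin credentials (same encoding as the post)."""
    creds = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def ers_headers(user, password):
    return {
        "Authorization": basic_auth_header(user, password),
        "Accept": "application/json",        # assumed: ERS returns JSON on request
        "Content-Type": "application/json",
    }


def get_internal_users(host, user, password, ca_bundle, port=9060, timeout=15):
    """GET the internal users collection; raises on TLS failure or non-200."""
    conn = http.client.HTTPSConnection(
        host, port, context=make_ers_context(ca_bundle), timeout=timeout)
    try:
        conn.request("GET", "/ers/config/internaluser",   # assumed ERS path
                     headers=ers_headers(user, password))
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError("ERS returned HTTP {}: {!r}".format(resp.status, body[:200]))
        return json.loads(body.decode("utf-8"))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: get-all-internal-users.py <host> <user> <password> <ca-bundle.pem>")
    print(json.dumps(get_internal_users(*sys.argv[1:5]), indent=2))
```

A failed handshake now surfaces as ssl.SSLCertVerificationError instead of silently succeeding. Like the post's script this reads the password from argv, which is visible to other users in the process list; a prompt or an environment variable is the usual fix.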


1. While configuring the manufacturing firewall I have problems getting the interface to communicate with all the subnets; I only have communication with the network that the inside address is on.

2. In which mode do the core switch and the ASA have to be configured so that they can communicate?


This article explains how to back up and restore the configuration of an ASA running on the Firepower 2100 series platform.
When you run ASA on a Firepower 2100, there are two pieces of software on the platform, FXOS and ASA, and you need to back up the configuration of both. As of ASA 9.8.2 you can back up the ASA configuration by copying the output of "show running-config". The FXOS configuration has to be recorded manually.

 

Backup ASA Configuration:

The ASA configuration can be backed up with any one of the methods below.

1) copy running-config ftp:/scp:/smb:/tftp: (copies the ASA running configuration to an FTP, SCP, SMB or TFTP server, through the Management interface or any data interface)

2) copy startup-config ftp:/scp:/smb:/tftp: (copies the ASA startup configuration to an FTP, SCP, SMB or TFTP server, through the Management interface or any data interface)

3) Simply copy the output of "show running-config" and paste it into a text file.

Restoring ASA Configuration:

The ASA configuration can be restored with either of the steps below.

1) Simply copy and paste the ASA configuration file into the ASA console/terminal.

2) copy ftp:/scp:/smb:/tftp: running-config

FXOS Configuration Backup & Restore:

Since FXOS on the FP2100 doesn't have a backup option, all of its configuration needs to be noted down manually. "show tech-support fprm" can also be used; it contains some of the configuration items below.
You may use FCM (Firepower Chassis Manager) or the FXOS CLI to configure the parameters below.

 

Firepower Chassis Manager: https://<FXOS-IP>

 


 

 

Management IP address for FXOS:
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect # set out-of-band static/DHCP

DNS Config:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # create dns

NTP / Time Config:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # set clock
firepower-2110 /system/services # set timezone
firepower-2110 /system/services # create ntp-server

DHCP Server:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # enable dhcp-server

Interface Port-Channel and interface allocation:
firepower-2110# scope eth-uplink
firepower-2110 /eth-uplink # scope fabric a
firepower-2110 /eth-uplink/fabric # create port-channel

HTTPS/SSH Service Enable/Disable:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # enable/disable https/ssh-server

FXOS HTTP/SNMP/SSH Access Restriction:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # create ip-block
firepower-2110 /system/services # create ipv6-block

FXOS Domain Configuration:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # set domain-name

Syslog:
firepower-2110# scope system
firepower-2110 /system # scope monitoring
firepower-2110 /monitoring # enable/disable syslog

FIPS & Common Criteria:
firepower-2110# scope system
firepower-2110 /system # scope security
firepower-2110 /security # enable/disable cc-mode     {Common Criteria}
firepower-2110 /security # enable/disable fips-mode   {FIPS}

Local User:
firepower-2110# scope system
firepower-2110 /system # scope security
firepower-2110 /security # create local-user / set password

Hostname:
firepower-2110# scope system
firepower-2110 /system # set name

Session Timeout:
firepower-2110# scope system
firepower-2110 /system # scope security
firepower-2110 /security # scope default-auth (set session-timeout)

 



AnyConnect 4.5MR3 (03040) for Windows, macOS and Linux is now available 

 

Release notes: 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/release/notes/b_Release_Notes_AnyConnect_4_5.html#reference_yhp_24c_ybb

 

Software download:

https://software.cisco.com/download/navigator.html?mdfid=283000185&i=rm

 

(Requires an active AnyConnect 4.x term/contract.)

Please direct any questions on software download issues to anyconnect-pricing@cisco.com.

 


Good morning. We intend to use the AnyConnect Apex license on the ISE platform, but when attempting to download the software it requests an ASA serial number?



Introduction:

The Firepower 2100 series platform can run either FTD or ASA software.

When a Firepower 2100 runs ASA, it has two pieces of software, FXOS and ASA. Each has its own management IP address, and both share the same physical interface, Management 1/1.

ASA and FXOS each have their own authentication, and likewise their own SNMP, syslog and tech-support logs.

 


 

Toggle between FXOS & ASA prompt:

From the FXOS prompt, use "connect asa" to go to the ASA prompt and "exit" to come back to FXOS.

From the ASA prompt, use "connect fxos" to go to the FXOS prompt and "exit" to come back to the ASA.

When using the console, you log in to the FXOS prompt.

SSH/telnet to the ASA management IP to access the ASA.

SSH to the FXOS management IP to access FXOS.

 

ASA & FXOS Management: 


 

To manage the ASA you have ASDM or the CLI (SSH, Telnet). To manage FXOS you have the CLI and FCM (Firepower Chassis Manager), a browser-based GUI tool.

 

FXOS useful configurations:

The default FXOS management IP address on an FP2100 running ASA is 192.168.45.45.

Verify & configure the management IP address for FXOS:

To verify the FXOS IP address:

firepower-2110# scope fabric-interconnect a

firepower-2110 /fabric-interconnect # show detail

Fire Power:

    ID: A

    Product Name: Cisco FPR 2110

    PID: FPR-2110

    VID: V01

    Vendor: Cisco Systems, Inc.

    Serial (SN): JMX202820M4

    OOB IP Addr: 192.168.45.45

    OOB Netmask: 255.255.255.0

    OOB Gateway: 192.168.45.1

    OOB Gateway Use DataPort: No

    OOB Boot Proto: Static

    OOB IPv6 Address: ::

    Prefix: 64

    OOB IPv6 Gateway: ::

    OOB IPv6 Gateway Use DataPort: No

    IPv6 Boot Proto: Static

    DHCPD Admin State: DHCP Server Enabled

   

Changing FXOS management IP address: 

firepower# scope fabric-interconnect a

firepower /fabric-interconnect #  set out-of-band static ip 10.106.143.40 netmask 255.255.255.0 gw 10.106.143.1

firepower /fabric-interconnect* # commit-buffer   (Commit buffer to save config)

 

Sometimes you may get the error below:

Error: Update failed: [Management ipv4 address (IP 10.106.143.40 / net mask 255.255.255.0 ) is not in the same network of current DHCP server IP range 192.168.45.5 - 192.168.45.10. Either disable DHCP server first or config with a different ipv4 address.]

If you get the error above, you need to either disable the DHCP server first or change the DHCP range to the same subnet as the new management IP address.

 

Disabling DHCP Server: 

firepower# scope system

firepower /system* # scope services

firepower /system* # disable dhcp-server

or 

firepower /system* # enable dhcp-server 10.106.143.10 10.106.143.20     (To enable DHCP server on FXOS) 

 

Setting Time/Timezone/NTP: 

Configuring NTP or the timezone directly on an ASA running on the FP2100 is restricted. Clock, timezone and NTP must be configured on FXOS, which syncs them to the ASA.

firepower# scope system

firepower /system* # scope services

firepower /system/services *# set clock oct 6 2017 17 12 00

firepower /system/services *# set timezone

firepower /system/services *# create ntp-server <ntp-server host/ip address>

firepower /system/services *# commit-buffer   (Commit buffer to save config)

 

DNS Configuration: 

firepower# scope system

firepower /system* # scope services

firepower /system/services *# create dns 8.8.8.8 0

firepower /system/services *# create dns 203.10.5.1 1

firepower /system/services *# commit-buffer   (Commit buffer to save config)

 

Discard Changes: 

"discard-buffer" can be used to discard pending changes before they are committed.
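The DHCP-range error above is easy to hit when re-addressing a freshly unboxed unit, because the default pool lives in 192.168.45.0/24 and the new management subnet usually does not. The following is an added example, not part of the post: it parses the "show detail" output shown above, reproduces the subnet check FXOS performs, and emits the commands in an order that disables the DHCP server before the address change when the pool would not fit. The sample output is constructed from the post's values; "top" (return to the root scope before entering the next one) is assumed to behave as in the UCS-style FXOS CLI and is not shown in the post.

```python
"""Plan an FXOS out-of-band management IP change without tripping the DHCP error.

Added example, not from the post. SAMPLE_SHOW_DETAIL is constructed from the
values in the post's "scope fabric-interconnect a / show detail" output.
"""
import ipaddress
import re

SAMPLE_SHOW_DETAIL = """\
    ID: A
    Product Name: Cisco FPR 2110
    PID: FPR-2110
    OOB IP Addr: 192.168.45.45
    OOB Netmask: 255.255.255.0
    OOB Gateway: 192.168.45.1
    OOB Boot Proto: Static
    DHCPD Admin State: DHCP Server Enabled
"""

_FIELDS = ("OOB IP Addr", "OOB Netmask", "OOB Gateway", "OOB Boot Proto", "DHCPD Admin State")
_LINE_RE = re.compile(r"\s*(" + "|".join(re.escape(f) for f in _FIELDS) + r"):\s*(.*\S)")


def parse_fabric_interconnect_detail(text):
    """Return the management-relevant fields of `show detail` as a dict."""
    fields = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def dhcp_range_fits(new_ip, netmask, dhcp_start, dhcp_end):
    """True if both ends of the DHCP pool lie inside the new management subnet.

    This is the condition behind the FXOS error "is not in the same network of
    current DHCP server IP range ...".
    """
    net = ipaddress.IPv4Network("{}/{}".format(new_ip, netmask), strict=False)
    return all(ipaddress.IPv4Address(a) in net for a in (dhcp_start, dhcp_end))


def plan_mgmt_ip_change(detail, new_ip, netmask, gateway, dhcp_range=None):
    """Ordered FXOS CLI lines that move the OOB address safely.

    detail     -- dict from parse_fabric_interconnect_detail()
    dhcp_range -- (start, end) of the currently configured pool, or None if unknown
    If the DHCP server is enabled and its pool is outside (or unknown relative to)
    the new subnet, disable it first; otherwise FXOS rejects the set command.
    """
    net = ipaddress.IPv4Network("{}/{}".format(new_ip, netmask), strict=False)
    if ipaddress.IPv4Address(gateway) not in net:
        raise ValueError("gateway {} is not inside {}".format(gateway, net))

    cmds = []
    dhcp_enabled = detail.get("DHCPD Admin State", "").endswith("Enabled")
    if dhcp_enabled and (dhcp_range is None or not dhcp_range_fits(new_ip, netmask, *dhcp_range)):
        cmds += ["scope system", "scope services", "disable dhcp-server", "commit-buffer",
                 "top"]  # assumed: 'top' returns to the root scope
    cmds += ["scope fabric-interconnect a",
             "set out-of-band static ip {} netmask {} gw {}".format(new_ip, netmask, gateway),
             "commit-buffer"]
    return cmds


if __name__ == "__main__":
    current = parse_fabric_interconnect_detail(SAMPLE_SHOW_DETAIL)
    print("current OOB:", current["OOB IP Addr"], current["OOB Netmask"], current["OOB Gateway"])
    for line in plan_mgmt_ip_change(current, "10.106.143.40", "255.255.255.0", "10.106.143.1",
                                    ("192.168.45.5", "192.168.45.10")):
        print(line)
```

Re-enabling DHCP afterwards with a pool inside the new subnet ("enable dhcp-server 10.106.143.10 10.106.143.20" in the post) is a separate decision; a DHCP server on the management network is rarely wanted once the address is static.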


Cisco Email and Web Security training courses are designed to provide you with up-to-date knowledge and skills to successfully evaluate, integrate, deploy, and support Cisco Email and Web Security products and solutions.

 

Instructor-Led Training

Securing Email with Cisco Email Security Appliance (SESA) is a three-day instructor-led training course that provides students with information and practical hands-on reinforcement activities to prepare them to configure, administer, monitor, and conduct basic troubleshooting tasks on the Cisco Email Security Appliance.

Securing the Web with Cisco Web Security Appliance (SWSA) is a comprehensive, two-day course for customers and partners that provides students with hands-on labs, demonstrations and presentations focusing on installing, configuring, operating, troubleshooting, and maintaining the Cisco Web Security Appliance.

 

Cisco Email and Web Security Exams

Cisco Email and Web Security exams are available through Pearson VUE testing centers worldwide.

Exam      Code   Description
700-280   ESFE   Email Security for Field Engineers
700-281   WSFE   Web Security for Field Engineers
646-580   ASAM   Advanced Security for Account Managers
642-584   SSSE   Security Solutions for System Engineers

 

Channel Partner Training

Cisco Email and Web Security Training is available for Channel Partners. Please consult the Global Learning Locator to locate a class near you.

Log in to Cisco Partner Central for information on the Partner Program.

 

This information was provided from the following:

http://www.cisco.com/c/en/us/training-events/training-certifications/supplemental-training/email-and-web-security.html


July 19, 2017

Cisco has rolled out a new Data Loss Prevention (DLP) solution starting with AsyncOS 11.0 for  on premise Cisco Email Security Appliances (ESA), and Cisco's Cloud Email Security (CES). The Cisco DLP solution replaces the existing RSA DLP solution available on AsyncOS 10.0.x and earlier releases. Cisco's DLP solution allows seamless migration of all the existing DLP policies created in RSA DLP to the new Cisco DLP engine. After the upgrade, you can view or modify the migrated DLP policies from the Mail Policies > DLP Policy Manager page in the ESA's web interface. For more information, see the “Data Loss Prevention” chapter in the User Guide for AsyncOS 11.0 for Cisco Email Security Appliances.

RSA had previously announced the End of Life (EOL) of the RSA Data Loss Prevention Suite. The last date of support from RSA for DLP is December 31st, 2017. Beyond December 31st, 2017, Cisco will still provide technical support assistance on the ESA for anything relating to the RSA DLP solution; however, Cisco will not provide feature upgrades or bug fixes for RSA's DLP solution on ESAs running 10.0.x and earlier releases.

Note: There is no support for RSA Enterprise Manager integration in AsyncOS 11.0 and later. If you have DLP policies created in RSA Enterprise Manager, you must recreate those policies on your appliance after the upgrade.

To ensure continued support for DLP on the Cisco ESA, customers on AsyncOS 10.0.x or earlier releases are requested to migrate to AsyncOS 11.0 at their earliest opportunity.

Please contact TAC for additional information.


Router Security Audit Control No 1

Control -

Control Objective -

Audit Test -

Evidence -

Reference to ISO/IEC 27001:2013 -

Risks -

Risk Mitigation -

Special Notes -


AnyConnect Apple iOS - Transition to Apple's latest VPN framework (NetworkExtension)

On approximately June 14, 2017, we will begin the public transition of AnyConnect from Apple's deprecated iOS VPN framework (VPN Plugin), which AnyConnect currently uses, to Apple's current VPN framework (NetworkExtension). The new framework allows more reliable VPN connectivity and also lets us officially support Per App VPN connectivity, not just for TCP applications but for UDP applications as well. Per App support requires EMM configuration.

 

Transition timeline and process -


Approximately June 14, 2017: an additional (new) AnyConnect application will appear in the App Store. This new application is supported on iOS 10.x and later. We recommend always using the latest version of iOS 10.x or later, as Apple has provided bug fixes that improve the reliability of this newer framework.

Subject to App Store approval, the old application will be renamed Cisco Legacy AnyConnect and rebranded with legacy branding in the same timeframe.

 

Phase out of legacy AnyConnect -

 

The legacy application (existing older AnyConnect) will only receive critical bug fixes going forward and will be phased out over an extended period of time. More details on the phase out timing will be announced at a later date.

 

Transition process -

 

Unfortunately there is no way to automatically transition users from the old framework to the new one. Users will need to download the new AnyConnect application, or have EMM push it out. The new application must be re-provisioned, whether manually or via EMM, including pushing down configuration and certificates (if applicable). To avoid confusion or conflicts, the old application should be removed from the endpoint.

 

EMM configuration -

 

EMM vendors must support VPNType (VPN), VPNSubType (com.cisco.anyconnect) and ProviderType (packet-tunnel). For integration with ISE, they must be able to pass the UniqueIdentifier to AnyConnect, since AnyConnect no longer has direct access to it in the new framework. Consult your EMM vendor for how to set this up: some may require it to be configured as a "custom" VPN type, and others may not have support available at release time.

 

Questions?

Please direct any questions to ac-mobile-feedback@cisco.com.


Hey guys,

I hope everyone is doing alright today.

Today I will be showing you how to fix the rommon issue on the ASA5525. I'm going to link my YouTube video on how to fix the rommon issue. Don't forget to like my video and subscribe to my channel for more videos.

YouTube link: https://www.youtube.com/watch?v=ln3KtEv_pPI

How to fix the rommon issue on the ASA5525

Here is a step-by-step guide on how to fix the rommon issue on the ASA5525:

Step 1: If your ASA5525 firewall boots to rommon on the first boot, that means the firewall you are running is having an issue.

Step 2: As you can see in the video, the amber LED on the alarm was not because the firewall was in rommon, but because the unit was having a hardware issue. It can be the power supply, fan, memory, etc.

Step 3: In rommon, type "boot flash" or just "boot" to boot the software the ASA5525 is running.

Step 4: After you are able to boot into the ASA, type "enable" and press "enter" twice to enter the ASA console as default.

Step 5: Check your show version by typing the command "show ver" or "show version" to see whether the config register is set to the right value or not. The config register should be set to "0x1".

Step 6: If the config register shows something other than "0x1", you need to change it to "0x1".

Step 7: Save the configuration by typing the command "wr" or "write", then reload.

If you follow all the steps above, you shouldn't have any issue booting the ASA5525 normally.

If this video was helpful to you, please like, share, comment and subscribe to my channel.

I hope you guys have a wonderful day.

Kind regards,

Sam


Integration to authenticate AAA via RADIUS for Cisco Prime Network Registrar (PNR) devices and its Prime Cable Provisioning (PCP) module in ACS 5.x.


This is a living document and will be updated as and when required.

Q1: Why do we keep a backup?

A1: We keep a backup because we need a record of every change made to the router configuration file. If an untoward incident damages the hardware, the software, or both, the administrator can easily retrieve the configuration; otherwise they would have to reconstruct a complex router configuration file from memory. With a backup of the last working configuration file, you can usually get a router working again within minutes of fixing the hardware or software problem.