Archive

Archive for the ‘ASA’ Category

October 25th, 2009

Problem:

While establishing a VPN to PIX/ASA, IKE Phase I fails.


Solution:

Try to change from SHA to MD5, and make sure to modify the crypto map accordingly or you will get the following error: “Invalid SPI size (PayloadNotify:116)”

ASA, VPN, troubleshooting , , ,

Read-only user for ASDM using ACS

October 22nd, 2009

Here is how to configure users with different privilege levels for use in ASDM for ASA or PIX considering that AAA is configured to access the box.

On ASA:
- Make ASA take privilege levels into consideration (they are ignored by default, and if no AAA is configured, next step can be skipped):
configuration –> Device Management –> Users/AAA –> AAA Access –> Authorization
enable “enable authorization for ASA commmand access” and set it to “LOCAL”

- to make ASA get the privilege level from ACS
enable “Perform authorization for exec shell access” and set it to “Remote server”

On ACS:
(for TACACS+)
go to Group Setup –> Edit
under “TACACS+” Settings:
- check “Shell (exec)”
- check “Privilege level”
- set “Privilege level” to 5 (or whatever level you want, 5 for read-only, 3 for monitor only)
- create a user and assign to group
if a user doesn’t have the ACS settings, he cant access at all, so this should be configured for all users, even the ones with full access (level 15).


ASA, howto, security , , , , , , ,

URL Filtering on PIX/ASA

May 25th, 2009

192.168.1.10 can only access battikh.com, everyone else can access anything.

regex battikh battikh\.com

access-list allow_battikh_acl extended permit tcp host 192.168.1.10 any eq 80
access-list allow_battikh_acl extended deny tcp any any eq 80

class-map type inspect http match-all allow-url-class
match not request header host regex battikh
class-map allow-user-class
match access-list allow_battikh_acl

policy-map type inspect http allow-url-policy
parameters
class allow-url-class
drop-connection
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy

service-policy allow-user-url-policy interface inside

ASA, howto, security , , , , ,