ASA 5580 supports NetFlow
The ASA 5580 appears to support NetFlow v9.
The New Features for 8.0(3) are as follows.
New Features
This section lists the new features for Version 8.0(3). All new features are supported in ASDM Version 6.0(3).
AnyConnect RSA SoftID API Integration
Provides support for AnyConnect VPN clients to communicate directly with RSA SoftID for obtaining user tokencodes. It also provides the ability to specify SoftID message support for a connection profile (tunnel group), and the ability to configure SDI messages on the security appliance that match SDI messages received through a RADIUS proxy. This feature ensures the prompts displayed to the remote client user are appropriate for the action required during authentication and the AnyConnect client responds successfully to authentication challenges.
IP Address Reuse Delay
Delays the reuse of an IP address after it has been returned to the IP address pool. Increasing the delay prevents problems the security appliance may experience when an IP address is returned to the pool and reassigned quickly.
WAAS and ASA Interoperability
The [no] inspect waas command is added to enable WAAS inspection in the policy-map class configuration mode. This CLI is integrated into Modular Policy Framework for maximum flexibility in configuring the feature. The [no] inspect waas command can be configured under a default inspection class and under a custom class-map. This inspection service is not enabled by default.
The keyword option waas is added to the show service-policy inspect command to display WAAS statistics.
show service-policy inspect waas
A new system log message is generated when WAAS optimization is detected on a connection. All L7 inspection services including IPS are bypassed on WAAS optimized connections.
System Log Number and Format:
%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.
A new connection flag "W" is added in the WAAS connection. The show conn detail command is updated to reflect the new flag.
The transfer volume (Bytes) shown in 302014 appears to be the total for both directions, sent and received. (The manual only says "transfer volume".) 302016 is presumed to be the same.
302013 comes in two forms, inbound and outbound. When reading a log line, for inbound read from the left as source information then destination information; for outbound read as destination information then source information. The same applies to 302015.
inbound ... for (source information) to (destination information)
outbound ... for (destination information) to (source information)
To find out who, when, to where, and with which application (by port number) was communicating, search for 302013 and 302015. Next check whether the message says Built inbound or Built outbound. If inbound, the source information follows "for" and the destination information follows "to"; reading the information after "to" identifies the destination and (in most cases) lets you infer the application.
If outbound, source and destination are reversed, and the destination information follows "for".
The switch ports on the ASA 5505 do not support spanning tree, so take care when cabling the LAN that a misconnection does not create a loop. In some cases the device becomes unmanageable, so measures such as shutting down unused ports may be necessary.
At present, this matter does not appear to have been covered in Japan.
Cisco and Trend Micro Extend Relationship
Companies sign definitive agreement to broaden security collaboration
SAN JOSE, Calif., August 30, 2007 - Cisco® Systems today reaffirmed its relationship with Trend Micro Incorporated by announcing the signing of an agreement to extend Trend Micro security services incorporated into Cisco's network infrastructure products.
The agreement advances the two companies' relationship, which started in 2004 when they began plans to incorporate Trend Micro's content security services into Cisco's Adaptive Security Appliance family. In addition to the Cisco ASA collaboration, Trend Micro became one of Cisco's first Network Admission Control partners. Under this agreement, the companies now will work closely on integrating additional content security services into Cisco's routing offerings.
In addition, as part of the two companies' ongoing collaboration, Trend Micro has delivered Trend Micro's Damage Cleanup Services for Cisco's Mitigation, Analysis and Response System to further the vision of Cisco's Self-Defending Network. This service enhances collaborative protection and incident response across enterprise networks.
"Our work with Trend Micro will continue to support our Self-Defending Network vision and enhances our ability to provide end-to-end security that combines network, application, and content protection," said Tom Russell, senior director of product management for Cisco's Security Technology Group. "We are happy to continue collaborating with Trend Micro."
"Trend Micro is very pleased with the momentum we are building with Cisco Systems. Through the strengthening of our relationship with Cisco, we are continuing to further the delivery of security within the network infrastructure," said Punit Minocha, vice president of business development for Trend Micro. "Our shared commitment to provide the most comprehensive and flexible network security solutions enables us to help protect customers against new classes of threats that are increasingly unpredictable and complex."
CS-MARS, Damage Cleanup Services Pricing and Availability
Trend Micro Damage Cleanup Services for Cisco Security MARS is available directly from Trend Micro starting at $2,000 per year in North America, renewed annually. Damage Cleanup Services will be priced according to the CS-MARS appliance purchased by the customer.
About Cisco
Cisco, (NASDAQ: CSCO), is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.
# # #
Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. This document is Cisco Public Information.
From the ASDM Home screen, click Firewall Dashboard.
Firewall Dashboard, left side: graphs of the connection count and NAT translation count, of packets denied by access lists and packets denied by application inspection, and of scanning attacks and SYN attacks (port scans and DoS attacks) are displayed in real time.
Firewall Dashboard, right side: the top 10 access lists (rules) hit, and the top 10 most-used services, sources and destinations are graphed in real time. For either graph, pull down "Display" and choose Table, Bar or Pie to show the data as a table, bar chart or pie chart.
From the ASDM View pull-down menu, uncheck Device List.
The Device List disappears and the Device Dashboard is displayed.
Device Dashboard, left side: the device's hostname, uptime, version, firewall mode, context mode (virtual firewalls), flash size, DRAM size, current number of VPN sessions, and CPU and memory utilization are displayed in real time.
Device Dashboard, right side: interface name, IP address, mask, line protocol up/down, link up/down, bandwidth in use, per-second TCP and UDP connection usage, and bandwidth usage of the 'outside' interface are displayed in real time.
At least 256 MB of memory is required.
ASDM also moves to v6, and the UI changes.
Previously, service groups had to be created per protocol (TCP, UDP, and so on), but this version removes that restriction: multiple IP protocols such as TCP, UDP and ICMP can be combined in one group.
Detection of attacks such as DoS and scanning also appears to be possible now.
EIGRP is also supported.
Most of the enhancements concern SSL VPN.
Correction: PIX is also supported.
As for Version 8, presentation articles have been added but it has not yet been released.
Presentation list
http://www.cisco.com/en/US/products/ps6120/prod_presentation_list.html
Presentation on Version 8
http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1161/cdccont_0900aecd805c768e.pdf
Cisco aims for greater transparency of the technology behind VPNs
Cisco Systems (NASDAQ:CSCO) has been in the VPN market for more than ten years. Initially the company focused on IPSec VPN, but in recent years it has been promoting SSL VPN. VPN is regarded as a mature technology, but there is still room for innovation.
Cisco is currently innovating in large-scale VPN deployment and remote access. One such effort is a technology that bridges the gap between SSL VPN and IPSec VPN, scheduled to reach the market in the first half of 2007.
According to Bob Berlin, Cisco's director of product marketing, the company has shipped tens of millions of IPSec VPNs to date, probably more than all of its competitors combined.
IPSec VPN is cheaper to deploy than SSL VPN, but its deployment and management are often more complex. Cisco's next VPN software (version '7.3'), due for release in 2007, increases client-side transparency regardless of whether IPSec VPN or SSL VPN is in use.
In an interview, Berlin said the following about transparency: "End users neither care nor want to know whether they are connected over IPSec VPN or SSL VPN. From the user's point of view that is the ultimate goal. They are just trying to connect somewhere; why should they care (about the underlying technology)?"
He added, however, that "from an IT management perspective, the service level and the nature of the secure connection differ between IPSec VPN and SSL VPN, so (the difference in the underlying technology) matters a great deal."
A Cisco VPN Client data sheet was added to CCO Japan. (30 November 2006)
Cisco VPN Client data sheet
Table 2 Remote access feature comparison
| Feature | Cisco VPN 3000 | Cisco ASA 5500 | Cisco PIX Security Appliance | Cisco IOS |
|---|---|---|---|---|
| Version used for the comparison | 4.7 | 7.0 | 7.0 | 12.3(8)T or 12.2(18)SX |
| OS support for all Cisco Easy VPN Clients | ○ | ○ | ○ | ○ |
| Compatibility testing with the Apani (Mac OS 8/9) VPN Client | ○ | × | × | × |
| Basic client features | | | | |
| DES/3DES, MD5/SHA | ○ | ○ | ○ | ○ |
| AES (128-, 256-bit) | ○ | ○ | ○ | ○ |
| Pre-shared secret key (group) | ○ | ○ | ○ | ○ |
| DNS, WINS, default domain, IP | ○ | ○ | ○ | ○ |
| Split DNS support | ○ | ○ | ○ | ○ |
| DDNS/DHCP (computer name registration) | ○ | ○ | ○ | × |
| Automatic connection start | ○ | ○ | ○ | ○ |
| Authentication | | | | |
| RADIUS | ○ | ○ | ○ | ○ |
| RADIUS (with State + Reply token) | ○ | ○ | ○ | ○ |
| RADIUS (with NT password expiry) | ○ | ○ | ○ | ○ |
| Native RSA SecurID (SDI) | ○ | ○ | ○ | × |
| Native Kerberos/Active Directory | ○ | ○ | ○ | × |
| Native NT Domain | ○ | ○ | ○ | × |
| Certificates/Entelligence/smart cards | ○ | ○ | ○ | ○ |
| Dead Peer Detection (DPD) | ○ | ○ | ○ | ○ |
| Backup server list (client) | ○ | ○ | ○ | ○ |
| Backup server list (centrally managed) | ○ | ○ | ○ | ○ |
| Rekeying | ○ | ○ | ○ | ○ |
| Idle timeout support | ○ | ○ | ○ | ○ |
| Maximum connection limit | ○ | ○ | ○ | ○ |
| Per-user IP filter | ○ (including dynamic ACLs) | ○ (including dynamic ACLs) | ○ (including dynamic ACLs) | ○ (using ACLs) |
| RADIUS group lock | ○ | ○ | ○ | ○ |
| Address assignment | | | | |
| Internal address pool | ○ | ○ | ○ | ○ |
| DHCP | ○ | ○ | ○ | × |
| RADIUS | ○ | ○ | ○ | ○ |
| Extended features | | | | |
| Data compression | ○ | ○ | ○ | ○ |
| Concentrator banner message | ○ | ○ | ○ | × |
| Automatic software update | ○ (centrally managed) | ○ (centrally managed) | ○ | ○ |
| Software update notification | ○ | ○ | ○ | × |
| Saved password management | ○ | ○ | ○ | ○ |
| Tunnel default gateway | ○ | ○ | ○ | ○ |
| Clustering/load balancing | ○ | ○ | × | × |
| IPSec to MPLS, 802.1q or PVC mapping | × | × | × | ○ |
| Tunneling methods | | | | |
| Full tunneling/split tunneling | ○ | ○ | ○ | ○ |
| Local LAN access permitted | ○ | ○ | ○ | ○ |
| Ratified IPSec/UDP NAT transparency (including auto-detection and fragmentation avoidance) | ○ | ○ | ○ | ○ |
| Legacy NAT/PAT transparency (UDP) | ○ | ○ | ○ | × |
| TCP-based IPSec (TCP) | ○ | ○ | ○ | × |
| Client personal firewall support | | | | |
| User-managed (always on) | ○ | ○ | ○ | ○ |
| Cisco Security Agent/Sygate/Zone Alarm enforcement (AYT feature) | ○ | ○ | ○ | × |
| Centralized Protection Policy (CPP) | ○ | ○ | ○ | × |
| Zone Labs Integrity | ○ | × | × | × |
Third-party log analysis tools include the following.
Sawmill = http://www.sawmill.net/
fwlogsum (Firewall Log Summariser) = http://www.ginini.com/software/fwlogsum/
fwlogwatch = http://fwlogwatch.inside-security.de/
ManageEngine Firewall Analyzer = http://manageengine.adventnet.com/products/firewall/index.html
On a PIX or ASA, observing syslog IDs 302014 and 302016 confirms that a TCP or UDP connection between two hosts has been torn down. The duration value in the message gives the connection time, and the bytes value gives the amount of data transferred during the connection. For 302014, the reason the TCP connection ended can also be seen.
The default syslog level of IDs 302014 and 302016 is informational.
With the syslog capture level set to warning or above, mainly deny logs such as syslog ID 106023 are observed. Setting it to informational or above additionally shows 302013 (emitted when a TCP connection is built), 302014 (emitted when a TCP connection is torn down), and likewise 302015 (UDP connection built) and 302016 (UDP connection torn down).
Changing the syslog level from warning to informational increases the number of syslog messages emitted, so take care when making the change.
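As an added example (not part of the original posts or any Cisco tool), the parser below applies the reading rule from the 302013/302015 post to the teardown messages discussed here: it correlates Built and Teardown messages by connection ID so that the duration and bytes in 302014/302016 can be attributed to a normalized source and destination. The log lines, addresses, ports and connection IDs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample lines in the ASA 302013-302016 formats (invented addresses,
# ports and connection IDs). Connection 1004 has a Teardown but no Built record,
# as happens when the logging level is raised while a connection is already open.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51234 (198.51.100.7/51234) to dmz:192.0.2.10/443 (192.0.2.10/443)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.1.1.20/40000 (10.1.1.20/40000)
%ASA-6-302015: Built outbound UDP connection 1003 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.1.20/55000 (10.1.1.20/55000)
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51234 to dmz:192.0.2.10/443 duration 0:00:12 bytes 5120 TCP FINs
%ASA-6-302016: Teardown UDP connection 1003 for outside:203.0.113.53/53 to inside:10.1.1.20/55000 duration 0:02:01 bytes 312
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.5/80 to inside:10.1.1.20/40000 duration 1:00:00 bytes 987654 TCP Reset-O
%ASA-6-302016: Teardown UDP connection 1004 for outside:203.0.113.53/53 to inside:10.1.1.21/55001 duration 0:00:05 bytes 200
"""

# 302013 (TCP) / 302015 (UDP): direction, id, "for" side (real and mapped), "to" side.
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<id>\d+) for (?P<for>\S+) \(\S+\) to (?P<to>\S+) \(\S+\)"
)
# 302014 (TCP) / 302016 (UDP): no direction, but duration, bytes and (TCP only) a reason.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<for>\S+) to (?P<to>\S+) duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$"
)


@dataclass
class Connection:
    conn_id: int
    proto: str
    direction: str          # "inbound", "outbound", or "unknown" (teardown only)
    src: str                # "interface:ip/port" of the host that initiated
    dst: str                # "interface:ip/port" of the host that answered
    duration_s: Optional[int] = None
    byte_count: Optional[int] = None   # both directions combined, per the post
    reason: Optional[str] = None


def endpoints(direction: str, for_side: str, to_side: str) -> Tuple[str, str]:
    """The post's reading rule: inbound -> for=source, to=destination;
    outbound -> for=destination, to=source."""
    if direction == "inbound":
        return for_side, to_side
    return to_side, for_side


def parse_duration(text: str) -> int:
    """Convert the h:mm:ss duration field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def correlate(log_text: str) -> Dict[Tuple[str, int], Connection]:
    """Pair Built (302013/302015) with Teardown (302014/302016) by (proto, id)."""
    conns: Dict[Tuple[str, int], Connection] = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            src, dst = endpoints(m["dir"], m["for"], m["to"])
            key = (m["proto"], int(m["id"]))
            conns[key] = Connection(int(m["id"]), m["proto"], m["dir"], src, dst)
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            key = (m["proto"], int(m["id"]))
            c = conns.get(key)
            if c is None:
                # No Built record: 302014/302016 alone does not carry the direction,
                # so keep the raw for/to order and flag the direction as unknown.
                c = Connection(int(m["id"]), m["proto"], "unknown", m["for"], m["to"])
                conns[key] = c
            c.duration_s = parse_duration(m["dur"])
            c.byte_count = int(m["bytes"])
            c.reason = m["reason"]
    return conns


def destinations_by_port(conns: Dict[Tuple[str, int], Connection]) -> Dict[str, int]:
    """Count connections per destination 'interface:ip/port' (known direction only),
    which is the field the post says identifies the application being used."""
    counts: Dict[str, int] = {}
    for c in conns.values():
        if c.direction != "unknown":
            counts[c.dst] = counts.get(c.dst, 0) + 1
    return counts


if __name__ == "__main__":
    for c in correlate(SAMPLE_LOG).values():
        print(f"{c.proto} {c.conn_id} {c.direction:8} {c.src} -> {c.dst} "
              f"{c.duration_s}s {c.byte_count}B {c.reason or ''}")
```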
Excerpted from the release notes: Open Caveats - Version 7.2(2) and Resolved Caveats - Version 7.2(2).
Open Caveats - Version 7.2(2) (Table 2, Software Version 7.2(2))
| DDTS Number | Corrected | Caveat |
|---|---|---|
| CSCsd50888 | No | L2TP: connections fail intermittently -> error 678: There was no answer |
| CSCse88291 | No | ASA crashes with WEBVPN user login when memory is running low. |
| CSCse92565 | No | Traceback in Thread Name: tmatch compile thread after clear config all |
| CSCsf04123 | No | Packet drops through VPN due to No route to VPN_peer_ip_address |
| CSCsf05298 | No | Citrix not supported with CSC module |
| CSCsf13404 | No | PIX cosmetic high memory use in context show memory |
| CSCsf25418 | No | Traceback in Thread Name: tmatch compile after assert |
| CSCsf27202 | No | AAA Radius NAS-Port-Type not sent in authentication request |
| CSCsg03102 | No | Minor correction to vpn-addr-assign command reference documentation |
| CSCsg20953 | No | WebVPN sessions created in the Secure Desktop don't expire |
| CSCsg26668 | No | Undefined CSCO functions in JavaScript-generated HTML |
| CSCsg34853 | No | Traceback with Thread Name: Dispatch Unit |
| CSCsg38186 | No | Traceback in Thread Name: Dispatch Unit |
| CSCsg43591 | No | SCP connection to PIX fails |
| CSCsg46962 | No | WebVPN some functions do not work in javascript |
| CSCsg47023 | No | L2TP Connections with Certificates to ASA Fail to Connect |
| CSCsg47241 | No | Traceback when parsing LDAP config |
| CSCsg48442 | No | Ping through ASA fails when using interface PAT on PPPoE interface |
| CSCsg53120 | No | ASA WebVPN Time-out on Database Requests |
| CSCsg56876 | No | ASA may crash after applying http or IM deep inspection |
| CSCsg60095 | No | VPN traffic permitted by vpn-filter is denied |
| CSCsg61719 | No | SNMP: Coldstart Trap is not sent |
| CSCsg62488 | No | Traceback in Thread Name: Unicorn Proxy Thread |
| CSCsg62878 | No | ocsp signer crl checking with crl none is not falling back to none |
| CSCsg63145 | No | Traceback with Thread Name: PIX Garbage Collector |
| CSCsg64427 | No | Compression: Can't turn off http-comp |
| CSCsg64450 | No | FO: http auth message should be supressed on standby console |
| CSCsg64948 | No | 1550 blocks exhausted during radius authentication stress test |
| CSCsg65434 | No | Multiple ipsec peers : PIX/ASA stops processing the IPSEC peers list |
| CSCsg66126 | No | Large H.323 Registrations Fail through PIX |
| CSCsg67443 | No | ASA Fails Recursive Route Lookup |
| CSCsg67961 | No | L2TP: IKE rekeying prior to IPSec rekey terminates MAC L2TP |
| CSCsg68141 | No | Show run router causes traceback in thread name: ci/console |
| CSCsg69275 | No | 1017-88 byte blocks leaked: _tmatch_summary_func+2877 after vpn sys test |
| CSCsg69281 | No | 3000 - 576 byte blocks leaked: _kernel_delete_sa+39 after vpn sys stress |
| CSCsg69408 | No | Need warning when using time based ACLs with policy NAT/PAT |
| CSCsg69448 | No | Need to update 7.x conf guides, time based ACLs not supported w/nat-pat |
| CSCsg69469 | No | Incorrect user privileges when logging in with ASDM 5.2.1.54 |
| CSCsg69998 | No | tcp intercept not working when the inside host is running windows OS. |
| CSCsg70012 | No | no sysopt noproxyarp c1in failed to remove noproxyarp for interface c1in |
| CSCsg70698 | No | Session timer is not reset during WebVPN ActiveX and Java tunneling |
| CSCsg71369 | No | P1 SA stuck in AM_FREE on secondary for ipsec sessions using net ext mod |
| CSCsg71416 | No | encrypt rules added in wrong order - NEM misconfig causes data issues |
| CSCsg71534 | No | 40 P1 sa's got stuck in MM_Wait_Delete on secondary w/vpn system test |
| CSCsg71579 | No | Programming assertion malloc.c:3822 on secondary after failover from pri |
| CSCsg73076 | No | L2TP/IPSEC to ASA with certificates fails over low speed ISDN |
| CSCsg73376 | No | Traceback in Thread Name: ci/console with large config tftp download |
| CSCsg75094 | No | LDAP: ASA caanot authenticate to Active Directory using MD5 |
| CSCsg75996 | No | Radius authentication with downloadable acls causes crash |
| CSCsg76777 | No | 7.2 transparent / change of behavior : ASA does not retain the src mac |
| CSCsg77097 | No | WebVPN OWA 2003 email.cisco.com inbox fails to load intermittent |
| CSCsg77099 | No | WebVPN Java archives with uncompressed entries fail through rewriter |
| CSCsg77390 | No | AAA: port-to-port static for port 80 and aaa http listener on same ifc |
| CSCsg77841 | No | Cfg Guide: remove flash size match from failover hw criteria |
| CSCsg78524 | No | With WebVPN login we type it once incorrectly and the ASA tries 3 times |
Resolved Caveats - Version 7.2(2) (Table 3, Software Version 7.2(2))
| DDTS Number | Corrected | Caveat |
|---|---|---|
| CSCei33965 | Yes | MPC embryonic timoeout value overwrite global conn timeout |
| CSCek62768 | Yes | crash in Unicorn Proxy Thread with large WebVPN session count in build30 |
| CSCsb54431 | Yes | clear in unpriviledged mode should be removed if not applicable. |
| CSCsb63230 | Yes | Need a command to perform SSM password recovery from the ASA CLI |
| CSCsc01694 | Yes | CRC errors on SSM-4GE Electrical ports on initial bringup |
| CSCsc37965 | Yes | IP-directed broadcasts no longer allowed through device. |
| CSCsc89262 | Yes | Syslog 722007 (WEBVPN_SVC_MSG_EMERG) severity needs to be changed |
| CSCsd13314 | Yes | show service policy flow' command shows incorrect flow match |
| CSCsd40989 | Yes | L2TP: Populate client type/version within session database |
| CSCsd45605 | Yes | 2 routes to same n/w w same metric different ifx should not be allowed |
| CSCsd52578 | Yes | Traceback in thread: snp_timer_thread |
| CSCsd54495 | Yes | Traceback eip _strdup(0xebacac)+0x78 with large customer configuration |
| CSCsd57264 | Yes | MPF: type syntax in help policy-map is missing a ] |
| CSCsd58688 | Yes | SVC connections are not exempt from aaa authentication rules like IPSec |
| CSCsd59295 | Yes | WCCP static bypass not working with vlan interfaces |
| CSCsd59936 | Yes | Registering to the RP for PIM fails if fragmented in more then 12 packs |
| CSCsd60448 | Yes | Proxy-bypass with automatic choice of target server |
| CSCsd64749 | Yes | Failover: automatic removal of SSL trustpoint not replicated to stdby |
| CSCsd67093 | Yes | PPPoE:Vpdn group for PPPoE shouldn't be configurable in Transparent mode |
| CSCsd67160 | Yes | PPPoE:ip address pppoe cmd shouldn't be configurable in multi mode |
| CSCsd70581 | Yes | Crash output to console has incomplete configuration |
| CSCsd71387 | Yes | EzVPN: Tback IKE Daemon (Old pc 0x00507425 ebp 0x0333c6d8) |
| CSCsd74328 | Yes | Traceback when changing sec level on an ifc and failover cfg with NAT |
| CSCsd74551 | Yes | Add NP drop reason documentation for WCCP drops |
| CSCsd81262 | Yes | CA cert with spaces could fail to install |
| CSCsd81294 | Yes | crypto ca import' of SSL cert may traceback in Thread Name: accept/http |
| CSCsd82307 | Yes | FO: CLI position can get out of sync causing cmd replication failures |
| CSCsd82575 | Yes | unexpected IGMP joins sent when configuring multicast routing |
| CSCsd84011 | Yes | REGEX: ^ (match from beginning of text) does not work in some cases |
| CSCsd88471 | Yes | VPNLB SVC uses virtual cluster certificate after redirecting to a master |
| CSCsd91587 | Yes | functioning email proxy session generates syslog message error |
| CSCsd93380 | Yes | Packets for VPN-l2l peer get dropped instead of encrypted |
| CSCsd94372 | Yes | dhcp proxy: no RELEASE sent after failover and disconnect of vpn client |
| CSCse00996 | Yes | tcp normalizer drop to-the-box traffic not conforming to RFC793 (MSS) |
| CSCse01293 | Yes | Traceback in Thread Name: arp_forward_thread |
| CSCse02354 | Yes | Traceback in Thread Name: Dispatch Unit |
| CSCse03176 | Yes | Problem of group-name used in 'sasl-mechanism kerberos group-name' |
| CSCse05819 | Yes | PIX: 33MHz GIG cards show speed/duplex unknown if nonegotiate configured |
| CSCse07242 | Yes | Traceback in pix_flash_config_thread |
| CSCse08726 | Yes | LDAP group-based policy Enforcement shouldn't require Cisco schema |
| CSCse08746 | Yes | ASA send Radius attribute 31 source IP address as 0.0.0.0 |
| CSCse09458 | Yes | RadiusSDI feature of VPN Client fails with blank XAUTH text |
| CSCse09503 | Yes | Syslog 304001 not generated when strict-http action allow log configured |
| CSCse10096 | Yes | i2c_write_byte_w_suspend() error after rebooting ASA5505 |
| CSCse10714 | Yes | Shun behavior change in 7.x |
| CSCse12021 | Yes | Error msg change when attempt auth-srvr-group None in ipsec tunn-grp |
| CSCse13544 | Yes | Increase in memory usage after enabling-disabling webvpn |
| CSCse14296 | Yes | Trustpoint not found if ASA not enrolled with the trustpoint |
| CSCse15854 | Yes | clear config webvpn only partially clean-up proxy-bypass... |
| CSCse15977 | Yes | Traceback when two admin sessions are working on the same capture |
| CSCse17176 | Yes | SUA policy is unspecified -WEB login requires user to authenticate twice |
| CSCse17638 | Yes | IM: Misc CLI issues |
| CSCse17660 | Yes | Incorrect LDAP debug error when incorrect RDN configured |
| CSCse18005 | Yes | PIX/ASA originate-only VPN fails to create dynamic ACL |
| CSCse19020 | Yes | PPTP Pass-through not working due to inspection |
| CSCse20501 | Yes | Passive FTP to Multinet server fails |
| CSCse20538 | Yes | IKE Syslogs 713041 713042 should specify interface name |
| CSCse21451 | Yes | Memory leak in VPN fover module during failover config syncing |
| CSCse22330 | Yes | Traceback in Thread Name: Dispatch Unit |
| CSCse22332 | Yes | Failed to deploy config when first line in config contain ! character |
| CSCse22659 | Yes | CIFS server names limited to 15 characters |
| CSCse22668 | Yes | CIFS should use DNS lookups for long server names |
| CSCse23164 | Yes | traceback in thread Name: qos_metric_daemon |
| CSCse23165 | Yes | Message sent to client when aaa authorization fails has changed |
| CSCse23554 | Yes | Memory leak within event_smtpmgr:es_SmtpSndMSG function |
| CSCse23751 | Yes | Nested tracebacks may not stop without manual device reload |
| CSCse24432 | Yes | DHCPRelay: Some clients may not get NACKs |
| CSCse24537 | Yes | RIP: [no] access-list defined in distribute-list should display err msg |
| CSCse24921 | Yes | debug icmp does not show request packet being sent |
| CSCse25515 | Yes | FO: dhcpd warnings seen on standby during replication of config |
| CSCse26317 | Yes | inspect radius-acct: show user with IP cuasing err msg w/ multiple pmaps |
| CSCse26469 | Yes | Cannot store more than one vpdn username/password pairs locally |
| CSCse27184 | Yes | basic attribute is not checked in all mode config attributes, may reload |
| CSCse27249 | Yes | FO: interface monitoring not working on most recent created interface |
| CSCse27787 | Yes | AIC SIP: SIP messages might fail state-check knob when record-route on |
| CSCse28430 | Yes | MS AD-LDAP: set default RDN-Naming Attribute to be sAMAccountName |
| CSCse28540 | Yes | LDAP admin bind: support secure SASL-MD5 and SASL-Kerberos methods |
| CSCse29700 | Yes | WebVPN and SVC Sessions being disconnected due to Idle Timeouts 40+Days. |
| CSCse29840 | Yes | AdmissionConfirm received without an AdmissionRequest, ACF dropped |
| CSCse30049 | Yes | SSH conns to the box not removed after a Failover |
| CSCse30061 | Yes | VPN decompress error when decrypting packet with IP compression |
| CSCse30102 | Yes | VPN dynamic ACL can be deleted from the CLI |
| CSCse30616 | Yes | ASA VPN load balancing cannot ping cluster ip address |
| CSCse32309 | Yes | Timeout of secondary flow causes traceback in Thread Name: Checkheaps |
| CSCse33143 | Yes | Dynamic ACL created under with command access-list <name> d ... |
| CSCse33211 | Yes | aaa http authentication doesnt work when interface IP is named |
| CSCse33736 | Yes | DoD Certs:Subject Alternative Name support for VPN Author for IPSec RA |
| CSCse33851 | Yes | H.225 releasecomplete message was dropped by the firewall |
| CSCse33986 | Yes | Small memory leak when tunnel denied due to unavailable Integrity Server |
| CSCse34179 | Yes | MFW-R: traceback in 'clear cfg all' during a performance test. |
| CSCse34477 | Yes | ESMTP: mail-relay param w/o any action accepted, junk chars in sho run |
| CSCse34508 | Yes | ESMTP: help mail-relay display needs changes |
| CSCse34540 | Yes | telnet and http(asdm) conns are not removed after failover |
| CSCse35370 | Yes | AIC SIP: should not allow overwrite inspect sip <pmap> @ default class |
| CSCse35566 | Yes | Traceback with 'Thread Name: Dispatch Unit' on clear xlate |
| CSCse35610 | Yes | traceback in ci/console after editing group-p CLI sitting at more prompt |
| CSCse35636 | Yes | RTP Conformance print SSRC re-initializing message for bad SSRC Packet |
| CSCse36112 | Yes | PIX/ASA never processes huge access-list if it runs short of memory |
| CSCse36519 | Yes | IM: MSN code improvement to reduce the risk of false positives |
| CSCse36691 | Yes | Traceback on 'cl conf all' with delay-free-poisoner enabled |
| CSCse37315 | Yes | AIC DNS - Traceback after removing certain MPF actions with DNS traffic |
| CSCse37733 | Yes | ASA Crash with nat ID as 0 |
| CSCse37787 | Yes | Traceback after becoming Active with VPN connections |
| CSCse38062 | Yes | ICA Client users cannot connect to Citrix through WebVPN |
| CSCse38087 | Yes | Kerberos authentication fails after during stress test in multiple-mode |
| CSCse38659 | Yes | unexpected IGMP rejoins when joins previously cfg'd and mcast re-enabled |
| CSCse39344 | Yes | AD UserAccountControl attrib not enforced if using LDAP Authorization |
| CSCse40332 | Yes | ASA multiple mode rollback of config failed for admin and other VC |
| CSCse40671 | Yes | RTSP w/PAT, PIX set client_ports to NULL |
| CSCse40704 | Yes | Lock IMB boot code |
| CSCse41071 | Yes | ldap-login-password not hidden in config |
| CSCse41663 | Yes | WebVPN using SDI Auth - New PIN mode does not work - IPSec OK |
| CSCse42014 | Yes | Java applets archive mangling fails when the codebase is a full url |
| CSCse42332 | Yes | ASA5505: PORT up/down stat is not reflected in show stat + more |
| CSCse42413 | Yes | Traceback after WebVPN authentication with FreeRadius |
| CSCse43078 | Yes | WebVPN: links at www.microsoft.com <outbind://111/www.microsoft.com> fail to work |
| CSCse43152 | Yes | WebVPN/SVC Radius Passwd-Mngt fails when using domain\username format |
| CSCse43611 | Yes | Flash: Wr mem running-config to flash has some issues |
| CSCse43807 | Yes | webvpn url entry with embedded user:Passwd fails with URl is invalid |
| CSCse44138 | Yes | WebVPN Citrix ICA connection losing connectivity due to client_tx_q_full |
| CSCse44258 | Yes | Modifying vpn-filter acl blocks normal traffic from inside to outside |
| CSCse45308 | Yes | Static nailed rule does not match conn destined for that address |
| CSCse45327 | Yes | VPN stateful failover gets out of sync |
| CSCse45694 | Yes | Standby: Traceback in Thread Name: IKE Daemon with dACL |
| CSCse45948 | Yes | write memory all did not report failure for failing to save config |
| CSCse45971 | Yes | Calling-Station-ID passed to radius as 0.0.0.0 for webvpn with pw mgmt |
| CSCse46220 | Yes | ASA: Poor Performance and Out-of-Order packets with SSM module enabled |
| CSCse46292 | Yes | Traceback in Thread Name: snmp |
| CSCse46874 | Yes | Enhancement: per-interface authorization for IPSec connections |
| CSCse47150 | Yes | Traceback in Thread Name: Dispatch Unit with ESMTP Inspect enabled |
| CSCse47328 | Yes | Fix RM flow drop reason #defines |
| CSCse47400 | Yes | WebVPN: Unable to Authenticate using DoD Certificate |
| CSCse48146 | Yes | AIC SIP: fails to match request method <unknown> in inspect SIP pmap |
| CSCse48193 | Yes | ASA vulnerable to cross-site scripting when using WebVPN |
| CSCse49450 | Yes | AAA - dACL and Cisco-AV-Pair ACLs are only applied to the 1st SVC user |
| CSCse49851 | Yes | 7.2 5510 security plus license should support only 2 contexts by default |
| CSCse50716 | Yes | URL Filtering: Traceback with Thread Name: Dispatch Unit |
| CSCse50772 | Yes | L2TP/IPSec: MS-Clients unable to connect when ASA is behind a NAT device |
| CSCse50782 | Yes | DNS-based LDAP Authentication/Authorization fails |
| CSCse50804 | Yes | OSPF stuck in EXCHANGE in certain assymetric routing scenarios |
| CSCse52050 | Yes | Very large ACL applied to NAT or Crypto may traceback in Checkheaps |
| CSCse53294 | Yes | Configuration begin syslog 111007 shows wrong local ip address with ssh |
| CSCse53987 | Yes | vPif_getVpif: bad vPifNum' errors with cut-through proxy enabled |
| CSCse54543 | Yes | ASA cosmetic high memory use in context show memory |
| CSCse54582 | Yes | AAA: Traceback in Thread Name: Dispatch Unit with Radius auth |
| CSCse54749 | Yes | 210007 LU allocate xlate failed syslog generated by overlapping nat cfg |
| CSCse55066 | Yes | VPN: orignate-only VPN fails after failover |
| CSCse55931 | Yes | 1550 byte block depletion prohibits websense communication |
| CSCse57386 | Yes | 5505: EZVPN Remote: DPD timeout is 5 minutes,should be 90 sec |
| CSCse57889 | Yes | Execute certain fover cmds trigger interface testing |
| CSCse58602 | Yes | SVC fails to establish if Cisco-AV-Pair contain both ip and webvpn ACEs |
| CSCse59113 | Yes | 5510 base license should not limit 4ge card |
| CSCse59498 | Yes | WebVPN: Citrix traffic may cause Traceback in Thread Name: Dispatch Unit |
| CSCse59955 | Yes | Rommon in ASA5505 main card would reset ASA-SSC-10 card. |
| CSCse61225 | Yes | Support daylight savings changes in Energy Policy Act of 2005 |
| CSCse61315 | Yes | SSMIO-4GE SFP interfaces G1/1 - G1/3 don't operate |
| CSCse61696 | Yes | HTTP server enable doesn't take Port number change in Multiple-router mo |
| CSCse62603 | Yes | alias command does not work |
| CSCse62914 | Yes | Standby device Traceback in Thread Name: tcp_thread |
| CSCse63079 | Yes | cpu hog in ssh_init process when connecting via SSH |
| CSCse63596 | Yes | inspect RSH fails when 1st segment contains more than just port |
| CSCse65000 | Yes | WebVPN: Cisco Call Manager is failing thru rewriter |
| CSCse66007 | Yes | AAA commands not working for serial console in multi context mode |
| CSCse66133 | Yes | Traceback in Thread Name: ssh when ACLs are displayed in SSH or ASDM |
| CSCse66235 | Yes | Memory exhausts with logging flash-bufferwrap and high syslog level |
| CSCse66442 | Yes | cut-thru proxy: 'Authentication not required' returned on browse to pix |
| CSCse66490 | Yes | Traceback with 'Thread Name: accept/http' after editing time-based ACLs |
| CSCse67584 | Yes | ldap attr map CLI renders console/session unusable in multi mode |
| CSCse67916 | Yes | Potential memory leakages in webvpn_ica_socks.c with ASA internal errors |
| CSCse68781 | Yes | Traceback in Thread Name: emweb/https when starting to load WebVPN |
| CSCse70163 | Yes | 5505/SSC I2C lock up in Rommon. |
| CSCse70181 | Yes | WebVPN: Traceback when using 'debug webvpn citrix 10' |
| CSCse70993 | Yes | Traceback when applying large ACL to NAT or Crypto Map |
| CSCse71146 | Yes | IPSec RA clients with large dACL may cause Traceback in Thread Name:aaa |
| CSCse73812 | Yes | Traceback in Thread Name: Dispatch Unit when L2L VPN Initiator |
| CSCse74097 | Yes | Mac-exempt: mac spoofing does not generate the expected syslog |
| CSCse74391 | Yes | WebVPN not using custom text color for some dialogs |
| CSCse74778 | Yes | Traceback in Thread Name: IP Thread with PPPoE enabled |
| CSCse74838 | Yes | WebVPN: DSF Referral messages missing on distributed Servers over WebVPN |
| CSCse75485 | Yes | Traceback in Thread Name: fover_parse during config sync |
| CSCse75523 | Yes | Received ARP request collision when issuing write standby |
| CSCse76085 | Yes | WebVPN: OWA: file download with size>100KB stops |
| CSCse76095 | Yes | Traceback in Thread Name: Checkheaps when starting WebVPN |
| CSCse76115 | Yes | Cascade delimiter not inserted with correct priority for dynamic crypto. |
| CSCse76150 | Yes | No TACACS+ authorization request sent for show run command |
| CSCse76171 | Yes | ASA reverse bytes order of DHCP scope when using SVC |
| CSCse76480 | Yes | 4 byte block allocation lacks the padding |
| CSCse77122 | Yes | FTP-data connection not replicated back to primary after failover |
| CSCse77261 | Yes | Traceback in Thread Name: MFIB with pim mcast routing |
| CSCse77680 | Yes | P2 in progress test broken - could cause unexpected rekey. |
| CSCse77855 | Yes | buffer leak upon IPSEC spoofing. |
| CSCse77943 | Yes | Failover: Primary takes over as Active after reload |
| CSCse78065 | Yes | # sign in config not replicated to Standby unit |
| CSCse78228 | Yes | 7.2.1 Crash in snp_tcp_ha_flow_belongs_to_active_context |
| CSCse78299 | Yes | Primary/Secondary units become Active state when failover link failed |
| CSCse78755 | Yes | Traceback in Thread Name: Dispatch Unit when starting DPD timer for SVC |
| CSCse78779 | Yes | Standby become active after fo link failed with fover hold time > 15 sec |
| CSCse79422 | Yes | RA VPN Phase 2 fails when local pool with classless mask is used |
| CSCse80001 | Yes | Traceback in IKE daemon while trying to post event (syslog) |
| CSCse80897 | Yes | AAA: User-Password and EAP-Proxy should not be in same RADIUS request |
| CSCse81073 | Yes | WebVPN: Traceback with Thread Name: emweb/https |
| CSCse81232 | Yes | Failover pair loses failover state configuration after upgrade to 7.2.1 |
| CSCse81273 | Yes | Traceback 'Thread Name: Dispatch Unit' with PPPOE and SSM-CSC |
| CSCse81330 | Yes | Strict HTTP inspection ignores '304 Not Modified' -syslog message 415014 |
| CSCse81633 | Yes | ASA 4GE-SSM Gig ports silently drop IGMP joins |
| CSCse81656 | Yes | LDAP CLI is not displaying quotes when parameters contain spaces |
| CSCse82262 | Yes | No specific error message while uploading a file via HTTPS |
| CSCse82743 | Yes | Java applet fails to load through WebVPN |
| CSCse83515 | Yes | ASA-5550 reports incorrect amount of RAM in show version output |
| CSCse83905 | Yes | dhcprelay stops working if FW interface ip address is modified |
| CSCse85490 | Yes | SSC Rommon resets 5505 switch ports. |
| CSCse86877 | Yes | WebVPN: DNS resolving Port Forwarding hostname entries when it shouldn't |
| CSCse86968 | Yes | Standby unit sends accounting records for replicated DACL commands |
| CSCse88572 | Yes | SIP: Does not parse the compact form of Call-ID |
| CSCse88632 | Yes | WebVPN: Kronos Applet doesn't launch |
| CSCse88873 | Yes | IPV6: TCP SYN-ACK with layer 2 padding dropped |
| CSCse89013 | Yes | debug radius decode does not show all attributes in Radius requests |
| CSCse89471 | Yes | WebVPN: RDP client VBScript function not recognized correctly |
| CSCse90732 | Yes | copy command prevents copying old asdm to tftp |
| CSCse90796 | Yes | ASA with PPPOE crashes in IP Thread |
| CSCse90864 | Yes | 3DES license is not accepted in 7.2 |
| CSCse90886 | Yes | MacOS VPN Client does not pass traffic with client-update feature on Asa |
| CSCse91039 | Yes | WebVPN: SSL Cert Request from ASA should include all trusted issuer DN's |
| CSCse91930 | Yes | Traceback when using packet tracer with multiple ACL rules |
| CSCse92016 | Yes | WebVPN: Refresh URL in http header not mangled - port CSCse00556 to asa |
| CSCse94012 | Yes | VPN: wrong event generated when concurrent IKE negotiation max exceeded |
| CSCse94158 | Yes | FIPS: Add CRNG callback for new RNGs added since 7.0.4 |
| CSCse94162 | Yes | FIPS: Porting damage in content-mangling code |
| CSCse94241 | Yes | Traceback: Thread Name:vpnlb_thread when taking over as failover active |
| CSCse95357 | Yes | WebVPN: reply/forward action of OWA2000 does not attach message |
| CSCse95408 | Yes | Go button shows in pages opened from homepage with url entry disabled |
| CSCse95437 | Yes | Capture: Circular buffer stops capture when buffer full |
| CSCse96289 | Yes | VPN: Traceback with Thread Name: Dispatch Unit |
| CSCse96559 | Yes | vpn-filter does not work when used with IOS ESVPN client |
| CSCse98397 | Yes | EAP state engine triggers retransmission and corrupts EAP session |
| CSCse98516 | Yes | Webpvn: special character '?' cannot be configure in url-list |
| CSCse98719 | Yes | Connection fails with the CA cert of 4096 bits fails with Error #72eh |
| CSCse98959 | Yes | Static Analysis: Add options to make sa for changelist |
| CSCse99033 | Yes | tracked route removed from Standby firewall after failover |
| CSCse99107 | Yes | webvpn/ssl - flow control issues transferring large OWA attachments |
| CSCse99257 | Yes | WebVPN: ActiveX port-forwarder problem |
| CSCse99783 | Yes | DHCP Relay fails when static specified |
| CSCsf00368 | Yes | Crashinfo file may incorrectly show 0% free memory |
| CSCsf01451 | Yes | Inspect IM breaks websense |
| CSCsf02102 | Yes | SIP, show conn after phone registration has wrong information displayed |
| CSCsf02349 | Yes | Traceback in ThreadName: ci/console when add certificate in wrong format |
| CSCsf04271 | Yes | WebVPN connections fail after reload with self signed certs |
| CSCsf05931 | Yes | AAA: group-lock does not handle tunnel-group names with spaces |
| CSCsf07036 | Yes | ASA hangs during initialization after 4GE card is shutdown |
| CSCsf08950 | Yes | AAA: Memory leak with ACL in cut-through-proxy |
| CSCsf09795 | Yes | Using SecureID to auth users may cause high CPU |
| CSCsf10185 | Yes | ASA should allow 255.255.255.255 mask on PPPoE interface |
| CSCsf10248 | Yes | Unable to pass traffic from one context to other through shared int |
| CSCsf10663 | Yes | High CPU / System locks up when adding a network object entry |
| CSCsf10973 | Yes | SSM-4GE I/O card hangs after backplane GPIO power off |
| CSCsf11095 | Yes | show conn display problems for secondary conns with static network |
| CSCsf11672 | Yes | SMTP Inspection with multiple line response fails |
| CSCsf12352 | Yes | Remove unwanted console messages related 4GE SSM |
| CSCsf12436 | Yes | show version on 5505 display cpu as Pentium |
| CSCsf13906 | Yes | ASA may hang during boot |
| CSCsf14075 | Yes | WebVPN: OWA 2007 does not send response/forward |
| CSCsf14370 | Yes | cut-through authentication redirects port, causing connectivity issues |
| CSCsf15361 | Yes | L2TP: disconnects thru PAT/ DSL topology |
| CSCsf15525 | Yes | L2TP: Failure to connect within 120 seconds of initial disconnect |
| CSCsf16622 | Yes | Firewall should log syslog when IGMP report denied by IGMP ACL |
| CSCsf16633 | Yes | ASA - OSPF over VPN tunnel not working correctly |
| CSCsf17256 | Yes | ASA 7.2.1 crash with thread emweb/cifs from snp_tcp_intercept_cb() |
| CSCsf18590 | Yes | show failover not show stateful vlan link failed in link failed scenario |
| CSCsf18739 | Yes | OWA2003 gives an error when used with Webvpn |
| CSCsf19244 | Yes | Traceback in Thread Name: pix_flash_config_thread with vpdn config |
| CSCsf20095 | Yes | ASA5505: Potential issue - GE controller may get stuck at transmit |
| CSCsf20856 | Yes | ASA should return FQDN on HTTP authentication (Socks) |
| CSCsf21159 | Yes | CRL checking fails when using Entrust CA on ASA |
| CSCsf21253 | Yes | Linux VPN Client does not pass traffic when client-update is enabled |
| CSCsf21488 | Yes | vpnfo client timeout causes standby to reload due to failover reset |
| CSCsf21675 | Yes | Change the password reset command string for CSC SSM |
| CSCsf21882 | Yes | Traceback in Thread: Dispatch Unit with QOS police configuration |
| CSCsf21932 | Yes | packet-tracer does not show access-list and object-group information |
| CSCsf22694 | Yes | ESMTP connection not terminated with malformed mail from address |
| CSCsf23145 | Yes | Unable to complete large uploads through VPN if packet loss occurs |
| CSCsf23672 | Yes | Traceback in garbage collector with SIP inspection configured |
| CSCsf24173 | Yes | IPv6: Fixup FTP is not working with IPv6 |
| CSCsf24272 | Yes | IPv6: ACL corruption with service object-group |
| CSCsf24409 | Yes | User lockout functionality for telnet to box not working in multimode |
| CSCsf24901 | Yes | WebVPN returns a blank page with error HTTP/1.1 302 Moved Temporarily |
| CSCsf25601 | Yes | OWA2003 SP2 with hotfix Support Required |
| CSCsf25691 | Yes | Authentication not happening with Openldap server |
| CSCsf25963 | Yes | WebVPN OWA 2003 404 error while inbox is loading Premium Client |
| CSCsf28690 | Yes | L2TP/IPsec ASA rejects clients certificate |
| CSCsf29064 | Yes | Management SSH Connections denied - waiting on AAA srv reply |
| CSCsf29437 | Yes | Output for show failover state command needs improvement |
| CSCsf30454 | Yes | Crash in fover_parse due to SNMP during failover replication |
| CSCsf31731 | Yes | First IPv6 connection to the box fails, subsequent connections pass |
| CSCsf31767 | Yes | comma cannot be used in Subject DN in certificate parameters of ASA |
| CSCsf32319 | Yes | Unable to pass traffic between contexts using unique MACs |
| CSCsf96488 | Yes | Need stack trace capability to identify the session disconnection flow |
| CSCsf97902 | Yes | HTTP Inspect regex match of Request header will not match Header-Type |
| CSCsf98271 | Yes | traceback in dns_cache_timer or dns_process using clientless browsing |
| CSCsf98572 | Yes | Webvpn prompt for SecureID pin shows in clear text |
| CSCsf98804 | Yes | Wrong TCP sequence numbers in ICMP Unreachable when sent through ASA |
| CSCsf99289 | Yes | Traceback in Thread Name: aaa |
| CSCsf99335 | Yes | Traceback in Thread Name: IKE Daemon and Checkheaps memory corruption |
| CSCsf99833 | Yes | Traceback in fover_FSM_thread w/deb fover switch and stateful link down |
| CSCsf99945 | Yes | Remove FWSM specific 'show pc ....' cli |
| CSCsg00066 | Yes | Traceback in accept/http with ASDM 'clear configure crypto dynamic-map' |
| CSCsg00748 | Yes | Clear window-scale sack option in non-syn packets instead of dropping it |
| CSCsg00914 | Yes | OSPF neighbors don't form due to corrupted arp entry |
| CSCsg01099 | Yes | ASA: Files on flash show incorrect date when looked using a Windows PC |
| CSCsg03411 | Yes | WebVPN CIFS file delete when client try to rename |
| CSCsg04083 | Yes | TG cookie is not properly set before redirection to CSD installation |
| CSCsg04324 | Yes | VPN: high cpu usage with DHCP assigned IP addresses |
| CSCsg05160 | Yes | name command doesn't accept 128.0.0.0 and 192.0.0.0 as a network |
| CSCsg05422 | Yes | WebVPN OWA2003:page not displayed properly when the address book is used |
| CSCsg05519 | Yes | Port 443 is not available for IPSEC over TCP |
| CSCsg05587 | Yes | access-lists not downloaded from aaa server in some cases |
| CSCsg07077 | Yes | server-side DPD never sent out - connection dropped |
| CSCsg07425 | Yes | Need to update OpenSSL to 0.9.7k |
| CSCsg07720 | Yes | VPN Session DB: Potential stale point access in SESS_ACTIVE_REC |
| CSCsg08629 | Yes | webvpn customization title..help for style and text reversed |
| CSCsg08725 | Yes | Traceback: Thread Name: Dispatch Unit when timeout TCP keepalive message |
| CSCsg08799 | Yes | Traceback in Dispatch Unit and assertion flow->vpn_handle == NULL |
| CSCsg08833 | Yes | CSC may failover with syslog 323006 when 'dir disk1:/' executed |
| CSCsg09045 | Yes | URL redirect not working |
| CSCsg10386 | Yes | Webvpn not using custom text color for conection error dialog |
| CSCsg10605 | Yes | ASA: TCP normalizer spoofs an ACK with all zeroes src MAC address |
| CSCsg10950 | Yes | SIP registration using Camelot fails with inspect enabled |
| CSCsg11701 | Yes | WebVPN: Java Security exception: SHA1 digest error-> Java applet |
| CSCsg11706 | Yes | Unable to reconnect ssl/vpn when DPD keepalive expires |
| CSCsg11817 | Yes | Disable Back button in denied access page |
| CSCsg11957 | Yes | CSC cutting link speed by 60%, and download speeds are very slow. |
| CSCsg13717 | Yes | snmpwalk on CISCO-IPSEC-FLOW-MONITOR-MIB returns OIDs out of order |
| CSCsg14238 | Yes | Remove invalid commands from 5505 interface configuration |
| CSCsg14743 | Yes | TCP connections through L2TP/IPSEC not routable with route...tunneled |
| CSCsg15224 | Yes | WebVPN: Java applet fails to load |
| CSCsg16888 | Yes | VPNLB: HTTP to HTTPS redirect does not work after re-enabling |
| CSCsg17150 | Yes | Traceback in Thread Name: Dispatch Unit with Large Multicast Packets |
| CSCsg17709 | Yes | Inspect information not displayed in packet-tracer output |
| CSCsg17712 | Yes | AAA: Auth-Proxy session expired when using multiple connections |
| CSCsg18637 | Yes | Unable to telnet to more than one IPv6 addr on interface |
| CSCsg20027 | Yes | LDAP msRadiusFramedIPAddress doesn't assign IP in 7.2.x, OK in 7.1.x |
| CSCsg20301 | Yes | Originate-Only/Answer-Only data being dropped |
| CSCsg20773 | Yes | FIPS self test failure on new image upgrade |
| CSCsg21230 | Yes | EASTERN is hardcoded as SMTP date timezone |
| CSCsg21242 | Yes | ASA: Outbound ESP blocked by VPN-Filter when using Originate-Only |
| CSCsg21515 | Yes | Traceback in Thread Name: Dispatch Unit when enabling Webvpn |
| CSCsg21527 | Yes | FOVER: Traceback in Thread Name: fover_FSM_thread when booting up |
| CSCsg23113 | Yes | WebVPN: java.lang.ClassFormatError: Truncated class file |
| CSCsg23233 | Yes | VPN: 'show isa sa' may cause traceback in Thread Name: telnet/ci |
| CSCsg23270 | Yes | Traceback in Thread Name: telnet/ci with 'show local | grep 1.1.1.1\' |
| CSCsg23473 | Yes | ASA 7.0 ssh process vulnerable to CRC32 compensation DOS attack |
| CSCsg24602 | Yes | Malformed LDAP AD debug message |
| CSCsg25616 | Yes | ASA put PATed src port in ICMP (type3, code4) |
| CSCsg27124 | Yes | PIX 7.x does not allow RST pkt to pass from srv to client after failover |
| CSCsg27173 | Yes | WebVPN: Linux/Mac Location Criteria fails when Home Page is Configured |
| CSCsg27896 | Yes | SDI Cross-Realm authentication does not work |
| CSCsg29839 | Yes | Reply/Forward does not work with Domino Web Access and WEBVPN |
| CSCsg29988 | Yes | WebVPN: Java - java.lang.ClassNotFoundException: vminitializer.VMinitial |
| CSCsg30214 | Yes | ISAKMP threshold value in primary and secondary not the same |
| CSCsg30885 | Yes | Traceback: Thread Name: emweb/https and assert count <= payload failed |
| CSCsg31458 | Yes | PKI: cannot enter url with more than one '?' |
| CSCsg31633 | Yes | no ipsec-udp-port gives error type return through HTTPS |
| CSCsg31948 | Yes | Trace back in Thread Name: snmp (Old pc 0x009fa5a0 ebp 0x0202cfcc) |
| CSCsg31956 | Yes | VPN: Traceback in Thread Name: IKE Daemon |
| CSCsg32519 | Yes | Traceback in Thread Name: RIP Router |
| CSCsg34819 | Yes | Traceback in ssh thread after ssh timeout expires |
| CSCsg35215 | Yes | Syslog server down causes ICMP flood if ICMP is denied at interface |
| CSCsg35721 | Yes | Traceback in Thread Name: netfs_thread_init when auth with Kerberos |
| CSCsg35747 | Yes | ERROR: Failed to find ldap context after clear config all entered |
| CSCsg39502 | Yes | ASA 7.0.6 Traceback in tmatch compile |
| CSCsg39762 | Yes | 5510 show ver missleadingly indicates backplane FE as Not license |
| CSCsg40572 | Yes | Traceback in Thread Name: IKE Daemon |
| CSCsg40894 | Yes | ASA s/w crash due to memory mem_get_owner |
| CSCsg41593 | Yes | If 2 DHCP servers for VPN clients, failover for DHCP not successful |
| CSCsg43075 | Yes | VPN external group-policy timeout can cause various issues |
| CSCsg43077 | Yes | L2TP_IPSEC - VPN filters in group-policy matches udp 1701 l2tp traffic |
| CSCsg43384 | Yes | L2TP/IPSec - User filters configured using vpn-filter attr not applied |
| CSCsg43844 | Yes | In failover pair standby ASA used memory is higher than in active |
| CSCsg44868 | Yes | Same user in ACS and LOCAL database of aaa authorization causes error |
| CSCsg44875 | Yes | TACACS+ accounting records do not include port number |
| CSCsg46536 | Yes | alSslStatsActiveSessions from ALTIGA-SSL-STATS-MIB returns bad values |
| CSCsg48691 | Yes | WebVPN: Java applets failing thru the rewriter |
| CSCsg48881 | Yes | MCAST: improve direct connect multicast performance |
| CSCsg48997 | Yes | RST-ACK sent by service resetoutbound uses wrong sequence number |
| CSCsg49205 | Yes | Re-writing of SIP on-hold invite fails without a translation for 0.0.0.0 |
| CSCsg49473 | Yes | The url-server stats contain counter discrepancies |
| CSCsg49497 | Yes | Do not trust Content-Type when forcing no-cache |
| CSCsg49825 | Yes | Traceback at snp_fp_frag_v4 (Old pc 0x00218bc7 ebp 0x01853738) |
| CSCsg50453 | Yes | LDAP Authent setup crashing ASA ldap_client:ldap_client_scope_get+177 |
| CSCsg50757 | Yes | Memory corruption of dispatch_ctxt_t in checkheaps |
| CSCsg51932 | Yes | ISAKMP Phase 2 failure when NAT with NAT-T |
| CSCsg52108 | Yes | The uauth timeout is not enforced via TACACS+ |
| CSCsg52277 | Yes | Certain SMTP messages cannot be sent through ASA with 'inspect esmtp' on |
| CSCsg52606 | Yes | RSA signature forgery vulnerability in SSL code |
| CSCsg52749 | Yes | AAA:realm string has a unique session-id suffixed to it |
| CSCsg53569 | Yes | PIX-ASA: state-checking not compliant to H225 standards |
| CSCsg58837 | Yes | ASA crash in Dispatch Unit during configuration replication |
| CSCsg60257 | Yes | SIP inspect leading to unexpected Deny with no connection impacting BHCC |
| CSCsg62775 | Yes | RAS seeing incorrect H.323 state transition RCF-> GRQ |
| CSCsg63037 | Yes | Command rejected for single digit vlan number |
| CSCsg63297 | Yes | CPU hog when update large object group in policy nat |
| CSCsg64280 | Yes | FO: crypto ca cert map not replicated until after trustpoint match cmd |
| CSCsg64743 | Yes | VPN: Ambiguity with isakmp keepalive command |
| CSCsg65794 | Yes | WebVPN OWA 2003 Cannot save large files to disk with Save Target as... |
| CSCsg67322 | Yes | WebVPN: DFS Failure to open folders on a W2K server |
| CSCsg68430 | Yes | The clear arp <int> option is missing from 7.2 docs and help |
| CSCsg69270 | Yes | 717 - 72 byte blocks of mem leaked: _ber_memalloc_x+66 after vpn sys tst |
| CSCsg70099 | Yes | FIPS: PRNG not used for async/no_pend rand requests |
| CSCsg71008 | Yes | AAA: Kerberos cut-thru proxy auth doesnt work in more than one context |
| CSCsg71789 | Yes | FO:SVC DL ACL's are incorrect after failover to stdby- uses no/wrong ACL |
| CSCsg73147 | Yes | ASA crashes on codenomicon TLS suite |
| CSCsg76664 | Yes | System out-of-block with 2700 active WebVPN sessions |
| CSCsg77799 | Yes | ASA not forwarding multicast traffic with bidirectional RP |
For v7.2, this is the first version upgrade in about six months.
Below are excerpts of the New Features and Important Notes from the release notes.
New Features
This section lists the new features for Version 7.2(2). All new features are supported in ASDM 5.2(2).
Password Reset
Version 7.2(2) adds a new command, the hw-module module <slot#> password-reset command, to reset the password on the AIP-SSM and CSC-SSM modules. It resets the password of user 'cisco' back to the default value 'cisco'.
HTTP(S) Authentication Challenge Flexible Configuration
In Version 7.2(2), the adaptive security appliance authenticates HTTP network connections using basic HTTP authentication and authenticates HTTPS connections by generating similar custom login windows. This is the same exact behavior that was present in Version 7.1 and prior. You can use basic HTTP authentication if:
• You do not want the adaptive security appliance to open listening ports
• You use NAT on a router and you do not want to create a translation rule for the web page served by the adaptive security appliance
• Basic HTTP authentication might work better with your network. For example, non-browser applications, like when a URL is embedded in email, might be more compatible with basic authentication.
The new aaa authentication listener command enables the adaptive security appliance to authenticate web pages and select the form based redirection approach that is currently used in Version 7.2(1). In the absence of this new command, the Version 7.1 authentication method is used.
By default the aaa authentication listener command is not present in the configuration, making Version 7.1 aaa behavior the default for 7.2(2). However, when a Version 7.2(1) configuration is upgraded to Version 7.2(2), the appropriate aaa authentication listener commands are added to the configuration so that the aaa behavior will not be changed by the upgrade.
Note: In Versions 7.1 and prior, the adaptive security appliance authenticated HTTP and HTTPS network connections by interacting with the client in a transparent manner, by using basic authentication for HTTP connections and by generating similar custom login windows for HTTPS connections. After successfully authenticating the client, the adaptive security appliance would connect through to the intended server. This approach did not require listening ports to be opened on the adaptive security appliance interfaces.
In Version 7.2(1), this functionality was replaced by a form based authentication approach where HTTP and HTTPS connections are redirected to authentication pages that are served from the adaptive security appliance. After successful authentication, the browser is again redirected to the originally-intended URL. This was done to provide:
• More graceful support for authentication challenge processing
• An identical authentication experience for http and https users
• A persistent logon/logoff URL for network users
This approach does require listening ports to be opened on the adaptive security appliance on each interface on which aaa authentication was enabled.
Important Notes
This section lists important notes related to Version 7.2(2).
Maximum Number of VLANs
The maximum number of VLANs for the Security Plus license on the ASA 5505 adaptive security appliance was increased from 5 (3 fully functional; 1 failover; one restricted to a backup interface) to 20 fully functional interfaces. In addition, the number of trunk ports was increased from 1 to 8. Now that there are 20 fully functional interfaces, you do not need to use the backup interface command to cripple a backup ISP interface; you can use a fully-functional interface for it. The backup interface command is still useful for an Easy VPN configuration.
VLAN limits were also increased for the ASA 5510 adaptive security appliance (from 10 to 50 for the Base license, and from 25 to 100 for the Security Plus license), the ASA 5520 adaptive security appliance (from 100 to 150), and the ASA 5550 adaptive security appliance (from 200 to 250).
For more information, see the Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance chapter in the Cisco Security Appliance Command Line Configuration Guide.
virtual http Command
The virtual http command has been restored. This is needed with basic authentication when you have cascading authentication requests.
FIPS 140-2
Version 7.2(2) has been submitted for FIPS 140 Level 2 validation.
Features not Supported in Version 7.2(2)
The PPTP feature is not supported in Version 7.2(2).
Starting with ASDM v5.2, Create Rule and Show Rule buttons were added to the Real-time Log Viewer.
These correspond to syslog IDs 106100 and 106023: clicking the Create Rule button adds a rule (ACL), and clicking the Show Rule button shows the matching rule (ACL).
As for the syslog IDs themselves, 106023 means an IP packet was denied by an ACL, and 106100 means an IP packet matched an ACL that has the log option configured (that is, configured so that a match is recorded as a log entry).
For example, if a user checks syslog ID 106023 entries in the Real-time Log Viewer and finds that an IP packet that should have been permitted was denied, clicking that entry and then the Create Rule button immediately adds a rule (ACL) matching those conditions.
Also, although only in English, clicking a log entry shows the explanation of the message, the recommended action, and further details without having to consult the syslog message manual.
In addition, a Syslog Color Setting was added.
PIX/ASA 7.0(6) was released on August 22.
Excerpts from the Important Notes.
FIPS 140-2
The Cisco ASA 5500 series security appliance is on the FIPS 140-2 Pre-Validation List.
Hostname and Domain Name Limitation
When using ASDM, the hostname and domain names combined should not be more than 63 characters long. If the hostname and domain names combined is more than 63 characters, you will get an error message.
WebVPN ACLS and DNS Hostname
When a deny webtype URL ACL (DNS-based) is defined, but the DNS-based URL is not reachable, a "DNS Error" popup is displayed on the browser. The ACL hitcounter is also not incremented.
If the URL ACL is defined by an IP instead of DNS name, then the traffic flow hitting the ACL will be recorded in the hitcounter and a "Connection Error" is displayed on the browser.
Proxy Server and ASA
If WebVPN is configured to use an HTTP(S)-proxy server to service all requests for browsing HTTP and/or HTTPS sites, the client/browser may expect the following behavior:
1. If the ASA cannot communicate with the HTTP or HTTPS proxy server, a "connection error" is displayed on the client browser.
2. If the HTTP(S) proxy cannot resolve or reach the requested URL, it should send an appropriate error to the ASA, which in turn will display it to the client browser.
Only when the HTTP(S) proxy server notifies the ASA of the inaccessible URL, can the ASA notify the error to the client browser.
Mismatch PFS
The PFS setting on the VPN client and the security appliance must match.
ACS Radius Authorization Server
When certificate authentication is used in conjunction with Radius authorization, the ACS server sends a bogus Group=CISCOACS:0003b9c6/5a940131/username and it is displayed in the vpn-session database.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The Cisco ASA 5500 series security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefit:
•ACE Insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.
User Upgrade Guide
•For a list of deprecated features, and user upgrade information, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/migr_vpn/index.htm
Features not Supported in Version 7.0
The following features are not supported in Version 7.0(6):
•PPPoE
•L2TP over IPSec
•PPTP
MIB Supported
For information on MIB Support, go to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Downgrade to Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
For the CSC SSM, v6.1 (patch b1519-1) was released on July 14, 2006.
This fixes several issues.
v6.1 (b1519-1) released July 14, 2006
Closed Caveats
ID Number: Caveat Title
CSCse61973: CSC SSM does not store NULL HTTP header correctly.
CSCse74860: Unable to import a configuration backup from one SSM to the other
CSCse74868: ESMTP AUTH response cannot pass through CSC
CSCse74885: CSC runtime memory usage keeps increasing
CSCse74907: High-frequency of SMTP disconnection syslogs is generated
CSCse74913: Some values reset to default on config import
CSCse74915: Schedule update may not be executed every 15 minutes on some systems
CSCse74918: Packet capture from CSC CLI Menu does not capture complete packet
CISCO ASA 5500
v7.0(1) released July 28, 2005
v7.0(2) released July 28, 2005
v7.0(4) released October 14, 2005
v7.0(5) released April 14, 2005
v7.1(1) released February 6, 2006
v7.1(2) released March 15, 2006
v7.2(1) released May 26, 2006: PPPoE support / support for the ASA 5550 and 5505 / PPTP not supported
AIP SSM
v5.1 released December 1, 2005
CSC SSM
v6.0 (b1349) released January 17, 2006
v6.1 (b1519) released May 2, 2006
v6.1 (b1519-1) released July 14, 2006
CSC SSM v6.1 Japanese patch released May 18, 2006
When ICMP inspection is used, there is no need to write an ACL for ICMP return traffic (such as the ICMP ECHO REPLY to an ICMP ECHO).
When ICMP inspection is not used, an ACL must be written for ICMP return traffic (such as the ICMP ECHO REPLY to an ICMP ECHO).
PIX v7.2(1) does not support PPPoE with IP unnumbered, so caution is needed.
When using a block of 8 or 16 IP addresses on a service such as B FLET'S, should the DMZ be built with private IP addresses and static NAT to the global IP addresses?
WCCP does not work correctly between IWSS 2.5 and PIX 7.2(1).
Tested with PIX 7.2 commands.
access-list WCCP_Group-list extended permit ip 10.1.1.0 255.255.255.0 any
access-list WCCP_Redirect-list extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list WCCP_Redirect-list extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
wccp 80 redirect-list WCCP_Redirect-list group-list WCCP_Group-list
wccp interface inside 80 redirect in
The Command Line Configuration Guide states the following.
WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.
Therefore the configuration places IWSS 2.5 and the client PCs on the same segment as interface inside.
On IWSS, WCCP is enabled and 10.1.1.1 is specified in the router IP address list.
The client PCs' www and ftp requests are redirected, but IWSS only keeps sending GRE traffic toward the PIX's Router Identifier IP address, and it does not work properly.
Next, tested under the same conditions with IOS.
IOS 12.3 commands
access-list 22 permit 10.1.1.0 0.0.0.255
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
ip wccp 80 redirect-list 101 group-list 22
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
no ip redirects
ip wccp 80 redirect in
ip route 0.0.0.0 0.0.0.0 10.1.1.10
IOS 12.3(0) through 12.3(9) are reportedly to be avoided.
IWSS 2.5 and the client PCs are placed on the same segment as FastEthernet0/1.
The client PCs' default gateway is 10.1.1.1.
The no ip redirects command is entered so that the client PCs do not unexpectedly receive an ICMP redirect message and get redirected.
In this configuration, the client PCs' www and ftp requests are redirected, and IWSS works correctly as a transparent proxy.
The ip verify reverse-path interface ... command.
It uses Unicast Reverse Path Forwarding (Unicast RPF).
When Unicast RPF is enabled, the source address is checked, and if a packet's source address arrives on an interface on which it should not arrive, that packet is dropped.
Because this source address check consults the routing table, the routing table must contain a return route to the source address for all traffic that is permitted to pass.
See RFC 2267.
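The Unicast RPF check described above, simulated in Python as an added example (not code from the original post): a longest-prefix lookup on a constructed routing table decides whether a packet's source address may arrive on its ingress interface, and a source with no return route is dropped, which is why every permitted source needs a route back. The routing table, the interface names and the set of interfaces with reverse-path verification enabled are assumptions.

```python
import ipaddress

# Constructed routing table for illustration (not from the original post):
# (destination prefix, interface the route points out of). The last entry is the default route.
ROUTES = [
    ("10.1.1.0/24", "inside"),
    ("10.2.0.0/16", "dmz"),
    ("0.0.0.0/0", "outside"),
]

# Interfaces on which "ip verify reverse-path interface <name>" is assumed to be configured.
RPF_INTERFACES = {"outside", "dmz"}


def build_table(routes):
    """Parse (prefix, interface) pairs and order them longest prefix first,
    so that the first matching entry in lookup() is the most specific route."""
    parsed = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes]
    return sorted(parsed, key=lambda entry: entry[0].prefixlen, reverse=True)


def lookup(table, address):
    """Longest-prefix match: the interface the appliance would use to reach address,
    or None when the routing table has no route to it (not even a default route)."""
    addr = ipaddress.ip_address(address)
    for network, ifc in table:
        if addr in network:
            return ifc
    return None


def rpf_check(table, src, ingress):
    """Strict Unicast RPF on one packet. Returns (forward, reason).
    The packet passes only when the return route to its source address points out of
    the interface it arrived on. A source with no return route is dropped as well."""
    route_ifc = lookup(table, src)
    if route_ifc is None:
        return False, "no route back to source %s" % src
    if route_ifc != ingress:
        return False, "source %s is reached via %s but arrived on %s" % (src, route_ifc, ingress)
    return True, "return route to %s is via %s" % (src, ingress)


def should_forward(table, src, ingress, rpf_interfaces=RPF_INTERFACES):
    """Apply the check only on interfaces where reverse-path verification is enabled."""
    if ingress not in rpf_interfaces:
        return True, "uRPF not enabled on %s" % ingress
    return rpf_check(table, src, ingress)


if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed packets: (source address, ingress interface). The second one is spoofed:
    # an inside address arriving from the outside.
    for src, ingress in [("198.51.100.7", "outside"), ("10.1.1.20", "outside"), ("10.1.1.20", "inside")]:
        print(src, ingress, should_forward(table, src, ingress))
```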
When managing PIX/ASA v7.2(1) with SNMP, you must use v1 or v2c.
SNMP v3 is not supported.
NetFlow is not supported either.
PPTP, which is available on the VPN 3000 and PIX v6.x, is not supported on PIX/ASA v7.2(1).
By monitoring syslog ID 304001, users' web access can be checked.
Syslog ID 304001 records the URL that a user accessed.
To evaluate ACLs, monitoring syslog IDs 106100 and 106023 is effective.
Even when the log option is not enabled on an ACL, 106023 is recorded when a packet is denied by that ACL.
When the log option is enabled on an ACL and a packet is processed by that ACL, 106100 is recorded.
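As an added example (not code from the original posts), a small Python parser for the three syslog messages this blog uses to evaluate ACLs and web access: 106023 (deny by ACL), 106100 (ACL hit with the log option) and 304001 (accessed URL). It tallies hits per access-list and action and, like the ASDM Create Rule button described earlier, turns a 106023 deny into the permit ACE that would have matched the packet. The log lines are constructed samples in the ASA message format; the access-list names and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original posts). The formats follow the ASA
# syslog messages 106023, 106100 and 304001; names and addresses are made up.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:192.0.2.10/43210 dst inside:10.1.1.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:192.0.2.10 dst inside:10.1.1.5 (type 8, code 0) by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-106100: access-list INSIDE_OUT permitted tcp inside/10.1.1.20(51234) -> outside/198.51.100.7(80) hit-cnt 1 first hit [0x12345678, 0x0]
%ASA-6-106100: access-list INSIDE_OUT denied tcp inside/10.1.1.20(51235) -> outside/198.51.100.7(23) hit-cnt 3 300-second interval [0x12345678, 0x0]
%ASA-5-304001: 10.1.1.20 Accessed URL 198.51.100.7:http://www.example.com/index.html
"""

# 106023: ports are absent for protocols such as icmp, so they are optional here.
RE_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\S+) src (?P<sif>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?.*? by access-group "(?P<acl>[^"]+)"'
)
RE_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+)'
    r' (?P<sif>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> (?P<dif>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)'
    r' hit-cnt (?P<hits>\d+)'
)
RE_304001 = re.compile(r'%ASA-\d-304001: (?P<src>\S+) Accessed URL (?P<dst>[^:\s]+):(?P<url>\S+)')

# Port keywords the ASA CLI accepts for a few common ports (used when building an ACE).
PORT_NAMES = {"22": "ssh", "23": "telnet", "53": "domain", "80": "www", "443": "https"}


def parse_line(line):
    """Return a dict describing one of the three messages, or None for any other line."""
    m = RE_106023.search(line)
    if m:
        rec = m.groupdict()
        rec.update(msg_id="106023", action="denied", hits=1)  # one message per denied packet
        return rec
    m = RE_106100.search(line)
    if m:
        rec = m.groupdict()
        rec.update(msg_id="106100", hits=int(rec["hits"]))  # hit-cnt may aggregate an interval
        return rec
    m = RE_304001.search(line)
    if m:
        rec = m.groupdict()
        rec.update(msg_id="304001", action="accessed", proto="tcp")
        return rec
    return None


def parse_log(text):
    """Parse a whole log, keeping only the messages this example understands."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Count packets per (access-list, action), summing hit-cnt for 106100 messages."""
    counts = Counter()
    for rec in records:
        if rec["msg_id"] in ("106023", "106100"):
            counts[(rec["acl"], rec["action"])] += rec["hits"]
    return counts


def accessed_urls(records):
    """List (client address, URL) pairs seen in 304001 messages."""
    return [(rec["src"], rec["url"]) for rec in records if rec["msg_id"] == "304001"]


def suggest_ace(rec):
    """Mirror the Create Rule button: the permit ACE, for the same access-list,
    that would have matched the packet reported by a 106023 deny message."""
    if rec.get("msg_id") != "106023":
        raise ValueError("only a 106023 deny message can be turned into a rule")
    ace = "access-list %s extended permit %s host %s host %s" % (rec["acl"], rec["proto"], rec["src"], rec["dst"])
    if rec["proto"] in ("tcp", "udp") and rec.get("dport"):
        ace += " eq " + PORT_NAMES.get(rec["dport"], rec["dport"])
    return ace


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, hits in sorted(summarize(recs).items()):
        print("%-12s %-9s %d" % (key[0], key[1], hits))
    for rec in recs:
        if rec["msg_id"] == "106023":
            print("would permit with:", suggest_ace(rec))
    print("URLs:", accessed_urls(recs))
```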
Using ESMTP inspection, the sender address can be detected in ESMTP traffic, and when the detected sender address matches, or does not match, a given condition, that ESMTP traffic can be reset, have its connection dropped, or be logged.
This can also be used as a blacklist or whitelist for countering virus mail and spam.
The ASA 5505 was introduced in this release.
The ASA 5505 is a new product for SOHO and enterprise teleworkers, with many features such as an 8-port FastEthernet switch, Easy VPN, and dual ISP support.
The ASA 5550 provides gigabit-class security services in large-enterprise and service-provider networks, in a reliable 1 RU form factor with Active/Active high availability.
Easy VPN feature (ASA 5505 only)
Has a PoE switch.
Application inspection and control
The following application inspections were extended:
ESMTP NetBIOS H.323 DNS FTP HTTP Skinny (SCCP) SIP
The following application inspections were added:
DCERPC inspection
Instant Messaging (IM) inspection
Can detect and classify Yahoo Messenger and MSN Messenger.
Modular Policy Framework (MPF): regular-expression-based classification
Classification using regular expressions is possible; usable with HTTP, ESMTP, IM inspection, and so on.
RADIUS Accounting inspection
GKRCS Support for H.323
Skinny Video Support
SIP IP Address Privacy
Remote access and site-to-site VPN
NAC Network Admission Control
L2TP Over IPsec
OCSP Support
Active RIP Support
Multiple L2TP Over IPsec Clients Behind NAT
Nokia Mobile Authentication Support
Zonelabs Integrity Server
Hybrid XAUTH
IPsec Fragmentation and Reassembly Statistics
Network
PPPoE Client
Dynamic DNS Support
Multicast Routing Enhancements
Private and Automatic MAC Address Assignments and Generation for Multiple Context Mode
Expanded DNS Domain Name Usage
Resilience and scalability
Sub-second Failover
Standby ISP Support
Other
RTP/RTCP Inspection
Generic Input Rate Limiting
URL Filtering Enhancements for Secure Computing (N2H2)
Resource Management for Security Contexts
Authentication for Through Traffic and Management Access Supports All Servers Previously Supported for VPN Clients
Auto Update
Dead Connection Detection (DCD)
Configurable Prompt
Save All Context Configurations from the System
Intra-Interface Communication for Clear Traffic
Modular Policy Framework Support for Management Traffic
Management and convenience
Traceroute
Traceroute command
Packet Tracer
ACL test tool.
WCCP
Transparent proxy configuration. Integration with Squid, IWSS, and similar products.
IPv6 Security Enforcement of IPv6 Addresses
Inspection IPS, CSC and URL Filtering for WebVPN