ASA/PIX Firewall: “to-the-box” traffic


Dec 31, 2010 8:42 PM


New Year greetings to all reading this!!

I thought of sharing something interesting with everyone. This is a feature I have explained to many of our customers and thought of sharing it here on our support forum.

Traffic reaching a device can be classified in two ways: traffic through-the-box and traffic to-the-box. On an ASA running software version 8.0 (or higher) and a PIX running software 6.3, there is a behaviour for 'to-the-box' traffic that I would like to share here.

Consider the setup below with sample config from ASA 8.x software:

:
ASA Version 8.x
!
:
route Outside-Primary 0.0.0.0 0.0.0.0 Y.Y.Y.254 2
route Outside-Backup 0.0.0.0 0.0.0.0 X.X.X.254 5
:

[Figure: network diagram of the sample setup with the Outside-Primary and Outside-Backup interfaces]

If we try to access the ASA from the outside, we can reach the device through both interfaces, Outside-Primary and Outside-Backup, via SSH, HTTP, etc. This behaviour is available on ASA 8.0 (or higher) and PIX 6.3: if two default routes are configured on different interfaces with different metrics, connections to the ASA arriving via both the higher-metric and the lower-metric route succeed. On ASA 7.0, a connection to the ASA made via the higher-metric interface fails, while connections via the lower-metric interface succeed as expected.

This behaviour is on by default; it can be turned off by enabling Reverse Path Verification on the interfaces. Adding the following commands disables it:

ip verify reverse-path interface Outside-Primary
ip verify reverse-path interface Outside-Backup

The commands above enable a check of the packet's return path against the global routing table. The 'ip verify reverse-path' command uses the global routing table, not a per-interface routing table, when making this decision: it checks whether the packet's source address would be reached back out through the same interface it arrived on, using the currently active route (the one with the lower metric). A packet arriving on the backup interface from a source that the active default route would send out via the primary interface therefore fails the check and is dropped.
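To make the routing decision concrete, here is a small model of the check (added here as an illustration, not code from the post or from Cisco): a routing table with the two default routes from the sample config, a longest-prefix/lowest-metric lookup standing in for the global table, and a strict reverse-path check like the one 'ip verify reverse-path interface' enables. It goes one step beyond the post by also showing that a host-specific route via the backup interface makes the check pass on that interface. The source address 203.0.113.10 and the route entries are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    interface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int  # the trailing number on the ASA 'route' line


def add_route(table, interface, prefix, next_hop, metric):
    table.append(Route(interface, ipaddress.ip_network(prefix), next_hop, metric))


def lookup(table, dst):
    """Model of the global table: longest prefix wins; among routes with the
    same prefix, the lowest metric is the single active route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def rpf_check(table, ingress, src):
    """Strict reverse-path check: pass only if the global table would reach
    the packet's source back out through the interface it arrived on."""
    route = lookup(table, src)
    return route is not None and route.interface == ingress


def demo():
    table = []
    # The two default routes from the sample config (constructed next hops)
    add_route(table, "Outside-Primary", "0.0.0.0/0", "Y.Y.Y.254", 2)
    add_route(table, "Outside-Backup", "0.0.0.0/0", "X.X.X.254", 5)
    src = "203.0.113.10"  # constructed Internet host
    results = {
        "primary": rpf_check(table, "Outside-Primary", src),  # active route: pass
        "backup": rpf_check(table, "Outside-Backup", src),    # inactive route: drop
    }
    # A host-specific route via the backup ISP changes the lookup result
    add_route(table, "Outside-Backup", src + "/32", "X.X.X.254", 1)
    results["backup_with_host_route"] = rpf_check(table, "Outside-Backup", src)
    return results


if __name__ == "__main__":
    print(demo())
```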

Hope you find this useful.

Regards,
Chirag


Comments

shzaman Sun, 01/02/2011 - 21:05

Thanks for sharing this information.

ASA 8.0

I want to mention/add that if there is a server behind ASA which is mapped to two IPs (static NAT, IP-A from ISP1 and IP-B from ISP2) then that server will be accessible from outside world using both IPs.

static (inside, outside1) IP-A 10.1.1.10 netmask 255.255.255.255 
static (inside, outside2) IP-B 10.1.1.10 netmask 255.255.255.255

When two default routes with different metric values are configured, we will be able to see both routes in 'sh asp table routing'. If we have SLA tracking configured for the low-metric route (ISP1) and it goes down, then the inside server will only be accessible through ISP2's IP address.

ochalmers Tue, 01/04/2011 - 08:41

Hi Chirag,

I have an ASA connected to two ISPs as in your example, and this idea could help me, so I configured the following commands:

ip verify reverse-path interface outside_1
ip verify reverse-path interface outside_2

Also:

route outside_1 0.0.0.0 0.0.0.0 172.24.25.1 1
route outside_2 0.0.0.0 0.0.0.0 172.24.26.1 5

But it seems not to be working, because the ASA gives this error when I try to ping from the Internet to a public IP address of ISP2:

Deny ICMP reverse path check from 201.238.58.189 to 172.24.26.3 on interface outside_2

If I interchange the AD of the routes, it works fine.

What am I missing?

Cisco Adaptive Security Appliance Software Version 8.0(2)

Please help.

csaxena Tue, 01/04/2011 - 18:46 (reply to ochalmers)

Hi,

Please add the following config:

  • no ip verify reverse-path interface outside_1
  • no ip verify reverse-path interface outside_2

By this we are disabling the reverse path check. With this we should be able to ping, SSH, use ASDM, etc. using the public IP address of ISP2. Please let me know if this works for you.

Regards,
Chirag

ochalmers Wed, 01/05/2011 - 06:51 (reply to csaxena)

Hi Chirag,

I followed your suggestion, but I'm still unable to ping or establish any TCP/UDP connection against ISP2; the message changed:

Routing failed to locate next hop for udp from NP Identity Ifc:172.24.26.3/62465 to outside_2:201.238.55.195/62465

I've even upgraded the system image to asa824-k8.bin.

What could be wrong?

Thanks in advance

Best Regards

Oscar

csaxena Thu, 01/06/2011 - 10:38 (reply to ochalmers)

Hi Oscar,

Please provide the following outputs:

  • show running-config
  • show asp table routing
  • For both ISP : packet-tracer input <internet_interface_name> tcp <your_public_IP> 12345 <interface_IP> 22 detailed

Is this device under contract? If yes, please provide me with the serial number and your Cisco ID and I shall open a service request for it; otherwise we shall work on it here.

Regards,

Chirag

ochalmers Thu, 08/23/2012 - 08:23 (reply to csaxena)

Hi Chirag, I hope you are doing OK. I disabled ip verify reverse-path interface on both outside interfaces; now I'm able to reach the ASA via SSH or HTTPS through both ISPs, but no ping or UDP traffic works via ISP2 unless I add a specific route to the external host via the backup ISP.

Do you have an idea why this is happening?

Regards

Oscar

Note: Sorry for the late reply; I only saw your reply today. I'm still interested in making this idea work.
