ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Mar 9th, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Glenn Fullager about troubleshooting ASA/PIX Firewalls. Glenn is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems, Inc. He is based in Melbourne, Australia. He is responsible for assisting customers in the AsiaPac region with high-level problems, specializing in the Security and VPN technologies. Glenn has more than 10 years' experience in the Information Technology field, specializing in Security/VPN for the past three years.

Remember to use the rating system to let Glenn know if you have received an adequate response.

Glenn might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 23, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

fishbone88 Fri, 03/09/2007 - 12:51

Hi Glenn,

I have an ASA 5510 (sw version 7.2.1) set up to do the following:

- port forwarding for incoming connections on outside interface port 22 to system on inside network port 22. This is used for remote access via SSH to our internal server.

- Source IP address translation for the same internal system when using a couple of VPNs.

IP address translation for outgoing connections through VPNs was always working fine. However, at the moment I set up the port forwarding for outside_interface:22 to inside_system:22, I received the following error:

WARNING: real-address conflict with existing static

TCP inside:10.0.0.2/22 to outside:a.b.c.1/22 netmask 255.255.255.255

I have the following static lines in my config:

static (inside,outside) tcp a.b.c.1 ssh 10.0.0.2 ssh netmask 255.255.255.255

static (inside,management) 10.0.0.0 10.0.0.0 netmask 255.255.248.0

static (inside,voip) 10.0.0.0 10.0.0.0 netmask 255.255.248.0

static (inside,outside) a.b.d.1 access-list 1

static (inside,outside) a.b.d.2 access-list 2

....

static (inside,outside) 10.0.0.2 access-list 3

access-l 1 remark -- translate 10.0.0.2->a.b.d.1 for vpn1

access-l 1 permit ip host 10.0.0.2 10.1.0.0 255.255.255.0

access-l 2 remark -- translate 10.0.0.2->a.b.d.2 for vpn2

access-l 2 permit ip host 10.0.0.2 10.2.0.0 255.255.255.0

access-list 3 remark -- traffic we dont translate

access-list 3 permit ip host 10.0.0.2 10.3.0.0 255.255.255.0

Now one VPN is not working anymore. The ASA does not translate source IP address 10.0.0.2 to the IP address used for that VPN, and the VPN does not work. Strange is that only one VPN has stopped functioning since I added the port forwarding statement. The other VPNs are doing fine.

Please tell me what I am doing wrong and what the right way to do this is.

Thanks in advance for your help.

With Kind Regards,

Alex
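The warning above is the appliance noticing that two statics on the same interface pair claim the same real (inside) address. The checker below is an added example, not Cisco code: it models each static as the inside flows it claims (real source network, the destination an access-list selects for a policy static, and the port for a port static) and reports the pairs whose claims intersect. The public addresses a.b.c.x/a.b.d.x of the question are replaced with constructed 203.0.113.x placeholders.

```python
"""Checker for overlapping 'static' NAT lines in an ASA/PIX 7.x configuration."""
import ipaddress
import re

PORT_NAMES = {"ssh": 22, "ftp": 21, "smtp": 25, "www": 80, "http": 80, "https": 443}
STATIC_RE = re.compile(r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?P<rest>.+)$")
# Old-style ACL entries as used on the page: access-l[ist] NAME permit PROTO host SRC DST MASK
ACL_RE = re.compile(r"^access-l(?:ist)?\s+(?P<name>\S+)\s+permit\s+\S+\s+host\s+"
                    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<mask>\S+)$")

# Constructed sample: the question's statics with placeholder public addresses.
SAMPLE_CONFIG = """
static (inside,outside) tcp 203.0.113.1 ssh 10.0.0.2 ssh netmask 255.255.255.255
static (inside,management) 10.0.0.0 10.0.0.0 netmask 255.255.248.0
static (inside,voip) 10.0.0.0 10.0.0.0 netmask 255.255.248.0
static (inside,outside) 203.0.113.11 access-list 1
static (inside,outside) 203.0.113.12 access-list 2
static (inside,outside) 10.0.0.2 access-list 3
access-l 1 remark -- translate 10.0.0.2->203.0.113.11 for vpn1
access-l 1 permit ip host 10.0.0.2 10.1.0.0 255.255.255.0
access-l 2 remark -- translate 10.0.0.2->203.0.113.12 for vpn2
access-l 2 permit ip host 10.0.0.2 10.2.0.0 255.255.255.0
access-list 3 remark -- traffic we dont translate
access-list 3 permit ip host 10.0.0.2 10.3.0.0 255.255.255.0
"""


def _port(token):
    """Numeric port or a well-known name such as 'ssh'."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _netmask(tokens, default="255.255.255.255"):
    return tokens[tokens.index("netmask") + 1] if "netmask" in tokens else default


def parse_config(text):
    """Return one record per (static, ACL entry) describing the flow it claims."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    acls = {}
    for line in lines:  # first pass: ACLs may be listed after the statics that use them
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(
                (ipaddress.ip_network(m["src"]),
                 ipaddress.ip_network(f"{m['dst']}/{m['mask']}", strict=False)))
    statics = []
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        tokens = m["rest"].split()
        pair = (m["real_if"], m["mapped_if"])
        if tokens[0] in ("tcp", "udp"):
            # Port static: PROTO MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT [netmask MASK]
            statics.append({"line": line, "pair": pair, "real": ipaddress.ip_network(tokens[3]),
                            "proto": tokens[0], "port": _port(tokens[4]), "dst": None})
        elif "access-list" in tokens:
            # Policy static: MAPPED_IP access-list NAME; the ACL supplies real source and destination
            for src, dst in acls.get(tokens[tokens.index("access-list") + 1], []):
                statics.append({"line": line, "pair": pair, "real": src,
                                "proto": None, "port": None, "dst": dst})
        else:
            # Plain static: MAPPED_IP REAL_IP [netmask MASK]
            real = ipaddress.ip_network(f"{tokens[1]}/{_netmask(tokens)}", strict=False)
            statics.append({"line": line, "pair": pair, "real": real,
                            "proto": None, "port": None, "dst": None})
    return statics


def claims_intersect(a, b):
    """True when both statics can claim the same inside flow on the same interface pair."""
    if a["pair"] != b["pair"] or not a["real"].overlaps(b["real"]):
        return False
    if a["dst"] is not None and b["dst"] is not None and not a["dst"].overlaps(b["dst"]):
        return False  # policy statics selected by disjoint destinations coexist
    if a["port"] is not None and b["port"] is not None and \
            (a["proto"], a["port"]) != (b["proto"], b["port"]):
        return False  # port statics for different ports coexist
    return True


def find_conflicts(text):
    """Pairs of static lines whose claims overlap, in configuration order."""
    statics = parse_config(text)
    conflicts = []
    for i, a in enumerate(statics):
        for b in statics[i + 1:]:
            key = (a["line"], b["line"])
            if a["line"] != b["line"] and key not in conflicts and claims_intersect(a, b):
                conflicts.append(key)
    return conflicts


if __name__ == "__main__":
    for first, second in find_conflicts(SAMPLE_CONFIG):
        print("real-address conflict:\n  ", first, "\n  ", second)
```

On the sample the port static for 10.0.0.2/22 collides with all three policy statics, while the policy statics leave one another alone because their ACLs select different destinations.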

hoogen_82 Sat, 03/10/2007 - 02:58

Hi Glen,

I am implementing a basic setup here: lan --> ASA --> ADSL router --> internet

I have a proxy server inside 192.168.1.6. My two dns servers are present outside.

My problem now is I am not able to ping anything outside. And is there anything else I need to take care of, since the proxy server is inside and the DNS servers are on the internet?

Hoogen

ROBERTO TACCON Sat, 03/10/2007 - 05:52

Hi Hoogen,

have you tried to inspect the icmp protocol as well?

policy-map global_policy

class inspection_default

inspect icmp

hoogen_82 Sat, 03/10/2007 - 09:40

Hmm.. I did miss that. But my DNS, i.e. I wasn't able to browse either. Any idea on what might be wrong?

Hoogen

ROBERTO TACCON Sat, 03/10/2007 - 23:00

Hi Hoogen,

1) can you paste the output of the packet-tracer test

for example:

ASA#packet-tracer input inside icmp 10.10.100.50 8 0 192.168.0.1

2) verify the service policy (I don't remember if it works with the icmp protocol)

for example:

ASA# show service-policy flow icmp host 10.0.0.2 host 10.1.1.2

3) verify the asp

ASA#show asp drop

4) try to sniff the icmp protocol on the interfaces (the following is an example with the http protocol; modify it for ICMP ...)

Step 1: create ACL for both inside and outside Interface

! Outside Capture ACL

ASA#Access-list 100 permit tcp host 192.168.2.2 host 198.133.219.25 eq 80

ASA#Access-list 100 permit tcp host 198.133.219.25 eq 80 host 192.168.2.2

! Inside Capture ACL

ASA#Access-list 101 permit tcp host 10.1.3.2 host 198.133.219.25 eq 80

ASA#Access-list 101 permit tcp host 198.133.219.25 eq 80 host 10.1.3.2

Step 2: create captures on both inside and outside interface

ASA#capture out access-list 100 interface outside packet-length 1500

ASA#capture in access-list 101 interface inside packet-length 1500

Step 3: have inside user access www.cisco.com

Step 4: verify the capture

ASA# show capture in

ASA# show capture out

hoogen_82 Wed, 03/14/2007 - 00:20

Hi,

Thanks taccon and Glen. Now I have run into a different issue.

I have a problem here with my setup.

It is a simple one Internet <--> ADSL router <--> ASA <--> LAN

I have two lan interfaces both connected to my ASA.

The problem is I have an FTP server residing inside my LAN. The users on the internet are not able to FTP to my server. The error they get is "FTP unknown error".

I am posting my configuration.

Thanks for any help.

Just to add to the above, the ADSL router is in bridged mode. Should that create a problem? The FTP server though works fine if I connect it directly to the internet.

Also, the command same-security-traffic permit inter-interface: any ideas what else I should do?

gfullage Wed, 03/14/2007 - 18:00

Config looks OK, and the ADSL router in bridged mode should be OK too. Best way to troubleshoot any problem like this is to enable syslogging and see what it tells you. You can do:

logging on

logging asdm debug

and look at the logs directly in ASDM, or do:

logging on

logging console debug

to see them on the console port. Then have a user try an FTP session and see what it tells you. If you still can't figure it out from there then post the syslog output back here and we'll see what we can tell from it.

gfullage Sun, 03/11/2007 - 01:27

Sorry for the delay in responding.

As poster r.taccon said you could set up "inspect icmp", but you already are allowing ICMP in on your inbound access-list, which should cover that. If you have this AND "inspect icmp" in your config and it still doesn't work then you have another issue.

You mention the DNS servers a few times, are you pinging by name or by IP address? Try by IP address and see if that works, at least then we can pinpoint it down to a filtering or a DNS problem.

If you can ping by IP address but not by name then obviously you have a DNS issue. There's nothing specifically wrong with your config anywhere, it's pretty basic. I'd like to see "show service-policy" to see if the ASA is seeing DNS packets and dropping them for some reason. Other than that a packet capture on both the inside and outside interfaces is probably the best way we can figure out what's going on.

fishbone88 Mon, 03/12/2007 - 10:45

Hi Glenn,

I apologise for this reply if the reason that you are not answering my question is because you are too busy.

Anyway, in case you need some additional information from me (complete ASA config, network topology map ..) please tell me and I'll provide you with all the details that you need.

This blocking issue is keeping me from implementing Cisco ASA all the way in my organization.

Thanks one more time for your help.

With Kind Regards,

Alex

gfullage Mon, 03/12/2007 - 20:34

Oh jeez, sorry, I read your post first the other day and then for some reason got sidetracked on other things and then completely overlooked it as something that I had answered. My apologies, and thanks for posting again to remind me.

What you're seeing is not unexpected when you have overlapping static configurations. You may not get total failure on one or the other statics, it will all depend on what types of translations are already present in the translation table and what your new static overwrites. For example, you're adding a port static that essentially overlaps with your other network statics. If one of those happens to have a translation on port 22 already then you'll break it. The warning message is there for a reason.

Is there any other way you can set this up but use a different address? Unfortunately the way you've done it is always going to lead to overlaps going on, and weird behaviour following on from that.

Hi Glenn - good to see you back on the ask the expert stage!

Simple question - do you have a good/detailed document on setting up L2L VPN between PIX 6.3(5) and a MS ISA 2006 server please. I don't have a problem with the PIX setup but need to send a detailed document to customer who would like to terminate the VPN on a MS ISA 2006 box, funny, my customer is based in Melbourne, Aus.!!

Thanks for any pointers...

Jay

sebastan_bach Sat, 03/10/2007 - 06:51

Hi Glen, really glad to have you back in the forum.

Heard a lot about the new IOS 8.0 for ASA which has very good enhancements, for WebVPN especially.

Would like to know if routing and VPN with context functionality will be available in the new version.

Waiting for your reply.

regards

sebastan

gfullage Sun, 03/11/2007 - 01:33

Hi Sebastan, good to be back.

Just got back from a week in Sydney doing the ASA v8.0 TAC training, and unfortunately no, VPN and dynamic routing is NOT in the multi-context configuration.

sebastan_bach Sun, 03/11/2007 - 12:20

Hi Glen, thanks for your reply. Then could you please tell us what the major enhancements in version 8.0 are, and is Cisco planning to get VPN and routing functionality with contexts sometime later?

Glen, one more question: is the QoS policy on the ASA for ingress or egress?

Waiting for your reply.

regards

sebastan

gfullage Mon, 03/12/2007 - 20:17

Haven't heard of them adding VPN/routing functionality on a per-context basis. If this is something you really want then please contact your account team and get them to push for it, the more people that ask for it the faster it will usually get in. To be honest I haven't heard of many people asking for it, although if we add it in I'm sure a lot of people will start using it.

As for the major additions in 8.0, some are as follows:

- EIGRP support

- secure syslogging

- IPS virtualization (being able to utilise the new IPS 6.0 feature)

- threat detection (detecting scans, syn attacks, etc)

- all the inspection engines have been enhanced to support new functionality

- a lot of crypto enhancements like CA server

- major WebVPN enhancements to how it functions and works in the backend to make it faster and work better with ActiveX/Java pages

QoS is applied to the outbound interface only.

sebastan_bach Mon, 03/12/2007 - 22:52

Hi Glen, thanks a lot for your reply.

I was asking for the VPN and routing functionality for the context because, if supported, it will work properly for a managed firewall service,

wherein every customer can run its own VPN and routing protocol on his protocol and manage and configure his own firewall.

Without this the ASA can only be used in a normal environment.

By the way, any idea when version 8.0 will be released?

just expressed my views.

regards

sebastan

gfullage Mon, 03/12/2007 - 23:00

Yep, and I see your point, so no arguments there.

8.0 is in final testing phases now so it all depends on how it goes in that. Obviously if they run into issues it will be delayed until those issues are fixed, so at this point there is no set date for its release. It should be towards the end of the month all going well.

mmorris11 Tue, 03/20/2007 - 06:53

I have been wondering about this since 7 was introduced. I don't know anyone who has an ASA who doesn't also use it for VPN. One question though, if I don't use the ASA for IPsec VPN and just SSL vpn, why couldn't contexts be used since none of the typical crypto engine stuff would be needed? Multiple context + VPN = :)

-mike

gfullage Tue, 03/20/2007 - 23:05

Agree again, but the underlying code is shared quite a bit actually (not so much the encryption, but the mappings between tunnel groups, etc), which is why it would be virtually impossible to separate the two.

gfullage Sun, 03/11/2007 - 01:31

Thanks Jay, glad to be back (sort of :-) )

Ahh those people in Melbourne, always making things difficult. This is about as close as I can find:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml

I can honestly say I've never tried this, so ummm, have fun :-)

FYI, all the PIX sample configs are here:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

ckuriyar74 Wed, 03/21/2007 - 23:22

We have a PIX 515 with 7.0(2) and are having an intermittent problem. Four VPN tunnels are configured and also internet traffic passes through this PIX.

Currently the PIX is very slow, and if I ping the inside interface the ping response varies between 50 and 100ms; also the latency to the internet sites is high.

If the traffic is zero the ping response is normal, ~1ms, and it behaves normally.

Is it related to any hardware issue or bug with image 7.0(2)?

JohnHumphrey Thu, 03/22/2007 - 16:15

Where could I find some good tutorials on the ASA 5500 series Appliances?

ROBERTO TACCON Sat, 03/10/2007 - 06:56

Hi Glenn,

please can you help me with the following QoS problem on the ASA:

Situation:

I have 2 ASAs, version 7.2, with L2L IPSec VPN tunnels over the internet established with one another.

Each with 5 Mbps of internet bandwidth.

Requirements:

I need to configure QoS across this LAN-to-LAN IPSec tunnel in the following way.

With 5 Mbps total bandwidth I need to rate-limit the L2L VPN to 3.5 Mbps with the following rate limit policy:

2 Mbps for the http traffic to 192.168.10.10,

1 Mbps for the https to 192.168.10.10

and 500 kbps for all the other traffic inside the L2L IPSec.

As indicated at http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063705d.html :

QoS provides maximum rate control, or policing, for tunneled traffic for each individual user tunnel and every site-to-site tunnel. In this release, there is no minimum bandwidth guarantee.

The security appliance can police individual user traffic within a LAN-to-LAN tunnel by configuring class-maps that are not associated with the tunnel, but whose traffic eventually passes through the LAN-to-LAN tunnel. The traffic before the LAN-to-LAN tunnel can then be specifically policed as it passes through the tunnel and is policed again to the aggregate rate applied to the tunnel.

The security appliance achieves QoS by allowing two types of traffic queues for each interface: a low-latency queue (LLQ) and a default queue. Only the default traffic is subject to rate limiting.

Please can you check if the following configuration example (or any other) is correct / possible?

Thanks in advance.

----------------------------------------------------------------------------------

hostname(config)# access-list host-over-l2l-http extended permit tcp any host 192.168.10.10 eq 80

hostname(config)# class-map l2l-host-specific-80

hostname(config-cmap)# description "This class-map matches http traffic for the host on the private side of the remote tunnel"

hostname(config-cmap)# match access-list host-over-l2l-http

hostname(config)# access-list host-over-l2l-https extended permit tcp any host 192.168.10.10 eq 443

hostname(config)# class-map l2l-host-specific-443

hostname(config-cmap)# description "This class-map matches https traffic for the host on the private side of the remote tunnel"

hostname(config-cmap)# match access-list host-over-l2l-https

hostname(config)# access-list host-over-l2l-any extended deny tcp any host 192.168.10.10 eq 80

hostname(config)# access-list host-over-l2l-any extended deny tcp any host 192.168.10.10 eq 443

hostname(config)# access-list host-over-l2l-any extended permit ip any any

hostname(config)# class-map l2l-host-specific-any

hostname(config-cmap)# description "This class-map matches all other traffic for the host on the private side of the remote tunnel"

hostname(config-cmap)# match access-list host-over-l2l-any

hostname(config-cmap)# class-map l2l-tunnel-grp1

hostname(config-cmap)# description "This class-map matches all best-effort traffic for tunnel IPsec grp1"

hostname(config-cmap)# match tunnel-group tunnel-grp1

hostname(config-cmap)# match flow ip destination-address

----------------------------------------------------------------------------------

hostname(config)# policy-map qos

hostname(config-pmap-c)# class l2l-tunnel-grp1

hostname(config-pmap-c)# police output 3500000 37500

hostname(config-pmap-c)# class l2l-host-specific-80

hostname(config-pmap-c)# police output 2000000 37500

hostname(config-pmap-c)# class l2l-host-specific-443

hostname(config-pmap-c)# police output 1000000 37500

hostname(config-pmap-c)# class l2l-host-specific-any

hostname(config-pmap-c)# police output 500000 37500

----------------------------------------------------------------------------------

hostname(config)# service-policy qos interface outside

gfullage Sun, 03/11/2007 - 01:50

Thanks for the detailed question and configuration example. It looks basically correct from what I can tell, my only worry is that you have the "match all tunneled traffic" class first in the policy-map. I think your more specific traffic to 192.168.10.10 will just be hitting this first and only use that class-map, which just means all that traffic is being rate-limited to 3.5Mbps.

A good way to see what particular types of traffic flows will hit what class-map and service policy (or in other words what action will be taken on a flow), is to use the "show service-policy flow" command. In your example, use combinations of:

show service-policy flow tcp any host 192.168.10.10 eq 80

show service-policy flow tcp any host 192.168.10.10 eq 443

and

show service-policy flow tcp any any

and that should give you a good indication of what action is going to be taken on each type of traffic. From there you can change your configuration accordingly until you get what you want.
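To see the ordering point concretely, here is an added example (not Cisco code) that evaluates which classes of the posted policy-map a given flow matches, in policy-map order. The ACLs, class-maps and police rates are the ones from the question; whether a flow is "tunneled" is an assumption carried on the flow record, and which action the appliance finally applies is what "show service-policy flow" on the box reports.

```python
"""Which class-maps of the posted 'policy-map qos' does a flow match, and in what order?"""
import ipaddress
from collections import namedtuple

# Assumption: a flow carries its destination and, for traffic that will enter
# the L2L tunnel, the tunnel-group name it is routed through (None otherwise).
Flow = namedtuple("Flow", "proto dst dport tunnel_group")


def ace(action, proto, dst, dport=None):
    """One access-list entry: action, protocol, destination network, optional port."""
    return {"action": action, "proto": proto,
            "dst": ipaddress.ip_network(dst), "dport": dport}


ACLS = {
    "host-over-l2l-http": [ace("permit", "tcp", "192.168.10.10", 80)],
    "host-over-l2l-https": [ace("permit", "tcp", "192.168.10.10", 443)],
    "host-over-l2l-any": [ace("deny", "tcp", "192.168.10.10", 80),
                          ace("deny", "tcp", "192.168.10.10", 443),
                          ace("permit", "ip", "0.0.0.0/0")],
}

CLASS_MAPS = {
    "l2l-host-specific-80": {"access-list": "host-over-l2l-http"},
    "l2l-host-specific-443": {"access-list": "host-over-l2l-https"},
    "l2l-host-specific-any": {"access-list": "host-over-l2l-any"},
    "l2l-tunnel-grp1": {"tunnel-group": "tunnel-grp1"},
}

# policy-map qos as posted: the aggregate tunnel class comes first (class, police output bps).
POLICY_AS_POSTED = [("l2l-tunnel-grp1", 3500000), ("l2l-host-specific-80", 2000000),
                    ("l2l-host-specific-443", 1000000), ("l2l-host-specific-any", 500000)]
# Same classes with the host-specific ones listed before the tunnel class.
POLICY_SPECIFIC_FIRST = POLICY_AS_POSTED[1:] + POLICY_AS_POSTED[:1]


def acl_permits(acl_name, flow):
    """Entries are tested in order; the first matching entry decides, else implicit deny."""
    for entry in ACLS[acl_name]:
        proto_ok = entry["proto"] == "ip" or entry["proto"] == flow.proto
        port_ok = entry["dport"] is None or entry["dport"] == flow.dport
        if proto_ok and port_ok and ipaddress.ip_address(flow.dst) in entry["dst"]:
            return entry["action"] == "permit"
    return False


def class_matches(class_name, flow):
    crit = CLASS_MAPS[class_name]
    if "access-list" in crit:
        return acl_permits(crit["access-list"], flow)
    return flow.tunnel_group == crit["tunnel-group"]


def matching_classes(policy, flow):
    """[(class, police bps)] for every class the flow matches, in policy-map order."""
    return [(name, rate) for name, rate in policy if class_matches(name, flow)]


def first_class(policy, flow):
    """The class listed first among the matches (None if the flow matches no class)."""
    matches = matching_classes(policy, flow)
    return matches[0] if matches else None


if __name__ == "__main__":
    http_to_host = Flow("tcp", "192.168.10.10", 80, "tunnel-grp1")
    for label, policy in (("as posted", POLICY_AS_POSTED), ("specific first", POLICY_SPECIFIC_FIRST)):
        print(label, matching_classes(policy, http_to_host))
```

Note that l2l-host-specific-any, whose ACL ends in "permit ip any any", also matches traffic that never enters the tunnel, so in this model it claims plain internet flows as well.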

dr.f Mon, 03/12/2007 - 05:29

Hi Glenn,

We're on the way to switch from 2621XM hardware to ASA (2x 5510 with 7.2(1)) in HA Active/Passive mode. Now I'm not able to set up an L2L tunnel failover. The failover is working, also the L2L tunnel to a remote ASA (also 5510 with 7.2(1)), but when I initiate a failover the L2L tunnel breaks and doesn't come up on the secondary HA ASA.

On the primary (active) ASA the L2L tunnel works without errors; when the secondary (standby) ASA becomes active I get the following errors:

%ASA-6-713219: IP = xxx.xxx.xxx.xxx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-3-713902: IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!

%ASA-4-713903: IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry .

Maybe you have a tip for me.

TIA,

Dit
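The messages above are in the standard "%ASA-severity-id: text" form that the syslog advice earlier in this thread relies on. The parser below is an added example, not Cisco code: it extracts severity and message ID from each line, picks out the IKE/IPsec messages (the 713xxx range) at warning level or worse, and collects the peer address they name. The sample lines are constructed from the three quoted above plus one ordinary connection message, with the placeholder 198.51.100.7 in place of xxx.xxx.xxx.xxx.

```python
"""Parse ASA syslog lines and pull out the IKE/IPsec problems per peer."""
import re
from collections import Counter

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# The %ASA-level-id tag may be preceded by a timestamp or host prefix, so search, not match.
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
PEER_RE = re.compile(r"\bIP = (?P<peer>[0-9.]+)")

# Constructed sample lines (placeholder peer 198.51.100.7).
SAMPLE_LINES = """\
Mar 12 2007 09:41:03: %ASA-6-713219: IP = 198.51.100.7, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 12 2007 09:41:03: %ASA-3-713902: IP = 198.51.100.7, Removing peer from peer table failed, no match!
Mar 12 2007 09:41:03: %ASA-4-713903: IP = 198.51.100.7, Error: Unable to remove PeerTblEntry .
Mar 12 2007 09:41:05: %ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.0.0.5/1025 (203.0.113.3/1025)
""".splitlines()


def parse_line(line):
    """Return severity, message id, text and the 'IP = x' peer if present; None if not ASA syslog."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    sev = int(m["sev"])
    peer = PEER_RE.search(m["text"])
    return {"severity": sev, "severity_name": SEVERITY_NAMES[sev], "msgid": m["msgid"],
            "text": m["text"], "peer": peer["peer"] if peer else None}


def summarize(lines):
    """Counts by severity and message id, plus the IKE/IPsec (713xxx) messages at warning or worse."""
    parsed = [p for p in map(parse_line, lines) if p]
    vpn_problems = [p for p in parsed if p["msgid"].startswith("713") and p["severity"] <= 4]
    return {"count": len(parsed),
            "by_severity": dict(Counter(p["severity_name"] for p in parsed)),
            "by_id": dict(Counter(p["msgid"] for p in parsed)),
            "vpn_problems": vpn_problems}


def peers_with_problems(lines):
    """Sorted peer addresses that appear in the IKE/IPsec problem messages."""
    return sorted({p["peer"] for p in summarize(lines)["vpn_problems"] if p["peer"]})


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(report["by_severity"])
    for p in report["vpn_problems"]:
        print(p["msgid"], p["peer"], p["text"])
```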

gfullage Mon, 03/12/2007 - 20:09

As much as I hate blindly suggesting code upgrades, get off 7.2(1) and upgrade to the latest release of 7.2, which currently is 7.2(2.13):

http://www.cisco.com/cgi-bin/tablebuild.pl/ASALANRETNI

If you do a "sho cry isa sa" on the standby ASA you should see an MM_STANDBY sa created. Additionally, it's a bit hard to see the problem without your configs, but here are the most common caveats that people don't do:

1. Only supported in single routed mode. Will not run in multi-context and/or transparent firewall mode.

2. "failover key" CLI must be configured because security associations are replicated from active to standby unit through an external connection.

3. Support stateful failover for IPSec, IPSec over NAT-T, IPSec over UDP and IPSec over TCP for Remote Access users.

4. Support stateful failover for IPSec, IPSec over NAT-T for L-2-L users.

5. Certificates and RSA/DSA crypto keys created on active unit will be replicated to standby unit.

7. VPNFO supports all common AAA servers: NT Domain, SDI, Radius, etc.

There's no specific configuration you need to do to enable this other than have VPNs and failover running properly. Check the caveats above and then if you can send a "show tech" off both devices to me at [email protected] and I'll take a look.

mo shea Tue, 03/13/2007 - 01:26

Hello GLENN

I have 3 inquiries regarding our ASA 5520 7.2(2) Setup, which looks like this

Old Setup

Internet <----> MS ISA <------> LAN

ISA external IP 1.1.1.2

New Setup

Internet <----> ASA<-----> MS ISA <------> LAN

ISA external IP 10.11.10.250/30

ASA Internal IP 10.11.10.249/30

ASA external IP 1.1.1.2

Here ISA acts as a VPN Server for XP clients (L2TP over IPsec) as well as publishing secure email services for MS Exchange (also located behind ISA). The ASA was introduced to the network recently, making the ISA server (previously present) a secondary FW.

Configuration summary is attached

My Questions are

1- Our ISP supplies us a range of public IPs, e.g. 1.1.1.1/224 to 1.1.1.31/224. Whenever I assign any IP on the Outside interface other than 1.1.1.2 (the old IP of the ISA Server before the ASA was deployed) no traffic exits the firewall; it seems like NAT doesn't work. I checked with my ISP, who confirmed that the address block is valid. The ISP DNS MX records point to 1.1.1.2 for SMTP traffic.

Is there something that I am missing in the config?

With the Outside set as 1.1.1.2, HTTP traffic can pass as well as outbound SMTP traffic, but not incoming SMTP traffic. Again I found a workaround by changing the static NAT statement from

static (inside,Outside) 1.1.1.2 10.11.10.250 netmask 255.255.255.255

To

static (inside,Outside) interface 10.11.10.250 netmask 255.255.255.255

Is there an explanation for this behaviour?

2- I am trying to have Cisco VPN Client 4.6 establish an IPsec connection to the ASA over the internet in order to manage it. I do not need internal access to the LAN. Up till now I get a connection timeout from the client. I have successfully configured XP L2TP/IPsec clients to connect to their ISA VPN Server by allowing isakmp and udp 4500 in the access list.

If I enable ISAKMP NAT traversal to solve the Cisco VPN Client issues, the XP clients cannot connect at all, and the Cisco VPN Client does not connect either. I use IPsec/UDP for the client.

Any thoughts about this?

3- (last question)

This morning all Internet communications were down for no reason; the issue was resolved by rebooting the firewall. Is there any related bug in the current ASA IOS 7.2(2)?

Thanks for Your time & Effort

Tommy

gfullage Tue, 03/13/2007 - 17:52

1. You should always use the keyword "interface" in a static rather than the interface's IP address. There was a bug on this a while back and I believe they were going to change the documentation to mention that the keyword should always be used, cannot for the life of me find that bug right now. In short though, it's expected behaviour so always use the "interface" keyword where necessary. As to why you can't use any address other than 1.1.1.2 on the outside int is a little weird. Are you sure the outside router (the device the PIX connects to) doesn't have a static route to only 1.1.1.2 or ARP turned off or something odd like that?

2. Your problem here is this:

static (inside,Outside) interface 10.11.10.250 netmask 255.255.255.255

Any packets that hit the Outside IP address are going to be sent internally to 10.11.10.250. When you try and VPN into this device, I presume you are VPN'ing into 1.1.1.2, so all those packets are not being processed by the PIX at all, which is why you're seeing the timeout. Are you doing this just for management access? If not why not just setup SSH, that's a LOT easier.

3. Don't know of any in particular. Did you get any syslogs while the issue was occurring? The best way to troubleshoot what's going on on the firewall is to use the syslog output. You don't have any syslogging set up by the looks of it, but if you continue to see this problem then checking out the syslog messages will be your best bet to figure it out.

mo shea Wed, 03/14/2007 - 11:22

Thanks Glenn for your response.

1- As for the use of the keyword "interface" in a static NAT statement, I guess this is only when there is 1 public IP used for NAT. But in the case where several web servers and email gateways each require a static translation to unique public IPs per server, it is not possible to use the "interface" keyword.

Isn't that the case?

2- For the VPN client configuration I wish you could give me more details how to edit my config in order to get the VPN tunnel to work. I have configured SSH but I want to enable VPN too.

Thanks again

gfullage Wed, 03/14/2007 - 19:48

1. If the static is referencing a public IP address that is not the same as the one assigned to the outside interface then certainly you need to define that particular IP address in the static command. The "interface" keyword simply uses the IP address that is assigned to the interface specified in the same static command.

2. The only way you can do that is to remove the static that I mentioned before, or change your outside IP address to something else. For example, you currently have everything coming to the outside IP address of the firewall being sent inside to 10.11.10.250. Rather than have to change all your L2TP/IPSec clients, and all your DNS entries to NOT point to 1.1.1.2 anymore, do this:

interface GigabitEthernet0/3

  nameif Outside

  ip address 1.1.1.3 255.255.255.224

static (inside,Outside) 1.1.1.2 10.11.10.250 netmask 255.255.255.255

That way all traffic coming in for 1.1.1.2 will still be sent to 10.11.10.250. Your new VPN client will be configured to connect to 1.1.1.3 which is your outside IP address, and since this has NO static defined it all should work fine.

Of course your first post said you can't use anything other than 1.1.1.2 as the Outside interface address, so you'll have to fix that before you do this.

mo shea Tue, 03/20/2007 - 09:45

Hi Glenn...

It seems our ISP has to resolve some routing issue relating to our public block. I couldn't run SSH on the same interface since, as you explained, it NATs it to the ISA server...

Let's see what will happen tomorrow..

Thanks

binoyjosephstanly Tue, 03/13/2007 - 22:43

hello

I'm facing a problem with my ASA 5510. I've an anti-spam module installed on it and I configured the HTTP and SMTP traffic through this anti-spam module; I followed the procedure given by Cisco to configure the HTTP and SMTP traffic.

But after that I'm not able to access the ASDM; it comes to 90% and it hangs.

And I'm getting a lot of spam mails also.

Now it's more than 10 days. Can you suggest any solution for this? The OS is 7.1; is it necessary to upgrade to 7.2 or something? I'm in trouble now; I will appreciate the posts from your side.

Thanks & Regards

Binoy

gfullage Wed, 03/14/2007 - 17:54

Sounds like you're hitting bug:

CSCse74111: ASDM hangs if CSC domain email entry is not found.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse74111&Submit=Search

ASDM will hang at 90% if you don't have the mail domain defined on your CSC module. There's no software fix for it basically because the fix is easy, just define a mail domain. You can do this via the CLI (after sessioning into it from the ASA) or by going natively into the module at https://:8443

Hope that helps.

jmprats Tue, 03/13/2007 - 04:20

Hi Glenn,

In PIX 515E with 2 different Internet lines (ADSL) connected to different interfaces, how can I establish different routes based on the local IP?

I want to use one DSL line depending on the local IP that creates the connection.

Thanks

gfullage Tue, 03/13/2007 - 18:07

Different routes based on local IP is a little difficult, cause what you're really asking for is policy-based routing, which the PIX/ASA doesn't do.

You can set up the two ISP links as a backup to one another as such:

http://www.cisco.com/warp/public/110/pix-dual-isp.html

Or if you set up two default static routes then the ASA will by default load share across them, which means you'd want something like:

nat (inside) 1 0 0

global (outside1) 1 interface

global (outside2) 1 interface

But this isn't what you want, inside traffic will simply be load-shared across the two interfaces.

jmprats Wed, 03/14/2007 - 01:32

Thanks

I think it could be good for a new PIX version.

If you have two different internet lines (SDSL and ADSL, for example), it is normal that you want internet browsing to go out over the ADSL line and your web server over the symmetric DSL, for example.

huynhkhay Wed, 03/21/2007 - 09:14

Hi Glenn

Sorry to return back to a former post but I want to be sure of that:

Can the ASA make load balancing between two ISPs?

Your post seems to indicate "yes":

"Different routes based on local IP is a little difficult, cause what you're really asking for is policy-based routing, which the PIX/ASA doesn't do.

You can set up the two ISP links as a backup to one another as such:

http://www.cisco.com/warp/public/110/pix-dual-isp.html

Or if you set up two default static routes then the ASA will by default load share across them, which means you'd want something like:

nat (inside) 1 0 0

global (outside1) 1 interface

global (outside2) 1 interface

But this isn't what you want, inside traffic will simply be load-shared across the two interfaces. "

If I set up two default gateway on each outside interface, and if I set up that:

nat (inside) 1 0 0

global (outside1) 1 interface

global (outside2) 1 interface

will the ASA make load balancing between the two ISPs?

Thank you for your response!

gfullage Wed, 03/21/2007 - 17:34

Thanks for coming back to this, cause I just realised that what I said previously was wrong, my apologies for any confusion caused.

The PIX/ASA will NOT load-share across two routes over DIFFERENT interfaces, so forget that. In fact the ASA won't even let you define the same route out two different interfaces and will give you an error.

It will load-share across equal-cost routes out the SAME interface though, up to 3 routes can be defined.

Again, my apologies, not sure what I was thinking when I answered that previous question. Probably hadn't had my morning coffee at that stage.

agustinmar Tue, 03/13/2007 - 06:04

Hello Glenn, I have installed a FWSM 2.3(4), PIX 6 similar, and when I change a policy for example and I intend to save the config, the PDM shows this error:

"PDM received an error when one or more of the commands below were sent to the FWSM."

Could you help me please?

Thank you and sorry for my bad English.

Regards

gfullage Tue, 03/13/2007 - 19:29

Does it say what command(s) failed? It should give an ERR or OK next to the commands if I remember correctly. Please post the entire error message and that will give me more information to go on, plus a detailed description of exactly what steps you take to produce this error.

Your English is fine, don't worry about that.

agustinmar Wed, 03/14/2007 - 01:27

Hello Glenn, thank you for all.

I comment to you the problem exactly:

I have two Catalyst 6500 with FWSM each one (the Catalyst have more cards, but I think that these aren't important in this case). The FWSMs are working in failover mode. I had a problem with FWSMs and Oracle servers and a collegue yours said to me that I updated the version. I updated the version from 2.3(1) to 2.3(4). Since I updated the version the error takes place. The error always takes place when I change anything. Moreover, I think that the config isn't saved to the standby FWSM. The error always is the same, it is a window error that it shows the follow:

"PDM received an error when one or more of the commands below were sent to the FWSM."

If you want the configs or anything else, just ask for it.

Could you help me please?

Thank you for all.

Regards

gfullage Wed, 03/14/2007 - 18:17

Did you upgrade PDM to 4.1(4) at the same time? I would strongly suggest this if you're still running 4.1(1).

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm

Other than that, are you saying there are no other messages indicating what commands failed? And you get this error every time you try and submit a command? Any command? That sounds like PDM is just completely messed up, so hopefully the upgrade will fix it. Other than that I'd make sure you're running a compatible Java version and browser version. The release notes indicating compatibilities are here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_41/rel_nts/index.htm

agustinmar Fri, 03/16/2007 - 02:26

Thank you very much for your answer.

I have updated the PDM version but the problem persists.

The error is produced when I execute "Save" from PDM, that is, "wr mem". Please, could you help me?

Thank you for all.

Regards

rakeshyadav Tue, 03/13/2007 - 07:30

hi,

I want to connect an 1812 Cisco router to a PDO Server without bypassing the firewall. Is it possible, and if yes, how?

gfullage Tue, 03/13/2007 - 17:04

I'm sorry, but I honestly have no idea what you're talking about. What's a PDO server, where is the firewall, how are you bypassing it, what is the setup. I need much more information on your setup and what you're trying to do before I can begin to answer your question.

johnpapad Tue, 03/13/2007 - 08:58

I have a client with a PIX 506e. He is looking to switch ISP vendors. I wanted to run both vendors in parallel on the PIX 506e. Can I change the configuration so that both vendors can process traffic through the PIX? The basic idea was to test the configuration before we drop the older vendor. The idea was to get both routers from the vendors, place them on a switch, then connect the PIX to the switch, and of course change the config on the PIX to accommodate both segments for testing and validation ... then drop the old vendor if all is well.

acomiskey Tue, 03/13/2007 - 09:07

Hi Glenn,

Will there be any improvement to the vpn-filter feature in 8.0? Or will the current implementation at least be more stable? thanks.

gfullage Tue, 03/13/2007 - 17:25

I didn't see any reference to any changes in the vpn-filter implementation in 8.0. What is the problem you're having with it? What code are you currently running? What sort of setup are you using it in (remote client VPNs, L2L, etc.)?

The big issue everyone had with this command was exactly how to use it properly. There was a bug opened recently to document it better, the docs should say something like the following shortly (if they don't already):

----------------------------------------

Note: A vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an interface access-group.

When a vpn-filter is applied to a group-policy that governs Remote Access VPN client connections, the ACL should be configured with the client assigned IP addresses in the src_ip position of the ACL and the local network in the dest_ip position of the ACL. When a vpn-filter is applied to a group-policy that governs a LAN to LAN VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL. Caution should be exercised when constructing the ACLs for use with the vpn-filter feature. The ACLs are constructed with the post-decrypted traffic in mind; however, they are also applied to the traffic in the opposite direction. For this pre-encrypted traffic that is destined for the tunnel, the ACLs are constructed with the src_ip and dest_ip positions swapped.

Example 1. Using a vpn-filter with a Remote Access VPN client. Assume that the client assigned IP address is 10.10.10.1/24 and the local network is 192.168.1.0/24. The following ACE will allow the Remote Access VPN client to telnet to the local network:

access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23

The following ACE will allow the local network to telnet to the Remote Access client:

access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 eq 23 192.168.1.0 255.255.255.0

Note: The ACE

access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23

will allow the local network to initiate a connection to the Remote Access client on any TCP port if it uses a source port of 23. The ACE

access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 eq 23 192.168.1.0 255.255.255.0

will allow the Remote Access client to initiate a connection to the local network on any TCP port if it uses a source port of 23.

Example 2. Using a vpn-filter with a LAN to LAN VPN connection. Assume that the remote network is 10.0.0.0/24 and the local network is 192.168.1.0/24. The following ACE will allow remote network to telnet to the local network:

access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23

The following ACE will allow the local network to telnet to the remote network:

access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0

Note: The ACE

access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23

will allow the local network to initiate a connection to the remote network on any TCP port if it uses a source port of 23. The ACE

access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0

will allow the remote network to initiate a connection to the local network on any TCP port if it uses a source port of 23.

----------------------------------------
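The "both directions" rule in the note above is the part people get wrong, so here is a small Python model of it. This is an added example written for this page, not Cisco's code or anything from Glenn's post: it parses ACEs in the shorthand the note uses (subnet masks, optional "eq PORT"), matches post-decrypted traffic against the ACE as written, and matches pre-encrypted traffic with the packet's source and destination compared to the ACE's dest_ip and src_ip positions. The local host 192.168.1.10 and the ephemeral/445 ports are constructed values, and only connection initiation is modelled; the real firewall is stateful and passes return traffic of an established flow without consulting the filter again.

```python
"""Model of how an ASA/PIX vpn-filter ACL is evaluated in both directions.

Added example; not from Cisco's documentation or the post above. Only
connection *initiation* is modelled (the real firewall is stateful).
Host and port values other than the note's 10.10.10.1 / 192.168.1.0/24
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    src_port: Optional[int]   # None means any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _net(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    # PIX/ASA access-lists take a real subnet mask (255.255.255.255 = host),
    # not an IOS-style wildcard mask.
    return ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse an ACE in the shorthand the note uses:
    access-list NAME permit [tcp] SRC SRCMASK [eq PORT] DST DSTMASK [eq PORT]
    """
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError(f"unsupported ACE: {line!r}")
    i = 3
    if tok[i] in ("tcp", "udp", "ip"):   # tolerate an explicit protocol keyword
        i += 1
    src, i = _net(tok, i)
    src_port, i = _port(tok, i)
    dst, i = _net(tok, i)
    dst_port, i = _port(tok, i)
    return Ace(src, src_port, dst, dst_port)


def ace_matches(ace: Ace, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
    return (ipaddress.IPv4Address(src_ip) in ace.src
            and ipaddress.IPv4Address(dst_ip) in ace.dst
            and (ace.src_port is None or ace.src_port == src_port)
            and (ace.dst_port is None or ace.dst_port == dst_port))


def vpn_filter_permits(aces: List[Ace], src_ip: str, src_port: int,
                       dst_ip: str, dst_port: int, direction: str) -> bool:
    """direction is 'inbound' (post-decrypt: packet leaving the tunnel toward
    the local network) or 'outbound' (pre-encrypt: packet about to enter it)."""
    if direction == "inbound":
        flow = (src_ip, src_port, dst_ip, dst_port)
    elif direction == "outbound":
        # Same ACL, but the packet's destination is compared against the
        # ACE's src_ip position and its source against the dest_ip position.
        flow = (dst_ip, dst_port, src_ip, src_port)
    else:
        raise ValueError(direction)
    # Only permit ACEs are parsed, so "no match" is the implicit deny.
    return any(ace_matches(a, *flow) for a in aces)


CLIENT = "10.10.10.1"        # RA client's assigned address (from the note)
LOCAL_HOST = "192.168.1.10"  # constructed host on the 192.168.1.0/24 local net


def demo() -> dict:
    """Evaluate the note's first RA ACE against four constructed connections."""
    filt = [parse_ace("access-list vpnfilt-ra permit 10.10.10.1 255.255.255.255 "
                      "192.168.1.0 255.255.255.0 eq 23")]
    return {
        "client -> local:23 (telnet, intended)":
            vpn_filter_permits(filt, CLIENT, 40000, LOCAL_HOST, 23, "inbound"),
        "client -> local:445 (denied)":
            vpn_filter_permits(filt, CLIENT, 40000, LOCAL_HOST, 445, "inbound"),
        "local -> client:23 (not permitted by this ACE)":
            vpn_filter_permits(filt, LOCAL_HOST, 40000, CLIENT, 23, "outbound"),
        "local, src port 23 -> client:445 (the side effect the note warns about)":
            vpn_filter_permits(filt, LOCAL_HOST, 23, CLIENT, 445, "outbound"),
    }


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{'PERMIT' if permitted else 'DENY  '}  {case}")
```

The fourth case is the one to remember: an ACE that looks like "client may telnet to the local network" also lets any local host reach any port on the client, as long as the local host sends from source port 23. Anyone who can bind a low port on the local side (root on a Unix box, an admin on Windows) can therefore reach the client's open services through the tunnel, which is why the note tells you to write ACEs for both directions deliberately rather than rely on the swap.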
