ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Nov 14th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot Cisco Adaptive Security Appliances (ASA) with Cisco expert Srinivas Mallu. Srinivas is a senior customer support engineer in high touch technical support (HTTS) within the technical assistance center (TAC). He has a double CCIE in routing & switching and security (CCIE# 8914). Srinivas has been in TAC for the past eight years supporting security related products such as PIX, ASA, FWSM, security on IOS, IPSec, ACS and IDS. He also trains people on his team on security technologies.


Remember to use the rating system to let Srinivas know if you have received an adequate response.


Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 21, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

John Blakley Fri, 11/14/2008 - 12:30

I've noticed on some ASAs that I've worked on that they don't use a global statement:


global (outside) 1 interface


They do have nat statements:


nat (inside) 0 access-list-name


Does this effectively disable natting, and would this be the recommended way of setting an internal firewall that doesn't have public IPs?


Thanks!

John

Jon Marshall Fri, 11/14/2008 - 15:09

John


Yes it does disable NAT for anything that matches in the access-list. You don't need a global because the nat (interface) 0 is a special nat instance meaning leave as is.


It depends on what you mean by an internal firewall. If you mean one used completely internally to the company, i.e. no internet access, then yes, you could use this and it would make sure that any clients on the inside interface of the firewall wouldn't be NATed as they initiate connections through the firewall.


Jon

smallu Fri, 11/14/2008 - 15:26

Good answer Jon!!

smallu Fri, 11/14/2008 - 15:19

John,


The global (outside) command defines a NAT pool that internal hosts use when going out to the Internet. This command is not necessary when you are explicitly exempting traffic from NAT using the nat (inside) 0 command. Its presence does not make a difference.


It's up to the user's discretion whether to use that command or not. As a general recommendation, we suggest you not configure it when you don't have NAT configured.


The nat (inside) 0 command effectively disables any NATing from inside to outside for the traffic that matches the ACL. This is the recommended way of configuring no NAT.


Hope this helps! Let me know if you have any questions.


Thanks,

Srinivas.


John Blakley Fri, 11/14/2008 - 18:25

My next question is:


We had a discussion the other day about the direction of static nat and how the private network statement works:


static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0


This says to have the inside present itself as 192.168.0.0 to the dmz network.


But why would I have:


static (inside,inside) 192.168.1.2 10.20.1.5 netmask 255.255.255.255


Where would this traffic be going exactly?


Thanks!

John

smallu Mon, 11/17/2008 - 11:20

John,


Great question. By default, the ASA does not redirect traffic out the same interface the way a router does. Normally, the traffic either goes through the firewall or gets dropped.


The static command, which creates a conduit between same-security interfaces, allows the ASA to redirect traffic out the same interface.

However, for this hairpinning feature to be enabled, you also need the global command:


same-security-traffic permit intra-interface


The first command NATs any traffic on the DMZ destined for 192.168.x.x to the inside interface.


With the second command, the firewall NATs any traffic that it receives on the inside interface destined to 192.168.1.2 out the same interface to the 10.20.1.5 server.


Here is a good reference for this feature;

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2


Hope this helps!


Thanks,

Srinivas.

ajinc Sat, 11/15/2008 - 04:03

I have a 2801 router in one of my corporate offices, on which I have configured NBAR with MQC. I need to block peer-to-peer applications like BitTorrent.


But the router is not able to block BitTorrent traffic; other peer-to-peer applications it can block. The BitTorrent version is 6.1.2 and the IOS version is 12.4(11)T4.

xxxx#sh policy-map int fa 0/0

 Service-policy output: Block_P2P

    Class-map: Block_P2P (match-any)
      46481 packets, 5112152 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol fasttrack
        1120 packets, 73977 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        22098 packets, 2576056 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        1856 packets, 193880 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop

smallu Mon, 11/17/2008 - 12:10

Hi There,


This forum is for ASA Questions. However, let me take a stab at this and answer your question to the best of my knowledge.


BT supports the TCP and HTTP protocols. BT uses TCP ports 6881 to 6889 to log in, search and download files.


If TCP ports 6881 to 6889 are all blocked, then BT will use HTTP port 80 to download files.


If you block TCP port 80, you may be blocking some essential traffic. Because BT can communicate via HTTP and can switch ports automatically, you cannot block it only by disabling the ports in the firewall. And since BT has no central server, it also cannot be blocked by blocking a server IP address. So the only way is to use professional tools to block BitTorrent.


Hope this helps!


Thanks,

Srinivas.
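
The answer above makes the point that port-based blocking does not catch BitTorrent because the client moves to port 80. The following is an added example (not from the thread or from Cisco) of what a payload-based classifier such as NBAR actually has to look for: the plaintext peer-wire handshake, which is the same on any port. The packet contents, info_hash and peer_id are constructed test data, and the last flow is a constructed stand-in for an obfuscated (MSE/PE) stream, which carries no plaintext signature and is one reason a protocol match can show 0 packets even while the client is transferring.

```python
BT_PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20   # pstrlen + pstr + reserved + info_hash + peer_id = 68


def parse_bt_handshake(payload):
    """Parse a plaintext BitTorrent peer-wire handshake.

    Returns a dict with info_hash, peer_id and two reserved-bit flags, or None
    when the bytes do not start with a handshake."""
    if len(payload) < HANDSHAKE_LEN:
        return None
    if payload[0] != len(BT_PSTR) or payload[1:1 + len(BT_PSTR)] != BT_PSTR:
        return None
    reserved = payload[20:28]
    return {
        "info_hash": payload[28:48].hex(),
        "peer_id": payload[48:68],
        "dht": bool(reserved[7] & 0x01),          # BEP 5: peer supports DHT
        "extensions": bool(reserved[5] & 0x10),   # BEP 10: extension protocol
    }


def classify(dport, payload):
    """Classify the first client bytes of a TCP flow. The port is deliberately
    ignored: the signature is what identifies the protocol."""
    if parse_bt_handshake(payload) is not None:
        return "bittorrent"
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http"
    return "unknown"


def make_handshake(info_hash, peer_id, reserved=bytes(8)):
    """Build a handshake from its fields (used here only to construct test data)."""
    assert len(info_hash) == 20 and len(peer_id) == 20 and len(reserved) == 8
    return bytes([len(BT_PSTR)]) + BT_PSTR + reserved + info_hash + peer_id


# Constructed sample flows: (destination port, first bytes of client payload)
INFO_HASH = bytes(range(20))
PEER_ID = b"-BT6120-" + b"0" * 12
OBFUSCATED = bytes((i * 37 + 11) % 256 for i in range(68))   # stand-in for an MSE stream
SAMPLE_FLOWS = [
    (6881, make_handshake(INFO_HASH, PEER_ID, b"\x00\x00\x00\x00\x00\x10\x00\x01")),
    (80, make_handshake(INFO_HASH, PEER_ID)),    # same client after 6881-6889 were blocked
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, OBFUSCATED),
]


def classify_all(flows):
    """Return one verdict per flow, in order."""
    return [classify(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for (port, _), verdict in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(f"dport {port:5d} -> {verdict}")
```

The second flow is the interesting one: the handshake on port 80 is classified exactly like the one on 6881, which is why a payload signature beats a port list. The fourth flow shows the limit of the approach: with the peer-wire stream obfuscated there is nothing to match, and a policy that relies on the signature alone silently passes it.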

Hi Srinivas.

I need to limit the access to a web server at specific hours, using an ASA with software version 7.1.

I believe I can use a service policy like this:


time-range limited-hours

periodic weekdays 13:00 to 15:00



access-list acl-web-server permit tcp host proxy1 host web-server eq http time-range limited-hours

access-list acl-web-server permit tcp host proxy2 host web-server eq http time-range limited-hours



class-map class-map-web-server

 description traffic to and from web-server

 match access-list acl-web-server

policy-map policy-web-server

 description rate limit web-server (bits per second)

 class class-map-web-server

  police output 1000000 37500

service-policy policy-web-server interface outside


What do you think about this?

Many thanks for your help.

Regards.

Andrea.

smallu Mon, 11/17/2008 - 12:16

Andrea,


The configuration you put up here is all you need.


Alternatively, you can also apply the ACL with an access-group to whichever interface you are going to see the traffic on that you want to apply this rule to, instead of defining it using a global policy.


Hope this helps!


Thanks,

Srinivas.
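
The two options in the answer above behave differently outside the time window, and that is worth seeing concretely. With "match access-list" in a class-map, an ACE whose time-range is inactive simply does not select the traffic, so the flow is not policed at all; with the same ACL applied by access-group, the inactive ACE is skipped and the flow falls through to the implicit deny. The following is an added example (not from the thread or from Cisco) that models both evaluations; the addresses stand in for proxy1, proxy2 and web-server, only the single-day "periodic <days> HH:MM to HH:MM" form is parsed, and treating the end minute as still active is an assumption.

```python
from datetime import datetime, time

DAY_SETS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}
DAY_NAMES = {d: i for i, d in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}


def parse_periodic(spec):
    """Parse 'periodic <day keywords...> HH:MM to HH:MM' into (days, start, end)."""
    tok = spec.split()
    if len(tok) < 5 or tok[0] != "periodic" or tok[-2] != "to":
        raise ValueError("unsupported time-range syntax: " + spec)
    days = set()
    for t in tok[1:-3]:
        days |= DAY_SETS[t] if t in DAY_SETS else {DAY_NAMES[t]}
    return days, time.fromisoformat(tok[-3]), time.fromisoformat(tok[-1])


def time_range_active(spec, when):
    """True while the periodic window is active at datetime 'when'."""
    days, start, end = parse_periodic(spec)
    # Assumption: the end minute itself still counts as inside the window.
    return when.weekday() in days and start <= when.time() <= end


def acl_lookup(aces, flow, when):
    """Evaluate an ACL top-down for flow = (src, dst, dport).

    An ACE with an inactive time-range is skipped as if it were not there,
    so outside the window the lookup ends at the implicit deny."""
    for ace in aces:
        tr = ace.get("time_range")
        if tr and not time_range_active(tr, when):
            continue
        if (ace["src"], ace["dst"], ace["dport"]) == flow:
            return ace["action"]
    return "deny"


def policed_by_service_policy(aces, flow, when):
    """Class-map 'match access-list' semantics: the ACL only selects traffic
    for the policer, so 'no match' means the flow passes without policing."""
    return acl_lookup(aces, flow, when) == "permit"


# Constructed equivalent of the posted ACL, names replaced by sample addresses
LIMITED = "periodic weekdays 13:00 to 15:00"
ACL_WEB_SERVER = [
    {"action": "permit", "src": "10.0.0.11", "dst": "10.0.1.80", "dport": 80, "time_range": LIMITED},
    {"action": "permit", "src": "10.0.0.12", "dst": "10.0.1.80", "dport": 80, "time_range": LIMITED},
]
PROXY1_FLOW = ("10.0.0.11", "10.0.1.80", 80)


if __name__ == "__main__":
    for when in (datetime(2008, 11, 17, 14, 0), datetime(2008, 11, 17, 16, 0)):
        print(when, "access-group:", acl_lookup(ACL_WEB_SERVER, PROXY1_FLOW, when),
              "policed:", policed_by_service_policy(ACL_WEB_SERVER, PROXY1_FLOW, when))
```

Run it and the Monday 16:00 case shows the difference: the access-group evaluation denies the flow, while the service-policy evaluation reports it as not policed, i.e. the proxies reach the web server at full rate outside the window. Which of those is the intended behaviour is the question to settle before choosing between the two.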

sarikareddy Sun, 11/16/2008 - 11:13

hello there,

I would like to know if we could ping from the headend devices (which would be ASA boxes) in a site-to-site VPN to the private devices behind the peer. I mean from the ASA to the private network behind the other ASA.


Thanks in advance.

sarika

smallu Mon, 11/17/2008 - 12:28

Hi Sarika,


Great question! If this was a router, I would say probably yes, by using policy routing.


However, this is not possible with an ASA by design.


Hope this answers your question.


Thanks,

Srinivas.

John Blakley Mon, 11/17/2008 - 12:40

Srinivas,


It should be possible to ping devices on the other end of a tunnel that's terminated between two ASAs. They just need to disable NAT for the networks that are allowed to cross the tunnel. As for being able to ping the inside interface of the ASA from the opposite side, that can't be done.


--John

smallu Mon, 11/17/2008 - 13:08

Yes. This is possible. It requires some adjustment in the config. You have to have the Outside IP of the ASA included in the interesting ACL. Also, requires some tweaks in the routing.

acomiskey Mon, 11/17/2008 - 12:48

Srinivas,


I believe this is possible. All you need to do is include the outside ip of the ASA in the interesting traffic crypto acl for the tunnel. I do this all day long for syslogging from ASA over vpn tunnel to a local syslog server.

smallu Mon, 11/17/2008 - 13:06

Yes. You're correct! I just tested this.

smallu Mon, 11/17/2008 - 13:11

I have things mixed up here. I was thinking along the lines of inside interface ip address and of the remote ASA.


This can be done, and here is what it takes;


* Include the outside ip address of the ASA in the interesting ACL.

* NAT the private traffic to the outside IP address of the ASA

* Have routing setup in such a way that, when you initiate a ping, it knows which interface it needs to go out of.


Hope this helps!


Thanks,

Srinivas.

Hi Srinivas,


I'd like to draw your attention to a bug related to the ASA->SSM communication.


Scenario: NAT is configured on the ASA between the inside and outside interfaces. IPS policy is applied to the outside interface or globally.


BUG details: for ICMP attacks (such as 2150), passing from the inside to the outside, the alert contains public (NATed) IP address as the Src IP, which is not correct. For TCP (such as 5081) the alert contains private IP address as the Src IP, which is correct.


Note: this may depend on signature engine, not the protocol (ICMP/TCP, etc.)


This probably happens because ASA doesn't pass pre-NAT packet IP header to the SSM along with the actual data packet. The data packet itself always contains post-NAT IP header (i.e. public IP address).


In brief (global policy):


TCP   in->out   ACL: priv   Alert: priv

ICMP  in->out   ACL: priv   Alert: pub


Also, the fact that the SSM log (log-pair-packets) contains the pre-NAT (private) IP address for packets going outside->inside and the post-NAT (public) IP address for packets going inside->outside is a little bit misleading too.


This has been tested on 8.0.4. Does this bug have BugID assigned?



new_networker Mon, 11/17/2008 - 09:25

Hi Srinivas,


Could you please state the difference between the ASA Firewall Edition and the ASA VPN Edition?


Thanks

smallu Mon, 11/17/2008 - 13:32

Hi There,


The main difference between the two editions is in the feature bundles they come with. However, the functionality is the same.


The firewall edition supports only 2 concurrent SSL VPN Peers. The VPN edition supports anywhere from 25-10,000 concurrent SSL VPN Sessions, based on the hardware.


Here is the Firewall edition Overview;

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8048dba8.html


VPN Edition Overview;

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html


Hope this helps!


Thanks,

Srinivas.

elecorbalan Wed, 11/19/2008 - 13:39

Hi,

I need to configure a DHCP server to hand out IP addresses to the hosts connected by VPN. The DHCP server is a different device from the ASA. How can I manage this?

mlenco Fri, 11/21/2008 - 07:33

Srinivas

I need clarification on configuring WCCPv2 on an ASA.

The ASA 8.1 configuration guide states.

"WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive

security appliance supports is when client and cache engine are behind the same interface of the adaptive

security appliance and the cache engine can directly communicate with the client without going through

the adaptive security appliance."


Do we need to have a switch hanging off an ASA interface (INSIDE) with the web cache device and host PCs terminating on that switch? If that is the case then I perceive traffic going into the INSIDE interface needs to be redirected to another interface as traffic leaving the INSIDE LAN cannot return on the same interface.


smallu Fri, 11/21/2008 - 11:33

Hi There,


Your assessment is correct on this. However, just to clarify, hairpinning is supported on the ASA. What that means is, you can redirect traffic out the same interface by


1) enabling hairpinning. Here is a good reference:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114


2) and configuring a static (inside,inside) which maps to the same interface.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2



Hope this helps!


Thanks,

Srinivas.


smallu Mon, 11/17/2008 - 12:36

Hi There,


Thanks for bringing this to our attention. I don't see a bug filed for this issue.


However, I would recommend that you open a TAC case, so that the BU is engaged and they work on fixing this issue. It helps us track the bugs.


Thanks,

Srinivas.

John Blakley Mon, 11/17/2008 - 13:49

Is there a way that I can log IP address assignments from a VPN local pool on the ASA to a syslog server? Currently I'm logging notifications to my syslog, but these type of messages don't get logged. If I do a sh vpn-sessiondb detail remote, I can see what address the user was assigned.


I do authenticate to a RADIUS server, so if I enabled accounting, would there be an AV pair that I would need to send back to the ASA?



Thanks!

John

smallu Mon, 11/17/2008 - 17:07

John,


You should be able to log the IP address assignment to clients. To be able to log this, you have to set the logging level to informational (level 6).


This is the syntax for this syslog message;

%ASA-6-737026: IPAA: Client assigned ip-address from local pool


When using RADIUS server, you should have the cisco av-pair, "framed-ip-address", that you'd need to send back to the ASA.



Hope this helps!


Thanks,

Srinivas.
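
To make the answer above usable on the syslog side, here is an added example (not from the thread or from Cisco) that checks whether a configured trap level would forward the 737026 message at all, and then pulls the assigned addresses out of a log. The sample lines are constructed in the format the ASA uses with timestamps enabled; the username is taken from the preceding 113004 AAA success message, which is a heuristic (737026 itself carries no user), and a production correlator should key on whatever session identifier the platform logs.

```python
import re
from datetime import datetime

# Constructed sample log (not from the thread). 737026 is the message quoted
# in the answer; 113004 is the AAA success message used to attach a username.
SAMPLE_LOG = """\
Nov 17 2008 13:01:02 asa1 : %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = jblakley
Nov 17 2008 13:01:03 asa1 : %ASA-6-737026: IPAA: Client assigned 10.20.30.7 from local pool
Nov 17 2008 13:01:03 asa1 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/51234 (198.51.100.9/51234) to inside:10.0.0.2/22 (10.0.0.2/22)
Nov 17 2008 13:05:44 asa1 : %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = andrea
Nov 17 2008 13:05:45 asa1 : %ASA-6-737026: IPAA: Client assigned 10.20.30.8 from local pool
Nov 17 2008 13:06:00 asa1 : %ASA-6-737026: IPAA: Client assigned 10.20.30.9 from local pool
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
SEV_RE = re.compile(r"%ASA-(\d)-(\d{6}):")
ASSIGN_RE = re.compile(r"%ASA-6-737026: IPAA: Client assigned (\d+\.\d+\.\d+\.\d+) from local pool")
AUTH_RE = re.compile(r"%ASA-6-113004: .*?user = (\S+)")


def severity(line):
    """Return (severity, message_id) from the %ASA-s-nnnnnn tag, or None."""
    m = SEV_RE.search(line)
    return (int(m.group(1)), m.group(2)) if m else None


def would_be_sent(line, configured_level):
    """True if a syslog destination configured at configured_level (0-7) gets this line.

    The ASA forwards messages whose severity is <= the configured level, so the
    level-6 737026 message needs at least 'logging trap informational'."""
    sev = severity(line)
    return sev is not None and sev[0] <= configured_level


def extract_assignments(lines):
    """Collect each local-pool assignment as {time, ip, user}, in log order.

    Heuristic: the most recent unconsumed 113004 success supplies the user for
    the next 737026; a 737026 with no pending success gets user=None."""
    pending_user = None
    out = []
    for line in lines:
        ts = TS_RE.match(line)
        when = datetime.strptime(ts.group(1), "%b %d %Y %H:%M:%S") if ts else None
        m = AUTH_RE.search(line)
        if m:
            pending_user = m.group(1)
            continue
        m = ASSIGN_RE.search(line)
        if m:
            out.append({"time": when, "ip": m.group(1), "user": pending_user})
            pending_user = None
    return out


if __name__ == "__main__":
    for row in extract_assignments(SAMPLE_LOG.splitlines()):
        print(row["time"], row["ip"], row["user"] or "<no matching AAA message>")
```

The third assignment in the sample has no user attached, which is the case to watch for in practice: if the audit trail must answer "who held 10.20.30.9 at 13:06", the ASA log alone is not enough, and the RADIUS accounting record (with the Framed-IP-Address attribute the answer mentions) is the place to close that gap.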

Wolfgang Fuerst Tue, 11/18/2008 - 05:48

We will use the Cisco 2811 with the "Advanced Enterprise Services" software and have to create about 1000 C-Tunnels (IP over OSI). Is there any experience of how many C-Tunnels can be configured within the router? Wolfgang Fuerst

husycisco Tue, 11/18/2008 - 09:57

Hello Srinivas,

Welcome and thanks for your time.

My question is about a widely used design and ASA's behaviour.

A web server in the DMZ; a domain controller, located on the inside interface with the other domain members, which has root hints configured for name resolution, is the primary DNS server for all hosts, and is also the name server for the public domain www.xxx.com. The private internal domain and the public domain are the same (xxx.com).


global (outside) 1 interface

static (inside,outside) udp interface 53 domaincontroller 53

static (inside,outside) publicwebip privatewebip


A client on the internet types www.xxx.com; the name resolution request is forwarded to "interfaceip", the DC checks the DNS database and returns "publicwebip", and the client can connect to the web server successfully. That's OK!


A client on the inside wants to connect to the web server in the DMZ and, as everyone in the globe does, types www.xxx.com. The DC checks its DNS zones, finds "publicwebip" and returns it to the client. Now what happens is...


The firewall initiates a connection with the SYN flag set from "interfaceip" to "publicwebip", which are in the same subnet, but the connection is dropped because traffic cannot enter and then exit the same interface. That's OK too; "same-security-traffic permit intra-interface" is now issued, but that still does not work!


Before coming to the actual problem, my questions are:

Why does that happen? What is the logical explanation behind this issue? Does that happen only in firewalls?


Now the suggestions for the actual problem:

1) DNS doctoring: For the firewall to be able to intercept the DNS query packet and perform doctoring accordingly, so that the client gets "privatewebip" and connects successfully, the DNS server should reside on another interface. Am I right? So that solution doesn't work for this scenario.


2) A (host) record in the DNS server: A host record for www can be created with privatewebip set, and whenever inside hosts ask for www.xxx.com they get privatewebip and successfully connect to the web server. But since this is also a public name server, somebody on the internet will also get privatewebip from the name query and the web server won't be accessible from outside.


Any thoughts are appreciated.

I hope my explanation is simple and does not bore you.


Regards

smallu Tue, 11/18/2008 - 12:20

Hi There,


Good question! Great suggestions on the possible solutions.


Your suggestions are based on the fact that hairpinning does not work, or routing the DNS query out the same interface does not work.


Now, "same-security-traffic permit intra-interface" only enables hairpinning. Apart from this command, you'll also need a static which says something like this..


static (inside,inside) 192.168.10.1 192.168.10.1


just as an example. So, when the DNS server responds to the query, it hits the inside static from the inside interface. Since we have hairpinning enabled, the ASA routes it out the same interface to the client. This should work! If you are still having problems, I suggest you double-check your config, or if the problem persists, open a TAC case.


Coming to the suggestions;


* Same thing here. Hairpinning should work. You'll need that same interface static here also.

* DNS server cannot have private IP's, as it also caters to hosts on the internet, and private ip's are not routable.


Hope this helps!


Thanks,

Srinivas.

smallu Tue, 11/18/2008 - 11:49

Hi Wolfgang,


Good question! This forum is primarily for ASA. However, since this is a security related, I'll give it a shot.


There is really no hard limit set by the software, irrespective of the feature set you are using, on the number of tunnels you can configure. It's really limited by the memory on the router.


Per the 2800 data sheet, it supports up to 1500 tunnels with the AIM-VPN module installed on the router.


You can find more details here;

http://www.ciscosystems.com/en/US/prod/collateral/routers/ps5853/data_sheet_vpn_aim_for_18128003800routers_ps5853_Products_Data_Sheet.html


Hope this helps!


Thanks,

Srinivas.

joe-vieira Tue, 11/18/2008 - 09:57

Hi,


Currently we have 2 VPN concentrators configured for clustering. We're replacing them with 2 5520 ASAs. Do we configure them the same way as the concentrators to do VPN clustering? Do we need the same licensing on both appliances for this to work? Do we need IPsec enabled even though we'll only be using the SSL AnyConnect client?


smallu Tue, 11/18/2008 - 12:39

Hi Joe,


Yes. You would configure the ASAs the same way. However, keep in mind that the syntax is very different. We recommend that you keep the exact same licenses on both firewalls in the pair.

You don't need IPSec enabled for the SSL Anyconnect client to work with ASA.


Here is a sample config;

http://www.ciscosystems.com/application/pdf/paws/99756/asa8.x_anyconnect_vpn.pdf


Hope this helps!


Thanks,

Srinivas.

joe-vieira Tue, 11/18/2008 - 12:45

Thanks this helps.


Also, can you give me a sample config for the vpn clustering for 2 ASAs and using ASDM?


Thanks


vhilario Tue, 11/18/2008 - 10:12

Hello Expert:


I have a 2 cisco asa 5520 and 2 routers 877.


People get VPN connected to the company and need to get through the ASA. All works like a charm except that, when you come in early in the morning, none of the users can VPN into the network, and the router needs to be restarted in order to VPN into the network again.


Any ideas ?

smallu Tue, 11/18/2008 - 12:51

Hi There,


I am not really clear about the problem from the brief description above.


From what I understood, the users VPN to the 877 router and get connected. From there, they browse the internal network after being allowed through by the firewall.


Early in the morning, you are not able to connect to the router.


Questions..

* Is the router not allowing inbound connections?

* Or is the firewall blocking the traffic?


First we need to figure out which device is blocking the traffic and debug there.


From what I have, since a reboot of the router helps the situation, I think the router is the culprit here. Please turn on the debugs when you experience the problem, you should be able to figure out the root cause.


debug crypto isakmp

debug crypto ipsec


"show crypto isakmp sa" should tell you if the tunnel is established. The tunnel is established if it is in the 'QM_IDLE' state.


"show crypto engine conn act" should tell you if the tunnel is encrypting and decrypting packets.


Is there a certain time at which you are experiencing this problem? It could be an issue with a time-based ACL. Just a thought.


I suggest opening a TAC case in case the above suggestions don't help you.


Thanks,

Srinivas.

j.delossantos Tue, 11/18/2008 - 11:19

Hello.

In configuring Active/Standby on the ASAs, 5520 are what we have, do I have to configure my intended secondary with an IP address on each interface/sub-interface prior to enabling failover?


-or-


Would a single configured interface be sufficient to establish peering?


Second Question:

Can LAN and Stateful failover be on the Management interface of the ASAs?


Thanks

cisco24x7 Tue, 11/18/2008 - 13:08

Does Cisco ASA support Extended Passive (aka EPSV) FTP? I have several Linux FTP servers sitting behind the PIX firewall, running version 7.0.8, and that FTP just hangs unless I disable EPSV.



smallu Tue, 11/18/2008 - 16:04

Hi There,


There are some known issues with EPSV support in the ASA. Support for these commands should be available in later releases.


Alternatively, you can try the following workaround:


Use the following inspect command,

inspect ftp strict


instead of

inspect ftp.


Hope this helps!


Thanks,

Srinivas.
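
The symptom in the question (the transfer hangs only when EPSV is enabled) comes down to what the inspection engine can read out of the control channel. An EPSV reply (RFC 2428) carries only a port and expects the client to reuse the control connection's server address, whereas a PASV reply carries a full address and port; an engine that only understands the 227 form never opens the pinhole for the 229 data connection, and the firewall drops it. Here is an added example (not from the thread or from Cisco) that parses both reply forms and models the pinhole decision; the reply strings are constructed, and the address-mismatch check in the pinhole model is my own sanity check rather than a description of what "inspect ftp strict" does.

```python
import re

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, control_server_ip):
    """Where the client's data connection will go after a PASV (227) or EPSV (229) reply.

    PASV encodes h1,h2,h3,h4,p1,p2 (port = p1*256 + p2). EPSV encodes only the
    port; per RFC 2428 the client reuses the control connection's server address."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return ".".join(map(str, (h1, h2, h3, h4))), p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return control_server_ip, int(m.group(1))
    return None


def inspection_pinhole(reply, control_server_ip, understands_epsv):
    """Model an FTP inspection engine deciding whether to open the data-channel pinhole.

    Returns (ip, port) to permit, or None when the engine cannot derive an
    endpoint. With understands_epsv=False a 229 reply yields None: the data
    connection then hits the normal policy and the transfer hangs, which is the
    behaviour described in the question above."""
    if reply.startswith("229") and not understands_epsv:
        return None
    endpoint = data_endpoint(reply, control_server_ip)
    if endpoint is None:
        return None
    # My own sanity check: a PASV reply pointing at a host other than the
    # control-channel server is not something a firewall should open a hole for.
    if endpoint[0] != control_server_ip:
        return None
    return endpoint


def client_next_command(reply_to_epsv):
    """RFC 2428 client behaviour: a 5xx answer to EPSV means fall back to PASV."""
    return "PASV" if reply_to_epsv[:1] == "5" else "EPSV"


# Constructed sample replies (not from the thread)
SERVER = "192.0.2.10"
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
PASV_BOUNCE = "227 Entering Passive Mode (198,51,100,7,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||6446|)"
EPSV_REFUSED = "500 'EPSV': command not understood"


if __name__ == "__main__":
    for label, reply in (("PASV", PASV_REPLY), ("EPSV", EPSV_REPLY)):
        print(label, "endpoint:", data_endpoint(reply, SERVER),
              "pinhole (no EPSV support):", inspection_pinhole(reply, SERVER, False),
              "pinhole (EPSV support):", inspection_pinhole(reply, SERVER, True))
```

The contrast between the two pinhole results for EPSV_REPLY is the whole story behind the hang. It also explains why disabling EPSV on the client fixes it: the client then sends PASV, gets a 227 reply, and the engine that only knows 227 opens the hole as usual.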


smallu Tue, 11/18/2008 - 13:30

Hi There,


You would need to configure IP address and standby IP address on each interface, prior to enabling failover.


For configuration examples, please refer to the following link;

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef


Cisco recommends that you do not use the management interface for failover, especially for stateful failover in which the security appliance constantly sends the connection information from one security appliance to the other. The interface for failover must be at least of the same capacity as the interfaces that pass regular traffic, and while the interfaces on the ASA 5540 are gigabit, the management interface is FastEthernet only. The management interface is designed for management traffic only and is specified as management0/0. However, you can use the management-only command in order to configure any interface to be a management-only interface. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.


Hope this helps!


Thanks,

Srinivas.

Anonymous (not verified) Wed, 11/19/2008 - 07:15

Hi,

I have several Cisco 1220 APs and one of them will not respond (I can only get a limited Telnet connection). I believe the firmware on the flash is corrupt. Is there a way to take the flash firmware from a working AP and upload it to the bad AP? I can't seem to find any documentation on this process.

Thank you!

smallu Wed, 11/19/2008 - 11:30

Chris,


This question is out of scope of the topic of discussion. This discussion is limited to ASA and firewalling. You may want to post this question in the general or wireless related subject area or open a TAC case.


Thanks,

Srinivas.

srue Wed, 11/19/2008 - 11:02

With a failover set, if you need to purchase SSL VPN licenses, do you have to purchase the same license for both?

smallu Wed, 11/19/2008 - 11:32

Hi There,


That is correct! Both members of the failover pair should have the exact same license feature set, apart from having the exact same physical configuration and running the exact same software.


Hope this helps!


Thanks,

Srinivas.

prashantb Wed, 11/19/2008 - 23:25

Hi Srinivas,


I have to configure two ASA in clustering for VPN loadbalancing.

Which software version is most preferable for this, 7.2(4) or 8.0(3)? The VPN configuration will include client and clientless.
