
ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Sep 24th, 2010

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliances and Firewall Service Module product lines with Magnus Mortensen. Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network security related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.

Remember to use the rating system to let Magnus know if you have received an adequate response.

Magnus might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 8, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

Acruzgreg Fri, 09/24/2010 - 15:05

ASA PHONE PROXY

hello,

I have a question. I need to configure ASA Phone Proxy, but this ASA appliance resides in the DMZ network.

Is it possible to configure this application in this design?

regards

Magnus Mortensen Fri, 09/24/2010 - 16:42

Angel,

     I wish I had good news for you, but unfortunately a NAT router/firewall in front of a Phone Proxy ASA is not supported. Phone Proxy requires publicly routable addresses for both signaling and media termination; as a result, the implementation you are trying to set up will most likely not work. Many customers implement a standalone Phone Proxy ASA in parallel to the existing firewall in the network. The ASA would have interfaces on the outside Internet segment as well as on the inside subnet. Would you be able to place the Phone Proxy ASA in such a fashion? If you go down that path, then all you need to do to make sure routing isn't a problem is to use ASA version 8.2 or later and run per-interface MTA along with some NAT tricks in order to make sure that traffic destined for the proxied phones goes through the Proxy ASA and not through the other firewall.

- Magnus

sean_evershed Sun, 09/26/2010 - 04:23

Hi,

I was wondering when the next TAC Security Podcast was going to be released?

Thanks

Sean

Magnus Mortensen Mon, 09/27/2010 - 06:44

Sean,

     For Episode 14, we changed how/where we are doing the recordings, so it is taking us a little bit of time to re-tool/edit and release this latest podcast. We hope to have it up and running soon. Thanks for listening!


- Magnus

paveldimow Sun, 09/26/2010 - 07:48

Hello,

I am working on project that involves CAT6K with ACE and FWSM modules (one ACE and two FWSM modules per physical chassis). I want to run FWSM in routed mode but according to docs FWSM in VSS does not support RHI.

I was wondering if RHI will be supported in this setup anytime soon?

One "workaround" is to put ACE before FWSM so in that case FWSM lack of RHI support does not present a problem.

Is this valid scenario?

Magnus Mortensen Mon, 09/27/2010 - 05:30

Pavel,

     We see this question come up from time to time. There are some documents out there that incorrectly state that VSS and RHI do not work together. From FWSM version 4.0.4 onwards, RHI is supported in VSS. You can get more information about supported chassis code for VSS and RHI here:

FWSM 4.1.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html#wp161314

FWSM 4.0.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/release/notes/fwsmrn40.html#wp161314

If you are running FWSM 4.0.x and this is a new installation, you should run the latest 4.0.x image in order to get around bugs like:

CSCsz13933 - RHI:FWSM inject routes to MSFC even after state change from act to stdby (Fixed in 4.0.6 and beyond).

If you could, can you please provide a link to the documentation that noted it was not supported.

- Magnus

Magnus Mortensen Tue, 09/28/2010 - 17:45

Pavel,

     Thanks for the link. I will follow up and get that corrected if need be.

- Magnus

huangedmc Sun, 09/26/2010 - 14:17

How does ASA in routed mode handle received multicast packets when there's no mroute in its routing table?

We have hosts sending packets towards 224.2.0.8 on our network.

Since we don't have multicast set up, switches simply forward them as broadcast.

What does the ASA do w/ these packets?

Is it smart enough to know these are multicast packets, and drop them since there's no mroute, or does it forward on according to the default route,as if it's a normal L3 packet?

Magnus Mortensen Sun, 09/26/2010 - 15:32

Kevin,

     The firewall, being a security device, will drop those packets. I went ahead and verified this here in my lab, and without a mroute, the traffic is dropped.

- Magnus

jorgeangelalvar... Mon, 09/27/2010 - 23:39

I have a 6500 with VSS FWSM and ACE.

I suggest not using RHI.

I found 2 errors on the platform:

- Wrong RHI in failover between FWSM (I use 4.1).

- Wrong RHI in VSS and ACE (inject wrong next-hop on VSS).

Then I suggest to go with static route. KISS.

Bye.

Magnus Mortensen Tue, 09/28/2010 - 18:16

Jorge,

     Most of the bugs that manifest as RHI routes not being removed after failover should be fixed in the 4.1.x versions. It may be worth opening a case so we can ID a bug (worst case, file one) so we can improve the feature.

- Magnus

gdspa Mon, 09/27/2010 - 00:51

Hi Magnus,

I have a question about DAP on Cisco ASA 5510.

Our firewall: ASA5510 8.2(1)11

When I try to connect from the LAN to the vpn client (ipsec) I receive a message of Authorization denied for user 'unknown' because of the DAP applied to the vpn connection.

This is the log I have:

6    Sep 24 2010    09:39:32    109025    Server    1648    10.26.0.2    9595    Authorization denied (acl=DAP-ip-user-0076860E) for user '' from Server/1648 to 10.26.0.2/9595 on interface inside using TCP

where 10.26.0.2 is the ip address of the vpnclient.

In the dap I added an acl that permits traffic from the Server to the vpnclient network, and from dap trace I see that this acl is applied to the connection.

Can you make me any suggestion?

andrea.meconi@c... Mon, 09/27/2010 - 06:19

Hello.

I need some help about FWSM running software version 4.1(1) and Device Manager Version 6.2(1)F.

Using ASDM, the first time I select NAT from the Firewall menu, or Access Rules, the page appears after one minute!

Why?

I have been seeing this issue since the ASDM upgrade.

Thanks.

Regards.

Andrea

Magnus Mortensen Tue, 09/28/2010 - 18:01

Andrea,

     I'm not sure what could be causing that off the top of my head. One thing that may be worth looking into is the Java Console in ASDM. You can access the console from the Tools menu in ASDM. Based on the fact that it takes about a minute, I think that some other operation may be timing out or erroring out. Do you see anything stand out in the Java Console?

- Magnus

pushpendrayadav Mon, 09/27/2010 - 12:16

Hi,

We are using a Cisco PIX 515E (Cisco PIX Firewall Version 6.3(5)). We configured a few IPs for Polycom videoconferencing, but we are facing an issue with call drops.

For a few customers the phone rings and then disconnects without any talk. For a few of the customers it works for 20 seconds and then disconnects.

Please help me to get the Solution for this.

Allowed TCP and UDP ports for this application:

description TCP H323-H225
  port-object eq h323
  port-object eq 1719
  port-object eq https
  port-object range 3230 3237
  port-object eq ldap

description UDP H323-H225
  port-object eq 1720
  port-object eq 1719
  port-object eq 443
  port-object range 3230 3237
  port-object eq 5222

jorgeangelalvar... Mon, 09/27/2010 - 23:36

Umm, it sounds like the RTP stream (audio stream) can't reach the Polycom.

Are you using a Gatekeeper?

If the Polycom starts the call, does it work?

I think the fact that it works for 20 seconds could be because it matches an existing session.

Magnus Mortensen Tue, 09/28/2010 - 18:30

Pushpendra,

     I have seen issues with Polycom and the PIX that manifest as dropped packets as a result of some IP options. If you enable debug-level syslogs, do you see any logs related to the endpoints in question? Any logs indicating dropped packets and the like? In some cases, as a result of protocol incompatibility, we need to disable the fixups and simply permit the traffic with ACLs. That may be worth testing, but with the old 6.x code you can only enable/disable the fixup globally; you have no granular control. With that in mind, a move to 7.2.5 may be of some value so you can get the better/advanced inspections, but also the ability to use MPF to selectively disable certain fixups (inspections) for certain flows.

- Magnus

besitec2003 Tue, 09/28/2010 - 07:53

Hello Magnus,

I have some problems understanding the management function.

asa1---transnet1---isp_router---vpn---isp_router---transnet2---asa2---mangement interface

I try to connect from asa1 network to asa2 management interface but it is not working.

I get this log msg from the log viewer:

I can only access the asa2 from the transnet2 site .

I added these commands to the asa2:

- management-access management

- http 172.20.0.250 255.255.255.255 NicTrans_outside

- ssh  172.20.0.250 255.255.255.255 NicTrans_outside

But with no success. Do you have any idea for me?

Many thanks

Timo

Magnus Mortensen Tue, 09/28/2010 - 18:22

Timo,

     The management-access command is only for when you are coming over a VPN tunnel that terminates on that ASA. As it notes in the documentation for that command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985

"To allow management access to an interface other than the one from which you entered the adaptive security appliance when using VPN, use the management-access command in global configuration mode."

If you are not coming over a VPN tunnel that terminates on the ASA, then the only way to access that ASA from locations behind the NicTrans_outside interface, would be to connect to the NicTrans_outside IP address and not that of the management interface.

- Magnus

viacheslav.k Wed, 09/29/2010 - 00:23

Hi Magnus,

My question is connected with IPv6 routing and ASA.

My simple network topology:

PC======ASA 5520=======Router 2801

I've assigned following IPv6 Subnets:

PC-ASA:

Network is 2001::3000:100:/104

ASA has 2001::3000:101:1/104

PC has 2001::3000:133:136/104 (default gateway is 2001::3000:101:1)

ASA-Router:

Network is FC00:1::/32

ASA has FC00:1::1/32

Router has FC00:1::101/32 (default gateway is FC00:1::1)

PC can ping its IPv6 gateway.

Router can ping its IPv6 gateway.

The problem is that PC can't ping (establish tcp connections, etc) Router and vice versa.

ASA can ping both of them.

When I use 'packet-trace' command on ASA it says that connections are allowed.

PC firewall is disabled. Router has not any IPv6 access-list.

ASA has two IPv6 access-list for both interfaces with following rules:

permit ip any any

permit icmp any any

I also used commands 'ipv6 icmp permit any INT1' and 'ipv6 icmp permit any INT2'.

What is the problem in my situation? Why can't the PC and Router communicate?

I thought that I have to enable IPv6 routing on ASA, but I do not know how to do this.

When I do 'show ipv6 interface' I get:

INT1 [up/up]

.....

INT2 [up/up]

My head is going to blow up.

Help me, please

P.S. ASA firmware is 8.2. PC is Windows 7. Router is 12.4.

sding2006 Wed, 09/29/2010 - 13:40

Hi Magnus,

We have deployed MPLS, and have several L3VPN, we are using a routed context from a single FWSM in Catalyst 6500 with static route to communicate between global routing table and vrf routing table. With more and more L3VPN added, we want to add redundancy/failover to our design.

I am thinking of using a pair of FWSMs in separate Catalyst 6500 chassis with firewall failover and HSRP for the outside VLAN and inside VLAN, the outside VLAN connecting to the global RT, the inside VLAN connecting to the vrf RT.

Basically the global table will have a static route for the vrf address space pointing to the active outside IP of the FWSM context,

the FWSM context outside VLAN will have a static default route pointing to the HSRP active in the global RT,

the FWSM context inside VLAN will have a static route for the vrf address space pointing to the HSRP active in the vrf RT,

then in the vrf RT, a default static route to the FWSM context inside active.

Is this kind of setup supported? What's your recommendation to add redundancy/failover?

Thanks,

Shiling

Magnus Mortensen Wed, 09/29/2010 - 20:04

Shiling,

     If my interpretation of your network design is right, this should be just fine. This is the basic concept of inter-chassis failover. With this design, if the Primary FWSM in Chassis A fails, the Secondary FWSM in Chassis B will take over. When the FWSMs fail over, the active HSRP interfaces do not fail over. So when we are running through the Secondary FWSM, the traffic will flow through the Chassis A VRF, over the trunk on the INSIDE VLAN to the Secondary (now Active) FWSM in Chassis B, through the FWSM and then back over the trunk on the OUTSIDE VLAN to Chassis A to be routed by the Global Routing table. This design will provide redundancy for the FWSMs.

More information can be found here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1125008

- Magnus

great@posdata.co.kr Wed, 09/29/2010 - 19:33

Hello!

I have a question about h.323 version 5 and 6 support of ASA/FWSM.

We have a plan to set up a video conferencing system on our network.

There are some problems with an H.323 video codec.

I am wondering about the ASA/FWSM version with the enhancement for H.323 version 6 support (CSCsk67454).
Could you let me know the exact version of ASA and FWSM that has the enhancement?

Thanks.

Magnus Mortensen Wed, 09/29/2010 - 20:29

Hi,

     I had to dig around a bit to double check, but from what I can see this was integrated into ASA code version 8.2.1, so moving to 8.2.3 would make sense and also provide the most bug fixes in the 8.2.x code train. Unfortunately I do not see any plans to add H.323 v6 support to the FWSM platform at this time. The FWSM, if v6 traffic passes through, will have the version downgraded to version 4 and extra fields removed.

- Magnus

MarcioMinicz Thu, 09/30/2010 - 17:27

Hello,

I know that we can implement ASA failover A/A or A/S, and that we can implement redundant interfaces. I know that each piece of equipment has an MTBF value. What I would like to know is how much better A/S implemented with redundant interfaces is compared with A/S without redundant interfaces (maybe in percentage).

Regards

Marcio Minicz

Magnus Mortensen Sun, 10/03/2010 - 07:27

Marcio,

     I do not think I have seen any MTBF numbers for interface failures, but we (TAC) rarely see cases come in where an interface has failed. Usually the failures are chassis-level failures (won't boot/power up/etc.). As a result I can only assume that the interfaces have a higher MTBF, so with/without redundant interfaces wouldn't make a difference. The redundant interface setup could help protect you from failures of the attached switches, but it won't get you much on the ASA itself.

- Magnus

MarcioMinicz Mon, 10/04/2010 - 15:08

Thank you for your answer.

Marcio Minicz

coomera10 Thu, 09/30/2010 - 17:47

Hi Magnus,

My question is fairly simple (hopefully) for you to answer...

How is it possible to export the rule set on Cisco ASA firewalls? and what formats can you export the rules in? Excel (.csv , .xls etc)

Thanks in advance

Magnus Mortensen Sun, 10/03/2010 - 07:49

Hi,

     You can export the Access-list rule configuration page of ASDM. In ASDM go to 'Configuration' -> 'Firewall' -> 'Access Rules' and click on the EXPORT button in the bar above the rule table. Options include HTML or CSV. I just tested this on my ASA 8.3.x/ASDM 6.3.x and ASA 8.2.x/ASDM 6.2.x setups and it seems to export a CSV file just fine.

- Magnus

MSAD_ADMIN Thu, 09/30/2010 - 18:11

We have 2 pairs of ASAs (5520), each pair in Active/Active mode. I noticed that the failover IP gets the same automatic MAC address (1200.0200.0400) on both pairs. Is this normal behavior? If this gives me MAC flapping when connecting the mentioned ports to the same management zone, is the solution to assign manual MAC addresses?

Magnus Mortensen Sun, 10/03/2010 - 08:00

Mohammed,

     It sounds like you may want to look into using the 'mac-address auto prefix' command. This command was first put into ASA code in version 8.0.5 and the goal is to make the auto-generated MAC addresses more unique, so you could have multiple ASAs without MAC conflicts. More information about this command can be found here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1973105

- Magnus

NAGISWAREN2 Thu, 09/30/2010 - 18:42

Hi Magnus,

My office has one Cisco ASA 5510. I've noticed in the firewall dashboard tab there are scanning attacks and SYN attacks. It always has a number of attacks there, on average 4 attacks. Is there any possibility to know who is doing the attack and how to stop them?

And beside that, the TOP 10 Protected Server Under Syn Attack is showing as below

server:port            Interface | total   Source IP
----------------------------------------------------
Outside Server IP:23   inside    | 60      My inside server IP

Does this mean my inside server is attacking the outside server on port 23? Any idea? Please advise.

dipak.timsina Mon, 10/04/2010 - 06:52

Hi,

I've configured an IPsec VPN on a Cisco SA520 with a Fortigate router. The Phase 1 and Phase 2 configuration is all okay, but the IPsec tunnel isn't up. In the IPsec VPN logs I got these:

2010-10-04 14:42:03: INFO:  Received Malformed packet of payload length 41726 and total length 72.
2010-10-04 14:42:07: INFO:  Received Malformed packet of payload length 41726 and total length 72.
2010-10-04 14:42:12: ERROR:  Ignore information because ISAKMP-SA has not been established yet.
2010-10-04 14:42:12: INFO:  Configuration found for 212.16.98.190[500].
2010-10-04 14:42:12: INFO:  Received request for new phase 1 negotiation: 22.16.221.227[500]<=>212.16.98.190[500]
2010-10-04 14:42:12: INFO:  Beginning Identity Protection mode.
2010-10-04 14:42:12: INFO:  Received Vendor ID: DPD
2010-10-04 14:42:14: ERROR:  Phase 1 negotiation failed due to time up for 212.16.98.190[500]. b43474085f0471b9:03022b503977fbba
2010-10-04 14:42:14: INFO:  Received Malformed packet of payload length 55242 and total length 72.
2010-10-04 14:42:15: INFO:  Received Malformed packet of payload length 25961 and total length 72.
2010-10-04 14:42:19: INFO:  Received Malformed packet of payload length 25961 and total length 72.

What does this mean?

kathy-kat Wed, 10/06/2010 - 10:09

Hello!!

I have some problems with authentication into the FWSM. If I try to do it from the CLI through the Catalyst 6509, this happens:

509_CORE_A#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ... Open


User Access Verification

Password:
Type help or '?' for a list of available commands.
FWSM-A> ena
Command authorization failed
FWSM-A>

Any idea??

jorgeangelalvar... Wed, 10/06/2010 - 11:24

Ummm, it seems to be 'aaa authorization command' for the console pointing to a RADIUS or TACACS server. Do you have the correct permissions to be in "enable mode"?

Good luck

Magnus Mortensen Wed, 10/06/2010 - 14:10

Katherine,

     Depending on the FWSM version and configuration there are different ways to control the AAA when sessioning down from the chassis...

- If you are in single mode, you can control the sessioning to the module with 'aaa authentication telnet console xxx' line

- If you are in multiple mode running code 3.2 or later, you can control the authentication used for sessions by using the 'aaa authentication telnet console xxx' in the *admin* context.

- If you are in multiple mode running code earlier than 3.2, you may be a bit out of luck.

If you are in multiple mode and running 3.2 or later, do not use the 'enable' command after logging in, instead use the 'login' command. That will allow you to keep the authenticated username as you transition between contexts.

- Magnus

reymon_012 Thu, 10/07/2010 - 06:51

Hi Magnus,

I have some few questions regarding ASA and FWSM:

- I know that multicast is not supported when running in multi-context mode, but is there a workaround or a road map to support this feature?

- I want to implement the FWSM to separate the DC, inside users, DMZ, customers and outside network from each other. What mode do you recommend if I use multicast for all these networks?

- Is it true that the ASA 5580 has greater functionality than the FWSM?

- Can VSS with FWSM support multi-context mode?

Thanks in advance!

cheers,

mhon

ROBERTO TACCON Thu, 10/07/2010 - 09:17

Hi Magnus,

How can I configure a PIX running version 8.0(4) to NOT block the LAND ATTACK?

pix# sh log | i 17.12.18.24

Oct 07 2010 15:47:31: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24

Oct 07 2010 15:47:31: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59790 duration 0:00:00 bytes 0 looping-address

I've already disabled signature 1102

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1102&signatureSubId=0&softwareVersion=6.0&releaseVersion=S473

pix# sh run | i audit

ip audit signature 1102 disable

pix#

but the drop continue ....

pix# sh log | i 17.12.18.24

Oct 07 2010 15:50:22: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24

Oct 07 2010 15:50:22: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59891 duration 0:00:00 bytes 0 looping-address

I think (as I have captured all the traffic on the inside and outside interfaces and I can't see any packet with the same src-dst IP) the problem is a PIX bug.

The questions are:

- how I can DISABLE on the pix the "Deny IP due to Land Attack" ?

- is the following the correct command to disable the LAND ATTACK: "ip audit signature 1102 disable"?

- how can i capture ONLY the ASP DROP packets ?

Thanks

Roberto Taccon
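A defender looking at Roberto's logs wants to confirm two things before chasing a bug: whether the %PIX-2-106017 deny really reports identical source and destination addresses (the property that defines a LAND packet), and whether each deny lines up with the %PIX-6-302014 teardown whose reason is "looping-address". The parser below is an added example, not code from the thread or from Cisco; the regular expressions are my own reading of the message formats quoted above, and the sample log is constructed from those lines plus one unrelated teardown so the filter has something to ignore.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the %PIX-2-106017 / %PIX-6-302014 lines
# quoted in the thread plus one unrelated teardown (all addresses are examples).
SAMPLE_LOG = """\
Oct 07 2010 15:47:31: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24
Oct 07 2010 15:47:31: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59790 duration 0:00:00 bytes 0 looping-address
Oct 07 2010 15:50:22: %PIX-2-106017: Deny IP due to Land Attack from 17.12.18.24 to 17.12.18.24
Oct 07 2010 15:50:22: %PIX-6-302014: Teardown TCP connection 1264706965 for outside:17.12.18.24/80 to inside:10.12.40.114/59891 duration 0:00:00 bytes 0 looping-address
Oct 07 2010 15:51:02: %PIX-6-302014: Teardown TCP connection 1264706970 for outside:198.51.100.7/443 to inside:10.12.40.114/59900 duration 0:00:12 bytes 5120 TCP FINs
"""

# Generic PIX/ASA/FWSM syslog envelope: timestamp, %DEV-level-msgid, free text.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<dev>PIX|ASA|FWSM)-(?P<level>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# 106017 body: "Deny IP due to Land Attack from <src> to <dst>"
LAND_RE = re.compile(r"Deny IP due to Land Attack from (?P<src>[\d.]+) to (?P<dst>[\d.]+)")
# 302014 body: both endpoints, then the teardown reason at the end of the line
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+) to "
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) "
    r"duration \S+ bytes \d+ (?P<reason>.+)$"
)


def parse_line(line):
    """Split one syslog line into its envelope fields; None for lines that do not match."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_land_events(log_text):
    """One record per 106017 message, with the same-second 302014 teardown that
    names the denied address attached so the two lines can be read together."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    teardowns = []
    for r in records:
        if r["msgid"] == "302014":
            t = TEARDOWN_RE.match(r["text"])
            if t:
                teardowns.append((r["ts"], t.groupdict()))
    events = []
    for r in records:
        if r["msgid"] != "106017":
            continue
        land = LAND_RE.search(r["text"])
        if not land:
            continue
        src, dst = land.group("src"), land.group("dst")
        related = [t for ts, t in teardowns
                   if ts == r["ts"] and src in (t["out_ip"], t["in_ip"])]
        events.append({
            "timestamp": r["ts"],
            "address": src,
            "same_address": src == dst,  # the defining property of a LAND packet
            "teardown_reason": related[0]["reason"] if related else None,
            "victim": related[0]["in_ip"] if related else None,
        })
    return events


def count_by_address(events):
    """How often each address was denied; a single noisy source stands out here."""
    return Counter(e["address"] for e in events)


if __name__ == "__main__":
    found = find_land_events(SAMPLE_LOG)
    for e in found:
        print(e)
    print(count_by_address(found))
```

Run against an exported syslog file instead of SAMPLE_LOG, the same-second join is coarse but good enough to show which inside host was the other end of each torn-down connection, which is the first thing to compare against a packet capture on that interface.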

huangedmc Fri, 10/08/2010 - 07:12

I have a question about NAT on ASA's.

There are three interfaces on the ASA: inside, DMZ, & outside

Two static NAT's already existed:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

When we tried to add a new NAT statement, we got an error:

ASA(config)# static (DMZ,outside) 10.28.16.0 10.28.16.0 netmask 255.255.255.0
WARNING: mapped-address conflict with existing static
  inside:10.0.0.0 to outside:10.0.0.0 netmask 255.0.0.0

Why did we get this error/warning?

Is it just cosmetic, and NAT would still work properly, or should we change our configuration?

We have a bunch of 10.x.x.x subnets on the inside network, which is why we had to "summarize" it as 10.0.0.0/8.

We utilize 10.28.16.0/24 in our DMZ, and want to make some of the devices accessible by devices on our external edge network, thus the DMZ to outside nat.

We want to achieve this w/o having to NAT to different external IP's, which is why we're doing the NAT this way.
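The warning in Kevin's output is about the mapped side of the statics: the new entry presents 10.28.16.0/24 on the outside interface, and 10.0.0.0/8 is already presented there by the inside-to-outside static. The check below, an added example that is not the ASA's own logic, parses the pre-8.3 static syntax quoted above and reports which existing statics overlap the new one on the same mapped interface; the StaticNat class and function names are my own, and the example does not decide whether the overlap is acceptable in this design.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class StaticNat:
    """One 'static (real_if,mapped_if) mapped real netmask mask' entry (hypothetical type)."""
    real_if: str            # interface where the real (untranslated) hosts live
    mapped_if: str          # interface on which the mapped addresses are presented
    mapped: IPv4Network
    real: IPv4Network

    def __str__(self):
        return (f"{self.real_if}:{self.real.network_address} to "
                f"{self.mapped_if}:{self.mapped.network_address} netmask {self.mapped.netmask}")


def parse_static(cmd):
    """Parse the pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask."""
    parts = cmd.split()
    if len(parts) != 6 or parts[0] != "static" or parts[4] != "netmask":
        raise ValueError(f"unsupported static syntax: {cmd!r}")
    real_if, mapped_if = parts[1].strip("()").split(",")
    mapped_ip, real_ip, mask = parts[2], parts[3], parts[5]
    return StaticNat(real_if, mapped_if,
                     IPv4Network(f"{mapped_ip}/{mask}", strict=False),
                     IPv4Network(f"{real_ip}/{mask}", strict=False))


def mapped_address_conflicts(existing, new):
    """Existing statics whose mapped range overlaps the new one's on the same mapped interface."""
    return [s for s in existing
            if s.mapped_if == new.mapped_if and s.mapped.overlaps(new.mapped)]


def describe(existing, new):
    """Human-readable verdict for a proposed static, built from the overlap check."""
    conflicts = mapped_address_conflicts(existing, new)
    if not conflicts:
        return f"OK: {new} overlaps no mapped range on {new.mapped_if}"
    lines = [f"Mapped-address overlap for {new}:"]
    for s in conflicts:
        rel = "inside" if new.mapped.subnet_of(s.mapped) else "partially overlapping"
        lines.append(f"  {s}  ({new.mapped} is {rel} {s.mapped})")
    return "\n".join(lines)


# Constructed from the two statics and the rejected command quoted in the thread.
EXISTING = [
    parse_static("static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0"),
    parse_static("static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0"),
]
PROPOSED = parse_static("static (DMZ,outside) 10.28.16.0 10.28.16.0 netmask 255.255.255.0")

if __name__ == "__main__":
    print(describe(EXISTING, PROPOSED))
    # A mapped address taken from a range not already presented on outside (constructed).
    print(describe(EXISTING, parse_static(
        "static (DMZ,outside) 192.0.2.0 10.28.16.0 netmask 255.255.255.0")))
```

The second call in the `__main__` block shows the shape of a static that the check accepts: the real DMZ range is unchanged, only the mapped side moves out of 10.0.0.0/8. The inside-to-DMZ static is never reported because its mapped interface is DMZ, not outside.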

Posted September 24, 2010 at 10:38 AM