ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliances and Firewall Service Module product lines with Magnus Mortensen. Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network security related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.

Remember to use the rating system to let Magnus know if you have received an adequate response.

Magnus might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 8, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

40 Replies

Acruzgreg
Level 1

ASA PHONE PROXY

Hello,

I have a question. I need to configure ASA Phone Proxy, but this ASA appliance resides in a DMZ network.

Is it possible to configure this application in this design?

regards

Angel,

     I wish I had good news for you, but unfortunately a NAT router/firewall in front of a Phone Proxy ASA is not supported. Phone Proxy requires publicly routable addresses for both signaling and media termination; as a result, the implementation you are trying to set up will most likely not work. Many customers implement a standalone Phone Proxy ASA in parallel to the existing firewall in the network. The ASA would have interfaces on the outside Internet segment as well as on the inside subnet. Would you be able to place the Phone Proxy ASA in such a fashion? If you go down that path, then all you need to do to make sure routing isn't a problem is to use ASA version 8.2 or later and run per-interface MTA along with some NAT tricks in order to make sure that traffic destined for the proxied phones goes through the proxy ASA and not through the other firewall.

- Magnus

sean_evershed
Level 7

Hi,

I was wondering when the next TAC Security Podcast was going to be released?

Thanks

Sean

Sean,

     For Episode 14, we changed how/where we are doing the recordings, so it is taking us a little bit of time to re-tool/edit and release this latest podcast. We hope to have it up and running soon. Thanks for listening!


- Magnus

Pavel Dimow
Level 1

Hello,

I am working on a project that involves a CAT6K with ACE and FWSM modules (one ACE and two FWSM modules per physical chassis). I want to run the FWSM in routed mode, but according to the docs, FWSM in VSS does not support RHI.

I was wondering if RHI will be supported in this setup anytime soon?

One "workaround" is to put the ACE before the FWSM, so in that case the FWSM's lack of RHI support does not present a problem.

Is this a valid scenario?

Pavel,

     We see this question come up from time to time. There are some documents out there that incorrectly state that VSS and RHI do not work together. From FWSM version 4.0.4 onwards, RHI is supported in VSS. You can get more information about supported chassis code for VSS and RHI here:

FWSM 4.1.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html#wp161314

FWSM 4.0.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/release/notes/fwsmrn40.html#wp161314

If you are running FWSM 4.0.x and this is a new installation, you should run the latest 4.0.x image in order to get around bugs like:

CSCsz13933 - RHI:FWSM inject routes to MSFC even after state change from act to stdby (Fixed in 4.0.6 and beyond).

If you could, can you please provide a link to the documentation that noted it was not supported?

- Magnus

Hi Magnus,

thank you for your answer.

I concluded that RHI is not supported on the FWSM in a VSS configuration after reading the following white paper.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/white_paper_c11_513360.html

The link on the left side says:

FWSM4.0(4): Virtual Switching System (VSS) Integration

I am not a native English speaker, though, so maybe I missed the point.

Pavel,

     Thanks for the link. I will follow up and get that corrected if need be.

- Magnus

huangedmc
Level 3

How does an ASA in routed mode handle received multicast packets when there's no mroute in its routing table?

We have hosts sending packets towards 224.2.0.8 on our network.

Since we don't have multicast set up, the switches simply forward them as broadcast.

What does the ASA do with these packets?

Is it smart enough to know these are multicast packets and drop them since there's no mroute, or does it forward them according to the default route, as if it were a normal L3 packet?

Kevin,

     The firewall, being a security device, will drop those packets. I went ahead and verified this here in my lab, and without a mroute, the traffic is dropped.

- Magnus
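The forwarding behaviour Magnus describes (a multicast group with no mroute is dropped rather than falling through to the unicast default route) can be modelled in a few lines. The following is an added example, not ASA code and not part of the original thread: it builds a constructed unicast routing table and an optional mroute table, and shows that a packet to 224.2.0.8 is dropped when no mroute exists even though a default route would match it as a plain IPv4 address. The route entries, interface names and next-hop are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, where to send it) -- a constructed unicast routing table (assumption).
Route = Tuple[ipaddress.IPv4Network, str]
UNICAST_ROUTES: List[Route] = [
    (ipaddress.ip_network("10.0.0.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside via 203.0.113.1"),
]

# mroute table: multicast group -> outgoing interface list (empty dict = no mroutes).
MRouteTable = Dict[str, List[str]]


def longest_prefix_match(dst: ipaddress.IPv4Address, routes: List[Route]) -> Optional[str]:
    """Return the next hop of the most specific matching unicast route, or None."""
    best: Optional[Route] = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def forwarding_decision(dst_str: str, routes: List[Route], mroutes: MRouteTable) -> str:
    """Model of a routed-mode firewall's decision for a packet to dst_str."""
    dst = ipaddress.ip_address(dst_str)
    if dst.is_multicast:
        # Multicast groups (224.0.0.0/4) are looked up in the mroute table only;
        # they are never matched against unicast routes or the default route.
        oifs = mroutes.get(dst_str)
        if not oifs:
            return "drop (multicast group with no mroute)"
        return "forward to " + ",".join(oifs)
    hop = longest_prefix_match(dst, routes)
    if hop is None:
        return "drop (no route)"
    return "forward via " + hop


if __name__ == "__main__":
    for dst in ("224.2.0.8", "10.0.0.5", "8.8.8.8"):
        print(dst, "->", forwarding_decision(dst, UNICAST_ROUTES, {}))
    print("224.2.0.8 with mroute ->",
          forwarding_decision("224.2.0.8", UNICAST_ROUTES, {"224.2.0.8": ["dmz"]}))
```

The point of the `is_multicast` branch is the one in Magnus's answer: the default route is consulted only for unicast destinations, so adding a mroute (or enabling multicast routing) is the only way such traffic leaves the box.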

I have a 6500 with VSS, FWSM and ACE.

I suggest not using RHI.

I found 2 errors on the platform:

- Wrong RHI in failover between FWSMs (I use 4.1).

- Wrong RHI in VSS and ACE (injects the wrong next-hop on VSS).

So I suggest going with static routes. KISS.

Bye.

Jorge,

     Most of the bugs that manifest as RHI routes not being removed after failover should be fixed in the 4.1.x versions. It may be worth opening a case so we can ID a bug (worst case, file one) so we can improve the feature.

- Magnus

gdspa
Level 1

Hi Magnus,

I have a question about DAP on Cisco ASA 5510.

Our firewall: ASA5510 8.2(1)11

When I try to connect from the LAN to the VPN client (IPsec), I receive a message of "Authorization denied for user 'unknown'" because of the DAP applied to the VPN connection.

This is the log I have:

6    Sep 24 2010    09:39:32    109025    Server    1648    10.26.0.2    9595    Authorization denied (acl=DAP-ip-user-0076860E) for user '' from Server/1648 to 10.26.0.2/9595 on interface inside using TCP

where 10.26.0.2 is the IP address of the VPN client.

In the DAP I added an ACL that permits traffic from the Server to the VPN client network, and from the DAP trace I see that this ACL is applied to the connection.

Can you give me any suggestions?
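The log line quoted above is syslog message 109025, whose text carries the ACL name, the (here empty) user, both endpoints, the interface and the protocol. When chasing a DAP problem it helps to pull those fields out rather than eyeball them. The following parser is an added example, not part of the poster's question or of Cisco's tooling: it handles both the ASDM-style tab export seen in the post and the raw `%ASA-6-109025:` syslog form, and flags ACLs whose name starts with `DAP-` as DAP-generated. The sample lines other than the one from the post are constructed, and the `DAP-` naming check is an assumption based on the ACL name shown.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Message body of 109025, in both the ASDM export and the raw syslog form.
MSG_RE = re.compile(
    r"Authorization denied \(acl=(?P<acl>[^)]+)\) for user '(?P<user>[^']*)' "
    r"from (?P<src>\S+?)/(?P<sport>\d+) to (?P<dst>\S+?)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+) using (?P<proto>\S+)"
)

# Constructed sample input: the first line is the one quoted in the post,
# the other two are made up to show a named user and an unrelated message.
SAMPLE_LINES = [
    "6    Sep 24 2010    09:39:32    109025    Server    1648    10.26.0.2    9595    "
    "Authorization denied (acl=DAP-ip-user-0076860E) for user '' from Server/1648 "
    "to 10.26.0.2/9595 on interface inside using TCP",
    "%ASA-6-109025: Authorization denied (acl=DAP-ip-user-00ABCDEF) for user 'jdoe' "
    "from 10.26.0.2/51234 to 10.1.1.10/443 on interface outside using TCP",
    "%ASA-6-302013: Built inbound TCP connection 4242 for outside:10.26.0.2/51234 "
    "(10.26.0.2/51234) to inside:10.1.1.10/443 (10.1.1.10/443)",
]


@dataclass(frozen=True)
class AuthDenied:
    acl: str
    user: str          # empty string when the ASA logs user ''
    src: str           # may be an IP or a network object name such as "Server"
    sport: int
    dst: str
    dport: int
    iface: str
    proto: str

    @property
    def is_dap_acl(self) -> bool:
        # Assumption: DAP-generated ACLs are named DAP-..., as in the posted log.
        return self.acl.startswith("DAP-")


def parse_109025(line: str) -> Optional[AuthDenied]:
    """Parse one log line; return None if it is not a 109025 message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return AuthDenied(
        acl=m["acl"], user=m["user"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        iface=m["iface"], proto=m["proto"],
    )


def summarize(lines: Iterable[str]) -> List[Tuple[Tuple[str, str], int]]:
    """Count denials per (acl, user) so the noisiest DAP record stands out."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_109025(line)
        if rec is not None:
            counts[(rec.acl, rec.user)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_109025(line)
        if rec:
            print(f"{rec.iface}: {rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} "
                  f"{rec.proto} denied by {rec.acl} (user={rec.user!r}, dap={rec.is_dap_acl})")
    print(summarize(SAMPLE_LINES))
```

An empty `user` together with a `DAP-ip-user-` ACL, as in the posted line, tells you the deny came from the per-user DAP ACL applied on the inbound interface for traffic sourced from the LAN, which is where to look rather than at the tunnel-group or interface ACLs.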

andrea.meconi
Level 2

Hello.

I need some help with an FWSM running software version 4.1(1) and Device Manager version 6.2(1)F.

Using ASDM, the first time I select NAT from the Firewall menu, or Access Rules, the page appears only after one minute!

Why?

I am seeing this issue after the ASDM upgrade.

Thanks.

Regards.

Andrea
