
ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failover on ASA Firewall

Jun 20th, 2011


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn expert tips on how to configure and troubleshoot Network Address Translation (NAT) and Failover on Cisco ASA Firewalls with Cisco Expert Amitashwa Agarwal. Amitashwa is a senior customer support engineer and technical lead at the Cisco Technical Assistance Center in Bangalore, India. He works with the Security Firewall team, where his areas of expertise include configuring and troubleshooting issues related to firewall, VPN, and AAA technology. He holds a bachelor's degree in computer science from the University of Pune, India, and holds CCSP and CCIE certifications in Security (#22164).

Remember to use the rating system to let Amitashwa know if you have received an adequate response.

Amitashwa might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through July 1st, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

dianewalker Mon, 06/20/2011 - 09:58

Amitashwa,

We have two ASA 5540s. We are setting up Load Balancing (Active/Active). Load Balancing works great with the Cisco VPN client. However, is it possible to set up Load Balancing for Site-to-Site VPN?

Thank you.

Diane

amitaaga Mon, 06/20/2011 - 20:30

Hi Diane,

Based on the description that you have provided it is more of a question related to VPN load balancing rather than Active/Active failover on ASA. However, to answer your query VPN load-balancing/clustering is only supported for remote access WebVPN and IPSec on ASA. It is unfortunately not supported for Site-to-Site VPN on ASA.

Let me know in case of further questions or concerns.

Regards,

Amitashwa

luismorales31 Mon, 06/20/2011 - 10:34

Greeting,

We have two ISP connected to an ASA 5510 and we have configured one as the primary and the other one as a backup. I'd like to know if there is a way that, with the ASA, we can do load balancing across both ISPs.

Thanks in advance,

Luis

amitaaga Mon, 06/20/2011 - 21:29

Hi Luis,

Load-balancing using dual-ISPs is not possible on ASA platforms. However, you can still failover to another ISP in the event your primary ISP fails using the SLA monitoring feature on the ASA.

Here's a link which explains ISP fallback on ASA :

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Also, please refer to the link given below to understand the other options that you have in case of dual ISP's on ASA:

https://supportforums.cisco.com/docs/DOC-13015#What_other_options_do_we_have

Hope it helps. Let me know in case of any questions or concerns.

Regards,

Amitashwa
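As an added example (not part of the thread or of the Cisco documents linked above), this is what the SLA-monitoring ISP fallback Amitashwa refers to looks like on a pre-8.3 ASA, with the primary ISP on an interface named outside and the backup ISP on an interface named backup. The interface names, the ISP gateway addresses (203.0.113.1 and 198.51.100.1), the probe target (203.0.113.53, assumed to be a host reachable only through the primary ISP, such as its DNS server) and the SLA and track numbers are all assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 (8.2) NAT syntax.
! Addresses are RFC 5737 documentation ranges standing in for real ISP addresses.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Probe a host beyond the ISP gateway that answers ICMP reliably
! (assumed: the primary ISP's DNS server). The directly connected
! gateway can keep answering pings while its own uplink is dead.
! Three echoes every 10 seconds, each given 1000 ms to come back.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
!
! The track object follows the reachability result of SLA probe 10.
track 1 rtr 10 reachability
!
! The primary default route is withdrawn from the routing table when
! track 1 goes down; the higher-metric backup route then takes over,
! and the primary route is reinstalled when the probe succeeds again.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! PAT must exist on both egress interfaces, otherwise traffic that
! fails over to "backup" has no translation and is dropped.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Verify with show track 1, show sla monitor operational-state 10 and show route: when the probe fails, the tracked default route disappears and the backup route is installed. Two caveats a practitioner should expect: the probe source interface is pinned to outside, so the ASA keeps testing the primary path even while the backup route is active, which is what lets it fail back; and connections that were PATed to the outside address do not migrate to the backup address, they have to be re-established after the switch.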

Mohamed Sobair Tue, 06/21/2011 - 01:58

Hello Amitashwa,

I have the following two questions:

(1) I have an ASA firewall running code 7.2(3) in an Active/Standby setup. With this firewall I have multiple zones, but my concern in this question is only about three zones.

     From inside to outside, I have an IPsec tunnel with a client. My internal network is (172.19.25.0/24 - 172.20.168.0/22), and the client network is (172.17.5.0/24 & 172.17.6.0/24). The tunnel is active and both networks are reachable in both directions.

     From the inside to ASD_VPN, another zone, I have normal PAT. Some of my internal networks are able to reach network 10.254.0.0/16 using PAT; that is also OK.

     My problem is that my client on the outside zone network (172.17.5.0/24) needs to reach network 10.254.0.0/16, which is located in the ASD_VPN zone, and I have not been able to get this reachability working. I have permitted and added 10.254.0.0/16 in the interesting traffic and in nat (0), and have allowed and added the required permit statement in the outside access-list, yet without positive results.

What I exactly need is to permit network 172.17.5.0/24 to be NATed after it is decrypted by IPsec, and vice versa for the return path: I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24.

Is this kind of Scenario Possible?

Please refer to my Simple Connectivity diagram and Partial config I have attached.

(2) I need to have the SSL VPN client installed on this ASA. What I understood is that my current ASA version doesn't support the SSL VPN client. What is the exact code to implement this feature? What are the licensing categories for this feature? And please provide me with a reference document to set it up (other than using ASDM).

Appreciate your Answer,

Regards,

Mohamed

amitaaga Wed, 06/22/2011 - 02:12

Hi Mohamed,

Please find the answers to your questions below:

1]

From the description that you have provided I understand that you want users on remote subnet 172.17.5.0/24 to be able to access subnet 10.254.0.0/16 across a L2L tunnel terminating on the outside interface of your ASA. Also, you want the remote subnet users to get PATTED to the ASD_VPN interface ip before they can access the 10.254.0.0/16 subnet.

You can achieve the objective stated above by doing the following configuration on the ASA:

access-list 101 permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0

nat (ASD_VPN) 0 access-list 101

nat (outside) 2 172.17.5.0 255.255.255.0 outside

global (ASD_VPN) 2 interface

However, you need to make sure that the traffic destined for the 172.17.5.0/24 subnet from 10.254.0.0/16 is part of the crypto ACL to the remote peer on the ASA and the reverse of it is configured at the remote end.

Also, this traffic flow will only work when traffic is initiated from the remote subnet, i.e. 172.17.5.0/24, as it is getting PATTED on the ASA. If you would like this traffic flow to work bidirectionally then get rid of the "nat (outside)" statement from the configuration, which will in turn not PAT the traffic coming in from 172.17.5.0/24 to the ASD_VPN interface ip before going to the 10.254.0.0 subnet.

2] This question is outside the scope of this discussion; however, I will still answer your basic query on it. I would appreciate it if you could raise further questions on it in the VPN forum on CSC.

ASA 7.2.3 does support the SSL VPN client in full mode; however, it does not support AnyConnect VPN. AnyConnect is supported from 8.x. Please refer to the link given below to check the SSL VPN client configuration on ASA 7.x:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/svc.html

By default, Cisco provides a two-user complimentary SSL VPN license on all supported ASA devices. However, you will have to purchase a license if you want more SSL users to be supported on the ASA.

Hope this helps.

Regards,

Amitashwa

Mohamed Sobair Wed, 06/22/2011 - 04:31

Amitashwa,

1) I have actually tried what you have suggested before, but with no positive result.

I am not allowing bidirectional communication through PAT; the traffic should always be initiated from my ASA. However, using packet tracer shows the packet flow but the packet is being dropped due to (IPsec Spoof detected).

Still my question remains, My IPsec Tunnel is Over the Internet , so the client 172.17.5.0 traffic is encrypted when it reaches my Internal Network, while I am Patting my Internal & Outside Network 172.17.5.0/24 to the client 10.254.0.0/16.

As I said, The packet tracer shows no deny for any rule, but the traffic still being dropped and the reason is (IPsec spoof detected). 

Do you have any suggestion for this result?

2) for the Second question, Thanks for your input.

Regards,

Mohamed

amitaaga Thu, 06/23/2011 - 05:53

Hi Mohamed,

I understand that you have the following setup with a L2L tunnel between the ASA and the remote peer:

         inside       outside

       ---------ASA -------------------Internet ---------------------------Remote Peer ----------------172.17.5.0/24

                  | ASD_VPN

                  |

               10.254.0.0/16

And here is what you want to achieve:

"What I exactly need is to permit network 172.17.5.0/24 to be NATed after it is decrypted by IPsec, and vice versa for the return path: I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24."

I would appreciate it if you could provide me the following information to help you further:

1] When you say that you want to permit network 172.17.5.0/24 to be NATed after it is decrypted by IPsec, what exactly do you mean? Do you mean to say that you want the decrypted traffic (from the 172.17.5.0/24 subnet to 10.254.0.0/16) to get PATTED to the ASD_VPN interface before it actually gets to the 10.254.0.0/16 subnet?

2] When you say "...and vice versa for the return path, I need to encrypt 10.254.0.0/16 when going back to the client network 172.17.5.0/24", I understand that you only want this traffic to go through the tunnel to the remote side. Correct me if I have misunderstood anything here.

3] Output of the packet tracer command from the ASA.

4] Output of "show cry isa sa" and "show crypto ipsec sa peer"

Thanks,

Amitashwa

Mohamed Sobair Fri, 06/24/2011 - 12:15

Hi Amitashwa,

I am attaching here the output of what you have requested, including the packet tracer output from both the OUTSIDE and ASD_VPN interfaces.

with regard to your questions,

1) Your understanding is correct.

2) your understanding is correct.

Just one note: the traffic flow should always be initiated from the client 172.17.5.0/24 to network 10.254.0.0/16. However, it is still not getting positive results.

Regards,

Mohamed

amitaaga Fri, 06/24/2011 - 22:50

Hi Mohamed,

Packet tracer is not the right way to test this traffic flow, as the packet generated using it would be clear text from outside to ASD_VPN and this might result in the IPSEC SPOOF detected message. Therefore I would like you to actually do a ping from 172.17.5.0/24 to 10.254.0.0/16 to test the connectivity. Also, if my understanding of the problem is correct then the commands that I suggested earlier are the only ones that we need to achieve the desired result.

Please let me know if you have the following command configured on the ASA:

nat (outside) 2 172.17.5.0 255.255.255.0 outside -- outside keyword at the end is important here

Regards,

Amitashwa

Mohamed Sobair Sat, 06/25/2011 - 00:55

Amitashwa,

As soon as I type the command you are proposing: nat (outside) 2 172.17.5.0 255.255.255.0 outside, I lose connection to the peer.

I mean the Ipsec tunnel is still Active, however, No traffic (Pings for example) for any of the interesting traffic to Network 172.17.5.0/24 works AT ALL. So the traffic gets dropped.

When I remove it, all traffic get back to normal.

Any Clue,

Regards,

Mohamed

amitaaga Sat, 06/25/2011 - 02:19

Mohamed,

Do you see any syslog related to translation failed after applying the proposed NAT command? Try using this NAT command instead and let me know how it goes:

access-list 101 permit ip 172.17.5.0 255.255.255.0 10.254.0.0 255.255.0.0

nat (outside) 2 access-list 101 outside

Regards,

Amit

Mohamed Sobair Sat, 06/25/2011 - 07:26

Amit,

With the ACL associated with NAT, it worked like a charm!!!  I just have one question for you:

1- While using nat (outside) 2 172.17.5.0 255.255.255.0, I did it before without adding the "outside" keyword at the end and thought it should bring up the connection, while it didn't. So the question is, what does the (outside) keyword actually do at the end of this nat statement?

For the ACL NAT, I realized that doing it with the network command would NAT all traffic sourced from network 172.17.5.0/24 coming from outside regardless of its destination, which in the end results in the IPsec spoof and the firewall drops the packet.

Thanks for your time to answer my question,

BTW, I have given you full rate as deserved.

Regards,

Mohamed

amitaaga Sun, 06/26/2011 - 12:09

Mohamed,

It is good to know that everything has started working for you now.

The "nat" command up to 8.2 is only used to translate the source and is always applied on the higher-security-level interface of the firewall. However, when we want to translate the source of traffic going from a low to a high security level, that is when we need to apply the nat command with the "outside" keyword on the low-security-level interface, along with a corresponding "global" command on the high-security-level interface. Since, in your case, the requirement was to translate the source of the decrypted traffic going from a low to a high security level, we needed this keyword along with the nat command.

Also, when we were not using the ACL with the "nat outside" command it was looking to translate any traffic sourced from 172.17.5.0 to anywhere on the inside and since we did not have a matching "global (inside) 2 " command applied on the inside interface, this traffic was getting dropped on the firewall. 

Regards,

Amit
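As an added example (not part of the thread), here is the working configuration from this exchange consolidated into one pre-8.3 snippet, with the two pieces that the thread only mentions in prose: the crypto ACL entry for the new subnet pair and the existing NAT exemption for inside-to-remote traffic. The ACL names, the use of 172.19.25.0/24 as the representative inside network, and the peer placeholder are assumptions; the thread used the number 101 for two different ACLs, so distinct names are used here.

```cisco
! Added example, not from the thread. ASA 7.x/8.2 syntax.
! Goal: decrypted traffic from 172.17.5.0/24 (arriving on "outside",
! security 0) is PATed to the ASD_VPN interface address before it
! reaches 10.254.0.0/16. Only flows initiated by 172.17.5.0/24 work.
!
! 1. The crypto ACL on this ASA must include the new pair; the remote
!    peer mirrors it (172.17.5.0/24 -> 10.254.0.0/16). The ASA checks
!    decrypted packets against this ACL, and a clear-text packet that
!    matches it is what produces "IPsec spoof detected".
access-list VPN-TRAFFIC extended permit ip 172.19.25.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip 10.254.0.0 255.255.0.0 172.17.5.0 255.255.255.0
!
! 2. Policy "outside NAT": only remote traffic bound for 10.254.0.0/16
!    is translated. Without the ACL, every decrypted packet from
!    172.17.5.0/24 would be matched by nat (outside) 2 and, lacking a
!    matching global on the inside interface, dropped.
access-list ASD-PAT-FROM-REMOTE extended permit ip 172.17.5.0 255.255.255.0 10.254.0.0 255.255.0.0
nat (outside) 2 access-list ASD-PAT-FROM-REMOTE outside
global (ASD_VPN) 2 interface
!
! 3. The existing NAT exemption for inside <-> remote stays as it was,
!    so that traffic keeps its real addresses inside the tunnel.
access-list NONAT extended permit ip 172.19.25.0 255.255.255.0 172.17.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Test it with a real ping from a 172.17.5.0/24 host rather than with packet-tracer, for the reason Amitashwa gave above. show xlate | include 172.17.5 should then show a PAT entry to the ASD_VPN address, and the #pkts decaps and #pkts encaps counters in show crypto ipsec sa peer <peer-ip> should both increase. With the default sysopt connection permit-vpn in place the decrypted packets bypass the outside interface ACL, so no permit statement there is needed for this flow.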

kashi_login Wed, 06/22/2011 - 05:03

Hi  Amit,

I need to clarify a few points on FWSM failover in multi-context mode, the same as is done in context-based failover on the Cisco ASA.

We have 2 FWSMs in 2 different chassis at Site A and Site B. The FWSM module in site A is in Active mode and the other module in site B is in Standby mode.

I want to set up 2 security contexts X and Y in the active FWSM which would get replicated to the standby FWSM.

Both contexts have separate inside and outside virtual interfaces and do not share any of their interfaces with each other.

We use static routing, as dynamic routing is not yet supported in multi-context mode. Is that right?

Is it possible to setup the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?

Kashi

amitaaga Thu, 06/23/2011 - 06:56

Hi Kashi,

Please find the answers to your questions inline:

I want to setup 2 security contexts X and Y in active FWSM which would get replicated to standby FWSM.

In order to create security contexts on the active FWSM you will have to convert it to multiple mode. When you change from single to multiple it takes the running configuration from the single mode and adds it to the admin context. Also, these contexts will only get replicated over to the standby firewall if it is in multiple mode as well.

You can refer to the link given below to configure the firewall in multiple context:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml

Both contexts have separate inside and outside virtual interfaces and do not share any of their interface with each other.

We are use static routing as dynamic routing is not yet supported in multi-context mode. is that right?

Yes, it is correct.

Here is the link that states the same:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/contxt_f.html#wp1116132

Is it possible to setup the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?

Yes, it is possible to share the external interface between 2 contexts in routed mode.

Here is an example for your reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.html#wp1029314

Let me know in case of further questions or concerns.

Regards,

Amitashwa

kashi_login Thu, 06/23/2011 - 18:56

Amit,

Thanks for the response.

Is it possible to setup the 2 contexts to have 2 separate inside interfaces but a single common external interface? How?

you said, yes...it's possible.

1. What happens if the shared interface switchport is down? Will whole fwsm failover occurs?

2. Say, each of the 2 context is meant for 2 customers A and B who need to have separate links. In this case, shared interface is recommended or separate internal and external interface for each context?

3. Both the links of each customer would be terminated on 2 separate switchports. Say, if any one link is down, is it possible to only fail over that single context, or again the whole module fails over?

4. With dynamic routing not possible in multi context mode, is it possible to make FWSM failover automatic? or is it manual in any fwsm failover design type?

Kashi

amitaaga Sat, 06/25/2011 - 02:08

Hi Kashi,

Please find the answers to your questions inline:

1.Is it possible to setup the 2 contexts to have 2 separate inside interfaces but a single common external interface? How? you said, yes...it's possible. What happens if the shared interface switchport is down? Will whole fwsm failover occurs?

Yes, in this case both the contexts will become Active on the standby firewall. However, this is only possible if the 2 contexts sharing the outside interface are configured in Active/Standby failover. In this case, if the shared interface goes down then both the contexts will fail over to the Standby unit.

FWSM cannot have a shared vlan interface in active/active failover if there are only 2 contexts on it. FWSM can have a shared vlan interface in active/active failover only if the shared vlan remains in the same failover group.

Here is a link that explains how Active/Active failover works:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html#wp1041964

2. Say, each of the 2 context is meant for 2 customers A and B who need to have separate links. In this case, shared interface is recommended or separate internal and external interface for each context?

In this case I would suggest using unique internal and external interfaces in each context.

3. Both the links of each customer would be terminated on 2 separate switchports. Say, if any one link is down, is it possible to only fail over that single context, or again the whole module fails over?

If it is Active/Standby failover in multiple context then in case of any issues with any link belonging to any of the contexts both the contexts will fail over to the Standby firewall. However, in case of Active/Active failover if a link belonging to an Active context on one firewall goes down then the Standby context on the other firewall will become Active.

4. With dynamic routing not possible in multi context mode, is it possible to make FWSM failover automatic? Or is it manual in any FWSM failover design type?

Dynamic routing has nothing to do with failover. Failover happens automatically in case of FWSM depending upon unit/interface health monitoring.

Here is a link that talks about the same:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html#wp1042444

Regards,

Amit

kashi_login Sun, 06/26/2011 - 06:04

Thank you Amit for the response.

For the 4th question, regarding automatic FWSM failover, I think I did not put the question correctly; I will diagram it for you.

SiteA                                       SiteB

CoreSW1----CoreSW2------L2-----CoreSW3

      |                                             |

      |                                             |

ActFWSM1                             StndFWSM2

      |                                            |

      |                                            |

InetRTR1                                 InetRTR2         

      |                                            |

      | active link1                           | passive link2

      |------------Internetcloud--------------|

We have 2 fwsm mods in 2 separate chassis in SiteA and SiteB as shown above. Both modules are configured in Active/Standby mode, and both routers RTR1 and RTR2 connected to active and standby fwsm mods respectively. Routers are setup with HSRP for redundancy with static routing for local LAN and BGP with ISP for multihoming.

The default route in the active FWSM is pointing to the router HSRP virtual IP, so in case the active router, RTR1, fails, the standby router, RTR2, takes over. In this situation, when the active router is down, the FWSM is not failing over automatically. We have to manually fail over the FWSM to SiteB and then traffic comes over from

link2 --->CoreSw3--->Link2--->CoreSw2---->CoreSw1---> To local LAN

I'm looking to automate FWSM failover and I want your opinion on my solution, if it's correct; else suggest one:

Remove static routing on the routers, use dynamic routing and ensure the default route is injected into the active FWSM by dynamic routing on the routers, so that when the router is down the injected default route is removed and the FWSMs realize their upstream device/link is down and would fail over.

Thanks - Kashi

amitaaga Mon, 06/27/2011 - 13:27

Hi Kashi,

The solution that you have in mind will not work because the firewall will not look at its routing table to determine the status of the upstream device/link in order to fail over. If the interface connecting to the upstream device is a monitored interface on the firewall then hellos will be sent out on this interface from both the firewalls, and in case either firewall does not receive hellos on this interface then they will run the following tests (in order) to check the status of the interface:

Link Up/Down test - Is the link up or down

Network Activity test - Am I receiving any traffic on this interface

ARP test - Generate ARP request for most recently learnt ARP entries on that interface.

Broadcast Ping test - Generate a broadcast ping on that interface

If all network tests fail for an interface, but this interface on the other unit continues to successfully pass traffic, then this interface will be considered as failed, and if the threshold for failed interfaces is met, then a failover will occur.

In your case I would like to know if the interface/vlan connecting the FWSM to the router is being monitored or not. Also, is there a way for the hellos to be exchanged between the firewalls on the outside interface (as per the diagram I do not see any connection between the routers like a trunk port or something)?

Regards,

Amit

kashi_login Tue, 06/28/2011 - 00:16

Thanks for the response Amit.

As i mentioned each FWSM mod has 2 contexts, X and Y.

Each context has its own inside and outside interface, and context Y has a DMZ interface as well.

As part of failover configuration, i have configured following commands to monitor all the interfaces within a context

monitor-interface inside

monitor-interface outside

monitor-interface dmz

Both the routers are interconnected using a Layer 2 link that connects both the sites, A and B. This link is where the hello packets are being shared between both the modules and therefore the interface, I believe. Correct me if I'm wrong.

Routers are set up with HSRP on their interfaces connecting to the FWSM external interface, and the other interface connecting to the ISP is being tracked.

How can i rate your comments, i do not see any option.

amitaaga Tue, 06/28/2011 - 11:10

Hi Kashi,

Your understanding about the hello packet exchange on the outside interface of the firewalls looks correct.

Also, you mentioned earlier that:

The default route in the active FWSM is pointing to the router HSRP virtual IP, so in case the active router, RTR1, fails, the standby router, RTR2, takes over. In this situation, when the active router is down, the FWSM is not failing over automatically. We have to manually fail over the FWSM to SiteB and then traffic comes over from

link2 --->CoreSw3--->Link2--->CoreSw2---->CoreSw1---> To local LAN

So, help me understand the status of failover on the active FWSM when RTR1 goes down. Does the outside interface change state to Waiting or Failed when RTR1 goes down? Also, what is the interface policy set to for failover?

Regards,

Amit

kashi_login Tue, 06/28/2011 - 20:39

Amit,

The interface policy is set to 50%, i.e. if any one interface goes down, FWSM failover should trigger.

When RTR1 goes down, say, we reboot it, the FWSM context outside interface does not go down, I don't know why, and we are therefore forced to manually fail over the FWSM.

When RTR1 goes down, as it is set up for HSRP, RTR2 takes over the active role. But as the FWSM does not fail over, traffic does not pass, and we are forced to fail over the FWSM, in which case both the standby FWSM and RTR2 become active and only then does traffic pass into the local LAN from outside.

A few questions:

a. As each context has virtual interfaces, would they ever go down?

b. Is the monitor-interface command meant to monitor the virtual interface in the contexts or the switchport to which the virtual interface is mapped? Because, even if I shut the switchport, the virtual interface is not going down.

amitaaga Thu, 06/30/2011 - 12:59

Kashi,

As soon as RTR1 goes down, RTR2 takes over (it takes the virtual ip and mac from RTR1), as a result of which the FWSM does not see any change on its outside interface and does not drop any packets on that interface, and thus does not fail over. In order to test failover in this case, shut down the actual port on the switch that connects it to RTR1 and then check the status of "show failover" in the context. Also, you can apply captures in this context from active ip to standby ip and vice versa to check the hello packets on this interface.

Here is a doc that explains how to take captures off the FWSM:

https://supportforums.cisco.com/docs/DOC-1222

Here are the answers to your questions:

a. As each contexts has Virtual Interfaces, would they ever go down?

The FWSM does not have any physical ports of its own. It only has logical interfaces in the form of vlans that are pushed to it from the switch. In case of failover on FWSM an interface would only show up as failed if it stops receiving hellos on that interface and then, during interface testing, all network tests fail for it but this interface on the other unit continues to successfully pass traffic. Unless a vlan that is getting pushed to the FWSM goes down on the switch it will not show up as down on the FWSM.

b. Is the monitor-interface command meant to monitor the virtual interface in the contexts or the switchport to which the virtual interface is mapped? Because, even if I shut the switchport, the virtual interface is not going down.

This command is used to monitor the interface assigned to the context in failover. Here is more information about this command:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/m.html#wp1765154

Regards,

Amit

kashi_login Fri, 07/01/2011 - 04:18

Amit,

Now that you know about our topology,

Can you please let me know the solution on how i can make the FWSM failover automatic.

Kashi

rparashar Thu, 06/23/2011 - 00:38

I have a website hosted on an internal web server (say 10.0.0.1) and would like to access it from inside using its external ip address (say 1.1.1.1) in the same way as I do from the Internet. Also, I am doing port forwarding for traffic going to this web server, so basically traffic comes in on 443 for the outside ip (1.1.1.1) of the firewall and gets redirected to the internal ip (10.0.0.1) on 8443. So, basically the internal server is listening on 8443 for web traffic. Please let me know how I can get the website to work for a user who is on the inside of an ASA running 8.3.2 code on it.

amitaaga Thu, 06/23/2011 - 06:05

Hi Ratnesh,

Based on the description that you have provided I am assuming that when you do “nslookup” for the website from a machine on the inside network it gets resolved to its external ip address i.e 1.1.1.1.

Here are the commands that you need to configure on the ASA to achieve the desired objective:

1]

object network Server-Internal

host 10.0.0.1

nat (inside,inside) static 1.1.1.1 service tcp 8443 443

This command will redirect traffic destined for 1.1.1.1 on port 443 on the inside interface of the ASA to 10.0.0.1 on port 8443 back out the same interface.

2] same-security-traffic permit intra-interface

This command will allow the ASA to U-turn the traffic coming on its inside interface back out the same interface again.

3]

object network obj-10.0.0.0

subnet 10.0.0.0 255.255.255.0

nat (inside,inside) dynamic interface

This command will ensure that the source of the traffic gets PATTED to the inside ip address of the ASA so that the web server is forced to send the SYN-ACK back to the ASA otherwise the server would send it directly to the inside host and in that case the ASA would drop the ACK from the client as it would not have seen a SYN-ACK from the server going through it. This step is required to maintain the stateful behavior of the firewall.

Hope this helps. Let me know in case of further questions or concerns.

Regards,

Amitashwa
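As an added example (not part of the thread), the same U-turn can be expressed as a single ASA 8.3 twice NAT rule that PATs only the traffic going to the web server, instead of the object NAT in step 3 above, which PATs every inside-to-inside flow. It replaces steps 1 and 3 of the answer; step 2 is still required. The object names, the inside subnet 10.0.0.0/24 and the sample client address used in the check are assumptions.

```cisco
! Added example, not from the thread. ASA 8.3 syntax.
object network Server-Internal
 host 10.0.0.1
object network Server-Public
 host 1.1.1.1
object network Inside-LAN
 subnet 10.0.0.0 255.255.255.0
!
! Service objects name only the destination port, which is what
! twice NAT with a dynamic source allows.
object service HTTPS-Public
 service tcp destination eq 443
object service HTTPS-Internal
 service tcp destination eq 8443
!
! Still required: the ASA must be allowed to send traffic back out
! the interface it arrived on.
same-security-traffic permit intra-interface
!
! Twice NAT (section 1, evaluated before object NAT):
!   source      : real 10.0.0.0/24 -> mapped to the inside interface address (PAT),
!                 so the server replies to the ASA and the connection stays stateful
!   destination : mapped 1.1.1.1 -> real 10.0.0.1
!   service     : mapped destination port 443 -> real destination port 8443
! Order of the two service objects follows the rule syntax:
!   service real_src_mapped_dest mapped_src_real_dest
nat (inside,inside) source dynamic Inside-LAN interface destination static Server-Public Server-Internal service HTTPS-Public HTTPS-Internal
!
! The Internet-facing port forward is unchanged (object NAT, section 2).
object network Server-Internal
 nat (inside,outside) static 1.1.1.1 service tcp 8443 443
```

Check it with packet-tracer input inside tcp 10.0.0.50 40000 1.1.1.1 443 detail: the NAT phase should show the destination un-translated to 10.0.0.1/8443 and the source translated to the inside interface address, and the result should be ALLOW with an output interface of inside. Because section 1 rules are matched first and in order, put this rule above any broader (inside,inside) twice NAT rule, or the broader rule will win.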

r.robins Thu, 06/23/2011 - 12:17

Hi All,

Apologies if this sounds like the wrong thing to say on a Cisco Support forum. Many people have so far asked if the ASA can do this and that, and mostly the answer seems to be no.

Do we all think Cisco is trying hard enough to raise the profile of these devices? I have heard through the channel that they are concerned about not being strong in the firewall/security arena, yet they seem determined to do as much damage as possible themselves.

1. ISP load share - not available

2. Load Balanced Site to Site vpn

3. NAT from 8.3 onwards - complete mess

4. Passive FTP through firewalls from 8.3 on - doesn't work

Cisco really need to put the effort in now to raise their game. Checkpoint and Juniper must be laughing out loud

amitaaga Thu, 06/30/2011 - 13:52

Hi Robins,

Here is my take on the points raised by you:

1. ISP load share - not available

We don't support ISP load balancing on the ASA because we cannot configure more than 1 default route on the ASA, as by design it is not supposed to work like a router. However, as I mentioned earlier, we do support ISP fallback on ASA, and there are workarounds to support ISP load balancing as well with ASA, as specified in the links given below:

https://supportforums.cisco.com/docs/DOC-15622#comment-7229

https://supportforums.cisco.com/docs/DOC-13015#What_other_options_do_we_have

2. Load Balanced Site to Site vpn

Again, by design L2L tunnels should terminate on the native outside ip address of the head-end ASA and not to the virtual ip or "vcpip" address of the ASA's in cluster. However, we do support this feature for remote access VPN as mentioned earlier.

3. NAT from 8.3 onwards - complete mess

NAT in 8.3 has been simplified and is pretty powerful. It gives us a lot more flexibility in configuring NAT as opposed to the previous versions of the ASA. However, this is a major migration step as the configuration style has been completely changed in it so we can see things breaking after the upgrade but then this is true of any major migration. Having said that I would like to mention that many of our customers have been able to successfully upgrade to 8.3 and are happy with it.

Here is a video that outlines the things that we need to know before upgrading to 8.3 on ASA:

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/05/26/video-asa-83-upgrade--what-you-need-to-know

Also, here are a few links to configure nat on 8.3:

Configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html

ASA Pre-8.3 to 8.3 NAT configuration examples:

https://supportforums.cisco.com/docs/DOC-9129#comment-3934

4. Passive FTP through firewalls from 8.3 on - doesn't work

There is no known issue found in ASA 8.3 with passive FTP. There is a known issue with passive FTP; however, this only applies if the following conditions are met:

1) The ASA must be running version 8.4(1) or greater

2) The ASA must have multiple CPUs. ASA 5580 and 5585 platforms are affected by this problem. The ASA 5505, 5510, 5520, 5540 and 5550 platforms are NOT affected by this problem

3) The FTP connection must be subjected to port address translation (PAT) on the ASA. Connections subjected to static NAT, or connections that do not hit any NAT rule on the ASA will not encounter this problem.

Regards,

Amit

amitaaga Mon, 06/27/2011 - 14:25

Hi Jose,

I have gone through the previous post and would like you to provide me the following information to help you further:

1] Object definitions of the following objects:

POLCIA-remote-net-1

POLCIA-remote-net-2

EXT_CORP-remote-nets-group

EXT_CORP-Local-networks-group

2] With the following configuration on the ASA:

nat (any,PublicBT) source static  EXTERNAL_COMPANY_NAME-Local-networks-group  EXTERNAL_COMPANY_NAME-Local-networks-group destination static  EXTERNAL_COMPANY_NAME-remote-nets-group  EXTERNAL_COMPANY_NAME-remote-nets-group

nat (any,PublicTESA) source dynamic any interface description Nat to internet On PublicTESA interface

If you sent a packet from interface Users using 172.16.30.41 to 172.21.250.206, it got sent to PublicTESA, doing NAT with PUBLIC_IP1. However, after adding the following command everything started to work as expected:

nat (PublicBT,any) source static EXT_CORP-remote-nets-group  EXT_CORP-remote-nets-group destination static  EXT_CORP-Local-networks-group EXT_CORP-Local-networks-group inactive

So, it seems that this nat rule was already configured on the firewall and you disabled it? Is this understanding correct?

3] Output of the packet-tracer command from the CLI for both the working and non-working scenarios:

packet-tracer input Users tcp 172.16.30.41 2020 172.21.250.206 80 det

Regards,

Amit

bergiacarlos Mon, 06/27/2011 - 07:55

Hi Amitashwa,

I have the following rule on my ASA (5520 - 8.2(2))

static (inside,outside) tcp 190.1.1.1 192.168.1.1 netmask 255.255.255.255

and I want to change inside IP, so I execute the following commands:

no static (inside,outside) tcp 190.1.1.1 192.168.1.1 netmask 255.255.255.255

static (inside,outside) tcp 190.1.1.1 192.168.1.2 netmask 255.255.255.255

clear xlate

clear local-host

But after doing that, I still see that the firewall keeps trying sending traffic to 192.168.1.1

Am I forgetting any other clear command?

Thanks a lot!

Carlos

amitaaga Mon, 06/27/2011 - 12:50

Hi Carlos,

In order to remove static xlates from the firewall, we must remove the "static" command from the configuration. The "clear xlate" command does not remove the static translation rule. If we remove a static command from the configuration, then preexisting connections that use the static rule can still forward traffic. In order to deactivate these connections we need to use the "clear local-host" command.

So, you are not missing any clear command here. Run the "clear local-host 192.168.1.1" command a few times after putting in the new static and then try to access it again to see if that helps. If the issue persists, please send me the following outputs from the firewall:

sh run static | in 192.168.1

sh conn | in 192.168.1

sh xlate | in 192.168.1

packet-tracer input outside tcp 4.2.2.2 4020 190.1.1.1 80 det

Regards,

Amit

bergiacarlos Mon, 06/27/2011 - 14:54

Amit, the complete scenario is this:

I have 2 static nat rules:

static (inside,outside) 190.1.1.1 192.168.1.1 netmask 255.255.255.255

static (inside,outside) 190.1.1.2 192.168.1.2 netmask 255.255.255.255

what I want to do is change that NAT to this (192.168.1.2 <--> 190.1.1.1):

so I execute the following commands:

NO static (inside,outside) 190.1.1.1 192.168.1.1 netmask 255.255.255.255 (remove old line)

NO static (inside,outside) 190.1.1.2 192.168.1.2 netmask 255.255.255.255 (remove old line)

static (inside,outside) 190.1.1.1 192.168.1.2 netmask 255.255.255.255 (add new line)

clear xlate

clear local-host 192.168.1.1

clear local-host 192.168.1.2

The outputs of the show commands are:

show xlate

     Global 190.1.1.1 Local 192.168.1.2

show conn | inc 192.168.1.1

    

show local-host 192.168.1.1

    

show run static | inc 192.168.1.1

    

If I verify with packet trace (in ASDM) all seem to be configured correctly.

BUT, if I capture traffic with Wireshark outside the network, internal IP 192.168.1.2 goes out as 190.1.1.2. And that is very weird, because I don't have any static NAT rule for that, but Wireshark doesn't lie hehe.

I don't know if I was clear.

Thanks, Carlos

PS:

Packet tracer output (filtered)

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,outside) 190.1.1.1 192.168.1.2 netmask 255.255.255.255

nat-control

  match ip inside host 192.168.1.2 outside any

    static translation to 190.1.1.1

    translate_hits = 6, untranslate_hits = 210

Additional Information:

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) 190.1.1.1 192.168.1.2 netmask 255.255.255.255

nat-control

  match ip inside host 192.168.1.2 outside any

    static translation to 190.1.1.1

    translate_hits = 6, untranslate_hits = 210

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow
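
The check Carlos did by eye on the packet-tracer output above can be scripted, which is handy when the same verification has to be repeated after every NAT change. The following is an added example and not code from the thread or from Cisco; it parses the phase records of a "packet-tracer ... detail" run, pulls out the NAT decision (real host, mapped address, hit counters) and the final verdict, and compares the translation against what you expect. The sample output is a constructed copy of the phase-8 block and the Result block posted above.

```python
"""Parse 'packet-tracer ... detail' output from an ASA and extract the NAT
decision plus the final verdict. Added example, not from the thread; the
sample is a constructed copy of the phase-8 output Carlos posted."""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 190.1.1.1 192.168.1.2 netmask 255.255.255.255
nat-control
  match ip inside host 192.168.1.2 outside any
    static translation to 190.1.1.1
    translate_hits = 6, untranslate_hits = 210
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)")
MATCH_RE = re.compile(r"match ip \S+ host (\S+) ")
XLATE_RE = re.compile(r"static translation to (\S+)")
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # raw lines under 'Config:'


def parse_packet_tracer(text):
    """Return (phases, final): per-phase records and the trailing 'Result:' block."""
    phases, final = [], {}
    current, section = None, None              # section: 'config' or 'final'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":                 # bare header = final verdict block
            current, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif current is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            setattr(current, key.lower(), value.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = None
        elif section == "config":
            current.config.append(line)
    return phases, final


def nat_decisions(phases):
    """(phase, subtype, real host, mapped ip, translate_hits, untranslate_hits) per NAT phase."""
    out = []
    for p in phases:
        if p.type != "NAT":
            continue
        real = mapped = None
        hits = (None, None)
        for line in p.config:
            if MATCH_RE.search(line):
                real = MATCH_RE.search(line).group(1)
            elif XLATE_RE.search(line):
                mapped = XLATE_RE.search(line).group(1)
            elif HITS_RE.search(line):
                h = HITS_RE.search(line)
                hits = (int(h.group(1)), int(h.group(2)))
        out.append((p.number, p.subtype, real, mapped) + hits)
    return out


def check_translation(text, real_host, expected_mapped):
    """Confirm the trace maps real_host to expected_mapped and report the verdict."""
    phases, final = parse_packet_tracer(text)
    decisions = nat_decisions(phases)
    ok = any(d[2] == real_host and d[3] == expected_mapped for d in decisions)
    return {"action": final.get("Action"), "egress": final.get("output-interface"),
            "translation_matches": ok, "nat_phases": [d[1] for d in decisions]}
```

Feed it the output of the packet-tracer command from the CLI (the "det" form, as Amit asked for above); if "translation_matches" is true and the action is "allow" while an external capture still shows a different source address, the translation is happening somewhere other than on this firewall.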

amitaaga Tue, 06/28/2011 - 09:32

Hi Carlos,

Thanks for the detailed explanation.

Everything looks good on the firewall and as per the packet tracer output it seems to be translating host 192.168.1.2 to 190.1.1.1 correctly while it is going out via its outside interface.

However, to further confirm it apply a capture on the outside interface of the ASA as follows:

access-list capout permit ip host 190.1.1.1 host 4.2.2.2

capture capo access-list capout interface outside

Generate a ping from host 192.168.1.2 for 4.2.2.2

Check the capture on the outside interface of the ASA "show cap capo"

If the capture on the firewall shows that the source is getting translated to 190.1.1.1 (which I think it will), then you need to see where exactly you are capturing this traffic on the outside. Maybe there is another device outside the firewall (like a router) which is further translating the source to 190.1.1.2.

Regards,

Amit

MSAD_ADMIN Mon, 06/27/2011 - 18:39

Hi Amitashwa,

In a failover configuration, can I configure a unique IP as the virtual IP, other than the physical devices' IPs? E.g. if ASA1 mgmt0/0 IP: 10.10.10.1, ASA2 mgmt0/0 IP: 10.10.10.2, can the failover IP be 10.10.10.3?

amitaaga Tue, 06/28/2011 - 09:53

Hi Mohamed,

When we configure failover on the ASA we do not assign IP addresses separately to the interfaces and then configure a virtual IP for the interfaces. It is not like an HSRP configuration on routers. When we set up failover on the ASA we just assign active and standby IP addresses on all the interfaces.

For Example: In case of Active/Standby failover when the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Please refer to the link given below to check a configuration example on failover:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas

Hope this helps.

Regards,

Amit

panjala_p Mon, 06/27/2011 - 22:15

Hi Amit,

We have an issue with our ASA 5510 firewall in HO and 5505 in BO; we are facing the problem at both ends in phase 2. Head office end:

#pkts encaps: 1113, #pkts encrypt: 1113, #pkts digest: 1113
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Branch office end:

#pkts encaps: 0, #pkts encrypt: 1113, #pkts digest: 0
      #pkts decaps: 1113, #pkts decrypt: 0, #pkts verify: 1113

So far I have checked the ACL policy, no issue found; I checked the routes, no issues found. Need your suggestion to dig further to close the issue.

Best Regards
PRASAD


amitaaga Tue, 06/28/2011 - 10:07

Hi Shiva,

Looks like the problem is at the branch office end. Please make sure that you have a NAT exempt rule configured at the branch office side to exempt the VPN traffic from getting NATted on the branch office firewall. If the NAT exempt rule is in place, then apply a capture on the inside interface of this firewall to capture decrypted traffic and see if it is able to leave the firewall and make its way back to it.

Eg (the capture goes on the inside interface of ASA-BR):

A ----- ASA-HO ----- Internet ----- ASA-BR ----- B

ASA-BR:

access-list capin permit ip host A1 host B1

access-list capin permit ip host B1 host A1

capture capi access-list capin interface inside

show cap capi

Regards,

Amit
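
The reasoning Amit applies here (head office encapsulates, branch decapsulates but never encapsulates, so the reply traffic is not entering the tunnel at the branch) reduces to a comparison of the encaps/decaps counters on the two ends. The following is an added example, not code from the thread or from Cisco; it parses the "#pkts" lines from a "show crypto ipsec sa" excerpt on each side and reports which direction is broken. The two excerpts are the counter lines Prasad posted; the interpretation strings are my own wording of the usual causes.

```python
"""Compare the '#pkts' counters from 'show crypto ipsec sa' on both ends of an
IPsec tunnel and say which direction is broken. Added example, not from the
thread; the two excerpts are the counter lines Prasad posted."""
import re

COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")

# Counter lines as posted for the head office (HO) and branch office (BO) ends.
HO_SA = """#pkts encaps: 1113, #pkts encrypt: 1113, #pkts digest: 1113
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"""
BO_SA = """#pkts encaps: 0, #pkts encrypt: 1113, #pkts digest: 0
      #pkts decaps: 1113, #pkts decrypt: 0, #pkts verify: 1113"""


def parse_sa_counters(text):
    """Map counter name -> value for every '#pkts <name>: <n>' field in the excerpt."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def diagnose_tunnel(local, remote, local_name="local", remote_name="remote"):
    """Return a list of findings about traffic direction based on encaps/decaps.

    encaps = packets this side put into the tunnel, decaps = packets it took out.
    On a healthy tunnel both counters grow on both sides."""
    l_out, l_in = local.get("encaps", 0), local.get("decaps", 0)
    r_out, r_in = remote.get("encaps", 0), remote.get("decaps", 0)
    findings = []
    if l_out == 0 and r_out == 0:
        return [f"neither {local_name} nor {remote_name} encapsulates anything: "
                "no interesting traffic is reaching the crypto map on either side"]
    if l_out > 0 and r_in == 0:
        findings.append(f"{local_name} encapsulates but {remote_name} decapsulates nothing: "
                        "ESP is lost between the sites")
    if r_in > 0 and r_out == 0:
        findings.append(f"{remote_name} receives and decapsulates but sends nothing back: "
                        f"return traffic is not entering the tunnel at {remote_name} "
                        "(check NAT exemption and inside routing there)")
    if r_out > 0 and l_in == 0:
        findings.append(f"{remote_name} encapsulates but {local_name} decapsulates nothing: "
                        f"ESP from {remote_name} is lost on the way back")
    if l_in > 0 and l_out == 0:
        findings.append(f"{local_name} receives but sends nothing: return traffic is not "
                        f"entering the tunnel at {local_name} (check NAT exemption and routing)")
    return findings or ["counters increment in both directions: the tunnel is passing traffic"]


if __name__ == "__main__":
    for line in diagnose_tunnel(parse_sa_counters(HO_SA), parse_sa_counters(BO_SA),
                                "head office", "branch office"):
        print(line)
```

Take two snapshots a few seconds apart rather than a single reading: it is the counters growing, not their absolute value, that tells you traffic is flowing now, and the inside-interface capture Amit suggests then shows whether the decrypted packets leave the branch firewall and come back.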

AliAhmad12 Tue, 06/28/2011 - 22:37

Hi Amitashwa ,

I have two ASA 5550s operating in Active/Standby mode. I want to remotely manage both of these ASAs (i.e. telnet, SSH and ASDM) but at present I am only able to manage the active one. Please specify what can be done to manage the secondary ASA. I need your response on an urgent basis.

It will be highly appreciated if you answer this reservation with some configuration/scenario.

Thanks

Ali Ahmad

amitaaga Wed, 06/29/2011 - 07:14

Hi Ali,

If you have assigned active and standby IP addresses to all the interfaces of the firewalls in failover, then you should be able to manage the standby firewall using the standby IPs.

For Eg:

                 ------------Switch2--------------

                |                                     |

                |                                     |

            ASA 1 --------------------------- ASA 2

                |10.1.1.1                         | 10.1.1.2

                |                                     |

                  -----------Switch1--------------

                                |

                              PC (10.1.1.10)

ASA 1 and ASA 2 are in Active/Standby failover. ASA 1 is the primary-active unit and ASA 2 is the secondary-standby unit. So, the primary active unit has 10.1.1.1 assigned to its inside interface and the secondary standby unit has 10.1.1.2 assigned to its inside interface.

Now, in order to manage both the firewalls using telnet/ssh/https from a PC on the internal network I will need the following commands on the active unit (since the firewalls are in failover these commands will get replicated over to the standby unit):

telnet 10.1.1.0 255.255.255.0 inside

ssh 10.1.1.0 255.255.255.0 inside

http server enable

http 10.1.1.0 255.255.255.0 inside

From the PC if I telnet to 10.1.1.1 then I should be able to telnet into the primary-active firewall. Similarly, from this PC if I telnet to 10.1.1.2 then I should be able to telnet into the secondary-standby unit.

Regards,

Amit

johnny.loh Wed, 06/29/2011 - 08:14

Hi Amitashwa,

I have newly installed an ASA 5505 (ver 8.2) in my branch office, but I am having a problem when using the Cisco VPN client on my PC and trying to access a remote host located in my HQ.

Branch PC with Cisco VPN Client (192.168.1.x) -> ASA5505 -> Internet -> HQ VPN (Public IP) -> Host (10.10.1.x)

The VPN connection is established but I can't access any web server or shared folder in HQ. This wouldn't happen with the earlier cheap D-Link router.

I believe I must be missing something and would appreciate it if you could assist me by providing some guidelines on it. I'm new to Cisco.

Regards,

Johnny

amitaaga Thu, 06/30/2011 - 10:08

Hi Johnny,

It seems that the PC with the VPN client installed on it is getting PATted on the ASA 5505 before it connects to the VPN headend device. Therefore, please enable the following command on the headend device to allow it to negotiate NAT-T (NAT traversal) with the client, which will in turn allow ESP packets to pass through the PATting device:

crypto isakmp nat-t

Here is more information about this command:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1052476

If you don't have access to the headend device, then another workaround to the issue could be to use a static 1-to-1 mapping for the PC on the ASA 5505.

Regards,

Amit

pemasirid Wed, 06/29/2011 - 12:41

Hi Amitashwa,

We have the scenario attached in this post, where we have the same subnet (172.21.0.0/16) behind our DMZ and our management interfaces on our Cisco ASA.

Supposing we can't modify our subnets, and we want to use source routing on the ASA as below:

1) All traffic arriving from outside with source IP address 10.1.163.0/24 and destination 172.21.0.0/16 be routed to DMZ (10.46.254.19)

2) Any other traffic with destination IP address 172.21.0.0/16 be routed to management (172.21.3.65).

We know that this scenario is possible on a router if we use route maps to route based on the source IP address.

However, we have noticed that route maps can't be associated with route statements on the ASA.

Can you please propose a solution to this problem on the ASA (any workaround, any possible alternative configuration)?

Thanks

amitaaga Thu, 06/30/2011 - 12:04

Hi,

Source-based routing (policy-based routing) is not supported on the ASA. Therefore, the ASA cannot take any routing decision based on the source of the traffic. Routing on the ASA works as follows:

STEP 1: Check if there is any translation for the destination:

i) If yes, send the packet to the destination interface as per the translation and then do a route lookup on that interface for the real IP address of the destination.

ii) If no, then go to STEP 2.

STEP 2: Do a route lookup for the destination IP address.

(Usually, all outbound traffic (going from a high to a low security level) follows STEP 2 to route packets, and all inbound traffic (coming from a low to a high security level) follows STEP 1 to route packets.)

Therefore, keeping the above in mind a workaround to the issue could be:

Translate the 172.21.0.0/16 network behind the DMZ to some other unused subnet on the Outside and ask the users on the 10.1.163.0/24 subnet to connect to that unused subnet (say 172.22.0.0/16) instead of the 172.21.0.0/16 subnet to get to resources on the DMZ.

static (DMZ,Outside) 172.22.0.0 172.21.0.0 netmask 255.255.0.0

access-list outside_in permit ip 10.1.163.0 255.255.255.0 172.22.0.0 255.255.0.0

access-group outside_in in interface Outside

and at the same time allow users on Outside to continue to use 172.21.0.0/24 to get to resources on the Management interface:

static (Management,Outside) 172.21.0.0 172.21.0.0 netmask 255.255.0.0

access-list outside_in deny ip 10.1.163.0 255.255.255.0 172.21.0.0 255.255.0.0

access-list outside_in permit ip any 172.21.0.0 255.255.0.0

(Note: The above configuration will only work if the ASA has specific routes to get to the destination subnets in the 172.21.0.0/16 subnet through the DMZ and the Management interface respectively. This is required as we cannot configure 2 routes to the same destination subnet through 2 different interfaces on the ASA, something like:

route DMZ 172.16.0.0 255.255.0.0 x.x.x.x

route Management 172.16.0.0 255.255.0.0 y.y.y.y)

Here is another example of overlapping subnets on ASA:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043610

Hope this helps.

Regards,

Amit

AliAhmad12 Thu, 06/30/2011 - 00:22

Hi  Amit ,

Ali Ahmad again! First of all, thanks for your response. Your scenario is OK in case the PC is on the local subnet, but I want to remotely manage it, for which the secondary FW must have dynamic routes for remote subnets. I think that the issue lies there?

Can you elaborate on how the secondary FW can obtain remote subnets through OSPF and whether it is possible? If it is possible, kindly highlight a config scenario like you did before. Thanks

Best Regards,

Ali Ahmad

huangedmc Thu, 06/30/2011 - 04:28

ASAs at our remote sites typically have at least three interfaces: INSIDE, MPLS, and OUTSIDE.

We seem to always have problems with NAT between INSIDE and MPLS due to overlapping subnets.

The 10.0.0.0/8 supernet routes through MPLS, while a more specific subnet such as 10.1.1.0/24 routes through INSIDE.

In the routing world, routers can easily identify what to do: the more specific route wins.

However, the same rule doesn't seem to apply to NATing on the ASAs: it has problems NATing between interfaces that have overlapping subnets, even though one is more specific than the other.

Is that just the nature of NATing on the ASAs?

Do you have any tips or suggestions around this issue?

amitaaga Thu, 06/30/2011 - 12:12

Hi,

The ASA takes routing decisions as specified below:

STEP 1: Check if there is any translation for the destination:

i) If yes, send the packet to the destination interface as per the translation and then do a route lookup on that interface for the real IP address of the destination.

ii) If no, then go to STEP 2.

STEP 2: Do a route lookup for the destination IP address.

(Usually, all outbound traffic (going from a high to a low security level) follows STEP 2 to route packets, and all inbound traffic (coming from a low to a high security level) follows STEP 1 to route packets.)

Here is an example of overlapping subnets configuration on ASA:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043610

See if this helps. Let me know in case of further questions or concerns.

Regards,

Amit
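
The two-step egress decision Amit describes in this reply and in the earlier DMZ/Management answer can be modelled in a few lines, which makes it easier to reason about both the overlapping-subnet workaround (two statics on Outside, each sending a different mapped range to a different interface) and the INSIDE/MPLS question (no translation, so longest prefix wins in STEP 2). The following is an added illustration, not ASA code or anything from Cisco: the model keeps statics in configuration order, un-translates the destination through the matching static, and looks the real address up only among the routes on the interface the static selects, which is exactly where the note about needing specific routes bites. The /24 routes, the MPLS next hop and the INSIDE next hop are constructed values; the 172.22.0.0/16 and 172.21.0.0/16 statics and the 10.46.254.19 and 172.21.3.65 next hops are the ones from the thread.

```python
"""Model of the ASA egress-interface decision described above (STEP 1: a static
translation for the destination picks the interface, then a route lookup on
that interface; STEP 2: plain longest-prefix route lookup). Added illustration,
not ASA code; the /24 routes and the MPLS/INSIDE next hops are constructed."""
import ipaddress


class AsaEgress:
    def __init__(self):
        self.statics = []   # (real_if, mapped_if, mapped_net, real_net), in config order
        self.routes = []    # (interface, network, next_hop)

    def add_static(self, real_if, mapped_if, mapped_net, real_net):
        """Mirror 'static (real_if,mapped_if) mapped real netmask ...'."""
        self.statics.append((real_if, mapped_if, ipaddress.ip_network(mapped_net),
                             ipaddress.ip_network(real_net)))

    def add_route(self, interface, network, next_hop):
        """Mirror 'route interface network mask next_hop'."""
        self.routes.append((interface, ipaddress.ip_network(network), next_hop))

    def route_lookup(self, dst, interface=None):
        """Longest-prefix match; optionally only among routes on one interface."""
        dst = ipaddress.ip_address(dst)
        best = None
        for iface, net, nh in self.routes:
            if interface is not None and iface != interface:
                continue
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net, nh)
        return best

    def egress(self, ingress_if, dst):
        """Return (egress interface or None, real destination, which step decided)."""
        dst_ip = ipaddress.ip_address(dst)
        # STEP 1: a static whose mapped side faces the ingress interface and
        # covers the destination fixes the egress interface; the destination is
        # un-translated and then looked up only in that interface's routes.
        for real_if, mapped_if, mapped_net, real_net in self.statics:
            if mapped_if != ingress_if or dst_ip not in mapped_net:
                continue
            offset = int(dst_ip) - int(mapped_net.network_address)
            real_ip = str(ipaddress.ip_address(int(real_net.network_address) + offset))
            if self.route_lookup(real_ip, real_if) is None:
                return (None, real_ip, f"step1: static selects {real_if} but it has no route")
            return (real_if, real_ip, "step1-static")
        # STEP 2: no translation, so the routing table decides (most specific wins).
        hit = self.route_lookup(dst_ip)
        return (hit[0] if hit else None, str(dst_ip), "step2-route")


def overlapping_subnet_example():
    """The DMZ/Management workaround from the earlier reply, with constructed /24
    routes standing in for the 'specific routes' its note says are required."""
    asa = AsaEgress()
    asa.add_static("DMZ", "Outside", "172.22.0.0/16", "172.21.0.0/16")
    asa.add_static("Management", "Outside", "172.21.0.0/16", "172.21.0.0/16")
    asa.add_route("DMZ", "172.21.100.0/24", "10.46.254.19")      # constructed subnet
    asa.add_route("Management", "172.21.3.0/24", "172.21.3.65")  # constructed subnet
    return asa


def more_specific_route_example():
    """INSIDE vs MPLS: 10.0.0.0/8 via MPLS, 10.1.1.0/24 via INSIDE (constructed hops)."""
    asa = AsaEgress()
    asa.add_route("MPLS", "10.0.0.0/8", "10.255.255.1")
    asa.add_route("INSIDE", "10.1.1.0/24", "10.1.1.254")
    return asa


if __name__ == "__main__":
    asa = overlapping_subnet_example()
    for dst in ("172.22.100.5", "172.21.3.10", "172.22.50.1"):
        print("Outside ->", dst, asa.egress("Outside", dst))
```

The third lookup in the usage block shows the failure mode from the note: the static sends 172.22.50.1 to the DMZ as 172.21.50.1, but with no DMZ route covering 172.21.50.0/24 the packet has nowhere to go, because STEP 1 never falls back to routes on other interfaces.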

Posted June 20, 2011 at 9:21 AM