Facebook Forum - ASA Firewall

Unanswered Question
Sep 19th, 2011


Event Date/Time : Wednesday, September 28 ·  9:00am -  10:00am pacific time. For your local timezones, see http://bit.ly/oby74n

Location:  Facebook Fan Page ( http://www.facebook.com/CiscoSupportCommunity )

Join us to discuss and ask questions on the ASA Firewall. Our guest for the forum is Jitendriya Athavale. Jitendriya has been working with TAC for the last 2 years. He works in the FW-IDS team and supports customers in the APAC region. His area of expertise is ASA Firewalls.
We will cover a wide array of topics including:

ASA troubleshooting, NAT, ACLs, failover, upgrades, management, routing, crashes, performance, MPF and other feature-related topics.

What is a Facebook Forum?

Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. It gives you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.

On the day of the event, go to http://www.facebook.com/CiscoSupportCommunity. Once you go to our Facebook fan page, be sure and click "Like" to become  a member of our Facebook community! We'll post a welcome message at the beginning of the event. All subsequent conversations will be posted as comments to this main thread. You can post your questions as comments to this thread as well.

To RSVP for this event, please go to http://www.facebook.com/event.php?eid=221127497944388

morao Tue, 10/11/2011 - 11:53

Here's a condensed summary of the event.

How do I configure port forwarding in order to access an IP camera through the internet on an ASA 5510?

If you have a static IP then this link should help you in configuring a static one-to-one on an ASA.

https://supportforums.cisco.com/docs/DOC-2053

Additionally, see this link if you have ASA 8.3 or 8.4 because NAT configuration is a little different in version 8.3 and above. https://supportforums.cisco.com/docs/DOC-12324

If you do not have a static IP, or if you want to use the same IP as the interface IP, then you need to PAT it to a specific port on the interface.

static (inside,outside) tcp interface <mapped-port> 192.168.1.1 <real-port>

where 192.168.1.1 is your internal IP, <real-port> is the port the camera listens on, and <mapped-port> is the port on the outside interface address that is translated to it (the static PAT command needs both port arguments)

You work with a lot of customers. What are some of the most common issues you see from our customers?

This one is difficult to answer because I only cover 6 to 7 hours out of 24, but in general we see issues related to NAT, failover and upgrades. Also, what I have seen is that many times customers are not really sure if the firewall is the cause of the problem or if something else in the network is causing it. So as we go ahead I will give out some tips to troubleshoot so that you can find out and isolate the location of the problem.

So what are the tools available to troubleshoot and isolate the issue?

For me the top 3 tools would be packet tracer, packet capture and logs. If you use these you should be able to solve most of the problems yourself.

What factors could cause a site-to-site VPN to disconnect on its own? We have a site where the tunnel is up but it disconnects after a few days. Sometimes a ping on both sides is sufficient, but at other times we need to recreate the whole configuration.

This requires deep investigation, but in general what you can do is generate traffic, try to ping the other end and see if that brings up the tunnel. If that does not help, you will have to enable debugs and see what is going on. Also, you can enable captures and see if you are sending out traffic to the other end.

Is DPD enabled by default? Is it advisable to have it enabled?

Keepalives are enabled by default. With respect to DPD, make sure that both ends support DPD.

As a follow-up to the above question, what debugs should we enable to troubleshoot VPN scenarios?

Here are some debugs which will help in troubleshooting IPsec VPN related issues.

debug crypto isakmp 255

debug crypto ipsec 255

If you have more than one tunnel you can enable specific debugs by providing a condition. Here is the command to enable conditional debugs:

debug crypto condition peer x.x.x.x

where x.x.x.x is the peer IP

We have seen a lot of questions asking about how to use Packet Capture on our Facebook page. Do you have any document on this?

I wrote a document a while back that explains how to use packet capture. It also has some scenarios where packet capture is useful. Take a look at https://supportforums.cisco.com/docs/DOC-17814

You also mentioned "logs" as another favorite tool. Can you expand a little bit on that? How and when to use it?

Logs are everything. If the firewall is dropping a packet, 9 out of 10 times it will show up in the logs.

You can either send logs to a syslog server or send them to the buffer on the ASA itself.

How can one send logs to a syslog server? Can you provide some documentation or commands to do that?

The link below should help you configure the ASA for sending logs to the syslog server, but in general this is what you need:

1. Enable logging

2. Specify the IP of the syslog server

3. Define the level of messages that you want to send to the syslog server

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/monitor_syslog.html#wp1382850

Is there a way to send only a few specific messages to syslog or buffer?

Yes. This is really important for some administrators because they do not want to see everything and are interested in viewing only specific log messages. What you need to do is define a logging list and specify your criteria to filter on syslog IDs, and then you can send only specific log messages.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml#use

How does the change in NAT format in 8.3 and above affect network admins?

NAT syntax has changed a little bit from 8.3. Here is a nice little doc and some videos that explain the differences in NAT syntax between 8.2 and 8.3.

https://supportforums.cisco.com/docs/DOC-9129#comment-3934

https://supportforums.cisco.com/videos/2383

https://supportforums.cisco.com/videos/2428

https://supportforums.cisco.com/videos/1014

If I have a primary-standby and secondary-active pair which have been running that way for a long period of time, is it something to worry about? It's usually the other way around, isn't it?

No. It really does not matter. Primary and secondary are just labels. What matters is which is active and it is perfectly fine if secondary is active for a long time.

Is there a downtime required to upgrade a failover pair?

You will need downtime only if it is a major upgrade; for minor upgrades (which do not break failover) you don't need downtime. But in general it is always a good idea to do upgrades or downgrades in a maintenance window (just to play safe).

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1057338

With regard to the NAT changes in 8.3, if a user migrates from 8.2 to 8.3 or 8.4, does the ASA migrate the commands by itself or will the user need to configure the NAT rules again?

The ASA is capable of converting the NAT rules, but, having said that, this is a best-effort conversion, which means there is always a possibility that something might be broken after an upgrade to 8.3 or later from 8.2 and below. That is why we always suggest a maintenance window for this activity, and the span of the window could vary from network to network.

Can you tell us a little bit about the Smart Call Home feature? What is it exactly? What does it do? How does it benefit our users?

Cisco Smart Call Home is an award-winning, embedded support feature available on a broad range of Cisco products. This proactive support capability is provided at no additional cost when you have an active SMARTnet Service, SP Base, Unified Computing Support Service, or Mission Critical Support Service contract for the designated products.

Smart Call Home offers:

Visibility into your network through diagnostic reports on Call Home enabled devices

Real-time troubleshooting, alerts, and remediation advice

Automatic generation of Cisco service requests to Cisco technical engineers

Secure, reliable data transport

Personalized web-based portal to review Call Home messages, detailed diagnostics, recommendations, and inventory

You can read more about this and also look at the configuration here -> http://www.cisco.com/en/US/products/ps7334/serv_home.html

Just select the product and you will get a configuration example; this is also available in the config guide for each product.

What are the advantages of the Cisco ASA over the competition?

Here are some key findings from a third party research company that Cisco hired. You can find the entire report at http://connections.cisco.com/clearspace_community/docs/DOC-12311

• The Cisco ASA 5520 performed more than six times better in throughput than the competitive solutions in real-world multi-function threat mitigation

• The Cisco ASA 5520 delivered over three times more 3DES-encrypted VPN throughput than competitors when tested using real-world traffic

• The Cisco ASA 5520 scored 100 percent overall threat-detection success; competitors averaged only 30 to 40 percent

• The Cisco ASA 5520 demonstrated the highest connection-establishment rate, surpassing the closest competitor by more than four times, in real-world, multi-function, threat-mitigation performance comparisons

You can catch the entire discussion on Facebook at

http://www.facebook.com/CiscoSupportCommunity/posts/10150389947391412

You can catch the summary on Facebook Notes at

http://www.facebook.com/note.php?note_id=264432483595362
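As an added example (not part of the forum summary or the expert's answers), the ASA configuration below ties together the port-forwarding answer and the syslog/logging-list answers; the object name, addresses, ports and ACL name are assumed placeholders.

```text
! Added example, not from the forum post: an assumed ASA 8.3+ configuration
! that (a) publishes an internal IP camera on the outside interface address
! and (b) sends only ACL-deny messages to a syslog server.
! All names, addresses and ports below are placeholders for illustration.

! --- (a) Port forwarding to an internal camera (8.3+ object NAT) ---
object network CAMERA
 host 192.168.1.1
 ! Real port 80 on the camera is reachable on outside-interface port 8080.
 nat (inside,outside) static interface service tcp 80 8080
!
! Traffic arriving on the lower-security interface still needs an ACL permit.
! In 8.3+ the ACL references the real (untranslated) address; restrict the
! source to the host(s) that should reach the camera rather than "any".
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 object CAMERA eq 80
access-group OUTSIDE_IN in interface outside
!
! Pre-8.3 equivalent (mapped port 8080 on the interface address, real port 80;
! the pre-8.3 ACL references the mapped address and port instead):
! static (inside,outside) tcp interface 8080 192.168.1.1 80 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 interface outside eq 8080
!
! --- (b) Syslog: enable logging, name the server, choose what to send ---
logging enable
logging timestamp
logging host inside 10.1.1.50
! A logging list filters by message id (and/or level). Here only the
! ACL-deny messages 106023 and 106100 go to the syslog server, while the
! local buffer keeps everything at informational and above.
logging list ACL_DENIES message 106023
logging list ACL_DENIES message 106100
logging trap ACL_DENIES
logging buffered informational
```

Verify with "show logging" that the trap logging line reports the list name and that deny messages appear on the syslog server after a blocked connection attempt.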


Posted September 19, 2011 at 11:32 AM