ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot Cisco Adaptive Security Appliances (ASA) with Cisco expert Srinivas Mallu. Srinivas is a senior customer support engineer in high touch technical support (HTTS) within the technical assistance center (TAC). He has a double CCIE in routing & switching and security (CCIE# 8914). Srinivas has been in TAC for the past eight years supporting security related products such as PIX, ASA, FWSM, security on IOS, IPSec, ACS and IDS. He also trains people on his team on security technologies.

Remember to use the rating system to let Srinivas know if you have received an adequate response.

Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 21, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

61 REPLIES

Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

I've noticed on some ASAs that I've worked on that they don't use a global statement:

global (outside) 1 interface

They do have nat statements:

nat (inside) 0 access-list-name

Does this effectively disable natting, and would this be the recommended way of setting an internal firewall that doesn't have public IPs?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

John

Yes, it does disable NAT for anything that matches the access-list. You don't need a global because nat (interface) 0 is a special NAT instance meaning "leave as is".

It depends what you mean by an internal firewall. If you mean one used completely internally to the company, i.e. no Internet access, then yes, you could use this, and it would make sure that any clients on the inside interface of the firewall wouldn't be NATed as they initiate connections through the firewall.

Jon


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Good answer Jon!!


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

John,

The global (outside) command defines a NAT pool that internal hosts use when going out to the Internet. This command is not necessary when you are explicitly exempting traffic from NAT using the nat (inside) 0 command. Its presence does not make a difference.

It's up to the user's discretion whether he wants to use that command or not. As a general recommendation, we suggest you not configure it when you don't have NAT configured.

The nat (inside) 0 command effectively disables any NATing from inside to outside for the traffic that matches the ACL. This is the recommended way of configuring NO NAT.

Hope this helps! Let me know if you have any questions.

Thanks,

Srinivas.

Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

My next question is:

We had a discussion the other day about the direction of static nat and how the private network statement works:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

This says to have the inside present itself as 192.168.0.0 to the dmz network.

But why would I have:

static (inside,inside) 192.168.1.2 10.20.1.5 netmask 255.255.255.255

Where would this traffic be going exactly?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

John,

Great question. By default, the ASA does not redirect traffic out the same interface, like a router. Normally, either the traffic goes through the firewall or gets dropped.

The static command, which creates a conduit between same-security interfaces, allows the ASA to redirect traffic out the same interface.

However, for this hairpinning feature to be enabled, you also need the global command:

same-security-traffic permit intra-interface

The first command NATs any traffic on the DMZ destined for 192.168.x.x to the inside interface.

With the second command, the firewall NATs any traffic that it receives on the inside interface destined to 192.168.1.2 out the same interface to the 10.20.1.5 server.

Here is a good reference for this feature:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Hope this helps!

Thanks,

Srinivas.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

I have a 2801 router in one of my corporate offices, on which I have configured NBAR with MQC. I need to block peer-to-peer applications like BitTorrent.

But the router is not able to block BitTorrent traffic; other peer-to-peer traffic it can block. The BitTorrent version is 6.1.2 and the IOS version is 12.4(11)T4.

xxxx#sh policy-map int fa 0/0

  Service-policy output: Block_P2P

    Class-map: Block_P2P (match-any)
      46481 packets, 5112152 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol fasttrack
        1120 packets, 73977 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        22098 packets, 2576056 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        1856 packets, 193880 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop
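As an added example (not part of the original post), here is a small Python parser for this "show policy-map interface" output. It is run over a constructed copy of the counters above and reports which match criteria in a class never fired, which is the check the poster is doing by eye: a class that counts packets overall but shows 0 packets for one criterion means that criterion is not classifying the traffic.

```python
import re

# Constructed sample, modelled on the "sh policy-map int fa 0/0" output in the post above.
SAMPLE_OUTPUT = """\
xxxx#sh policy-map int fa 0/0

  Service-policy output: Block_P2P

    Class-map: Block_P2P (match-any)
      46481 packets, 5112152 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol fasttrack
        1120 packets, 73977 bytes
        5 minute rate 0 bps
      Match: protocol gnutella
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol edonkey
        22098 packets, 2576056 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        1856 packets, 193880 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        0 packets, 0 bytes
        5 minute rate 0 bps
      drop
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-any|match-all)\)")
MATCH_RE = re.compile(r"^\s*Match: (.+?)\s*$")
COUNTER_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")


def parse_policy_map(text):
    """Return {class_name: {"type", "total", "matches", "actions"}}.

    "total" is the class-level (packets, bytes) counter; "matches" maps each
    "Match:" criterion to its own (packets, bytes) counter; "actions" collects
    the bare action lines such as "drop".
    """
    classes = {}
    current = None
    pending = None  # criterion whose counter line is expected next
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"type": m.group(2), "total": (0, 0), "matches": {}, "actions": []}
            classes[m.group(1)] = current
            pending = None
            continue
        if current is None:
            continue  # prompt / Service-policy header lines
        m = MATCH_RE.match(line)
        if m:
            pending = m.group(1)
            current["matches"][pending] = (0, 0)
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters = (int(m.group(1)), int(m.group(2)))
            if pending is None:
                current["total"] = counters  # first counter line belongs to the class
            else:
                current["matches"][pending] = counters
                pending = None
            continue
        stripped = line.strip()
        if stripped and not stripped.startswith("5 minute"):
            current["actions"].append(stripped)
    return classes


def idle_criteria(classes):
    """(class, criterion) pairs whose packet counter is zero."""
    return [(name, crit) for name, c in classes.items()
            for crit, (pkts, _) in c["matches"].items() if pkts == 0]


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE_OUTPUT)
    for name, crit in idle_criteria(parsed):
        print(f"class {name}: '{crit}' has matched nothing")
```

Run against the sample it lists gnutella, kazaa2 and bittorrent as criteria that have matched nothing, while the class total shows traffic is being classified by the other criteria.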


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi There,

This forum is for ASA Questions. However, let me take a stab at this and answer your question to the best of my knowledge.

BT supports the TCP and HTTP protocols. BT uses TCP ports 6881 to 6889 to log in, search and download files.

If TCP ports 6881 to 6889 are all blocked, then BT will use HTTP port 80 to download files.

If you block TCP port 80, you may be blocking some essential traffic. Because BT can communicate via HTTP and can switch ports automatically, you cannot block it only by disabling the ports in the firewall. And since BT has no central server, you also cannot block it by blocking a server IP address. So the only way is to use professional tools to block BitTorrent.

Hope this helps!

Thanks,

Srinivas.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi Srinivas.

I need to limit the access to a web server at specific hours, using an ASA with software version 7.1.

I believe I can use a service policy like this:

time-range limited-hours
 periodic weekdays 13:00 to 15:00

access-list acl-web-server permit tcp host proxy1 host web-server eq http time-range limited-hours
access-list acl-web-server permit tcp host proxy2 host web-server eq http time-range limited-hours

class-map class-map-web-server
 description traffic to and from web-server
 match access-list acl-web-server

policy-map policy-web-server
 description rate limit web-server (bits per second)
 class class-map-web-server
  police output 1000000 37500

service-policy policy-web-server interface outside

What do you think about this?

Many thanks for your help.

Regards.

Andrea.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Andrea,

The configuration you put up here is all you need.

Alternatively, instead of defining it using a global policy, you can apply the ACL with an access-group to whichever interface you are going to see the traffic on that you want to apply this rule to.

Hope this helps!

Thanks,

Srinivas.
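As an added example, not from the original thread, the following Python models what the configuration in Andrea's post does to traffic: the time-range decides whether the ACL entries (and therefore the class) are active, and "police output 1000000 37500" is modelled as a generic single-rate token bucket with a 1,000,000 bps conform rate and a 37,500-byte burst, transmitting conforming packets and dropping the excess (the ASA defaults). The traffic burst, the dates and the exclusive end-of-window boundary are assumptions of this model, not statements about the ASA's exact implementation.

```python
from datetime import datetime

# Constructed model of "periodic weekdays 13:00 to 15:00". The window end is
# treated as exclusive here; that is an assumption of this model.
WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday
WINDOW_START = (13, 0)
WINDOW_END = (15, 0)


def in_time_range(ts):
    """True when the ACL entries carrying the time-range would be active."""
    if ts.weekday() not in WEEKDAYS:
        return False
    return WINDOW_START <= (ts.hour, ts.minute) < WINDOW_END


def window_active(year, month, day, hour, minute):
    return in_time_range(datetime(year, month, day, hour, minute))


class Policer:
    """Generic single-rate token bucket standing in for
    'police output <conform-rate bps> <conform-burst bytes>'."""

    def __init__(self, conform_rate_bps, conform_burst_bytes):
        self.rate_bytes = conform_rate_bps / 8.0   # refill rate in bytes per second
        self.burst = float(conform_burst_bytes)     # bucket depth in bytes
        self.tokens = self.burst                     # bucket starts full
        self.last = None

    def offer(self, t, size):
        """Refill for elapsed time, then transmit if the packet fits, else drop."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate_bytes)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return "drop"


def apply_policy(policer, packets):
    """packets: iterable of (datetime, size_bytes) from a proxy to the web server.
    Outside the window the ACL is inactive, so the class does not match and
    the packet passes without being policed."""
    actions = []
    for ts, size in packets:
        if not in_time_range(ts):
            actions.append("transmit")
        else:
            actions.append(policer.offer(ts.timestamp(), size))
    return actions


# Constructed traffic: 26 packets of 1500 bytes at once on a Wednesday at 14:00,
# one more 100 ms later, and one on the following Saturday at 14:00.
_wed = datetime(2008, 11, 19, 14, 0, 0)
SAMPLE_PACKETS = [(_wed, 1500)] * 26 + [
    (datetime(2008, 11, 19, 14, 0, 0, 100000), 1500),
    (datetime(2008, 11, 22, 14, 0, 0), 1500),
]


def run_sample():
    return apply_policy(Policer(1000000, 37500), SAMPLE_PACKETS)


if __name__ == "__main__":
    acts = run_sample()
    print(f"{acts.count('transmit')} transmitted, {acts.count('drop')} dropped")
```

With a 37,500-byte bucket, exactly 25 of the 1500-byte packets in the initial burst conform and the 26th is dropped; 100 ms later the bucket has refilled 12,500 bytes, so the next packet passes, and the Saturday packet is never policed because the time-range is inactive.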


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

hello there,

I would like to know if we could ping from the headend devices (which would be ASA boxes) in a site-to-site VPN to the private devices behind the peer. I mean from the ASA to the other end ASA's private network behind it.

Thanks in advance.

sarika


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi Sarika,

Great question! If this was a router, I would say probably yes, by using policy routing.

However, this is not possible with an ASA by design.

Hope this answers your question.

Thanks,

Srinivas.

Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Srinivas,

It should be possible to ping devices on the other end of a tunnel that's terminated between two ASAs. They just need to disable NAT for the networks that are allowed to cross the tunnel. As for being able to ping the inside interface of the ASA from the opposite side, that can't be done.

--John

HTH, John *** Please rate all useful posts ***

Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Yes, this is possible. It requires some adjustment in the config. You have to have the outside IP of the ASA included in the interesting ACL. It also requires some tweaks in the routing.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Srinivas,

I believe this is possible. All you need to do is include the outside IP of the ASA in the interesting-traffic crypto ACL for the tunnel. I do this all day long for syslogging from the ASA over a VPN tunnel to a local syslog server.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Yes. You're correct! I just tested this.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

I had things mixed up here. I was thinking along the lines of the inside interface IP address of the remote ASA.

This can be done, and here is what it takes:

* Include the outside IP address of the ASA in the interesting ACL.

* NAT the private traffic to the outside IP address of the ASA.

* Have routing set up in such a way that, when you initiate a ping, the ASA knows which interface it needs to go out of.

Hope this helps!

Thanks,

Srinivas.

ovt

Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi Srinivas,

I'd like to draw your attention to a bug related to the ASA->SSM communications.

Scenario: NAT is configured on the ASA between the inside and outside interfaces. The IPS policy is applied to the outside interface or globally.

Bug details: for ICMP attacks (such as 2150) passing from the inside to the outside, the alert contains the public (NATed) IP address as the Src IP, which is not correct. For TCP (such as 5081) the alert contains the private IP address as the Src IP, which is correct.

Note: this may depend on the signature engine, not the protocol (ICMP/TCP, etc.).

This probably happens because the ASA doesn't pass the pre-NAT packet IP header to the SSM along with the actual data packet. The data packet itself always contains the post-NAT IP header (i.e. the public IP address).

In brief (global policy):

  Protocol   Direction   ACL src   Alert src
  TCP        in->out     priv      priv
  ICMP       in->out     priv      pub

Also, the fact that the SSM log (log-pair-packets) contains the pre-NAT (private) IP address for packets going outside->inside and the post-NAT (public) IP address for packets going inside->outside is a little bit misleading too.

This has been tested on 8.0.4. Does this bug have a BugID assigned?


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi Srinivas,

Could you please state the difference between the ASA Firewall Edition and the ASA VPN Edition.

Thanks


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi There,

The main difference between the two editions is in the feature bundles they come with. However, the functionality is the same.

The firewall edition supports only 2 concurrent SSL VPN Peers. The VPN edition supports anywhere from 25-10,000 concurrent SSL VPN Sessions, based on the hardware.

Here is the Firewall Edition overview:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8048dba8.html

VPN Edition overview:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html

Hope this helps!

Thanks,

Srinivas.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi,

I need to configure a DHCP server to hand out IP addresses to the hosts connected by VPN. The DHCP server is a different device from the ASA. How can I manage this?


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi There,

You can do this using the "vpn-addr-assign dhcp" command.

Here is a good reference for this:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnadd.html#wp999516

Hope this helps!

Thanks,

Srinivas.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Srinivas

I need clarification on configuring WCCPv2 on an ASA.

The ASA 8.1 configuration guide states:

"WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance."

Do we need to have a switch hanging off an ASA interface (INSIDE) with the web cache device and host PCs terminating on that switch? If that is the case, then I perceive that traffic going into the INSIDE interface needs to be redirected to another interface, as traffic leaving the INSIDE LAN cannot return on the same interface.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi There,

Your assessment is correct on this. However, just to clarify, hairpinning is supported on the ASA. What that means is, you can redirect traffic out the same interface:

1) by enabling hairpinning. Here is a good reference:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114

2) and by configuring static (inside,inside), which maps to the same interface:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Hope this helps!

Thanks,

Srinivas.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Hi There,

Thanks for bringing this to our attention. I don't see a bug filed for this issue.

However, I would recommend that you open a TAC case, so that the BU is engaged and works on fixing this issue. It helps us track the bugs.

Thanks,

Srinivas.


Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Is there a way that I can log IP address assignments from a VPN local pool on the ASA to a syslog server? Currently I'm logging notifications to my syslog, but these type of messages don't get logged. If I do a sh vpn-sessiondb detail remote, I can see what address the user was assigned.

I do authenticate to a RADIUS server, so if I enabled accounting, would there be an AV pair that I would need to send back to the ASA?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: ASK THE EXPERT - CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

John,

You should be able to log the IP address assignment to clients. To be able to log this, you have to set the logging level to informational (level 6).

This is the syntax for this syslog message:

%ASA-6-737026: IPAA: Client assigned ip-address from local pool

When using a RADIUS server, you should have the Cisco AV pair "framed-ip-address" that you'd need to send back to the ASA.

Hope this helps!

Thanks,

Srinivas.
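As an added example (not from the original thread), the Python below shows why John's notification-level syslog never carried the assignments: an ASA message is only emitted when its severity number is less than or equal to the configured level, and 737026 is level 6 while "notifications" is level 5. It parses a few constructed syslog lines, applies that level filter, and extracts the addresses from the 737026 messages; the body text follows the format quoted in the reply above with a constructed address filled in. The 106023 and 302013 lines are real ASA message IDs, but their contents here are invented sample data.

```python
import re

# ASA syslog severity names and their numeric levels (0 = emergencies .. 7 = debugging).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

MSG_RE = re.compile(r"^%ASA-(\d)-(\d{6}): (.*)$")
# Body of 737026 as given in the reply, with the assigned address in place of "ip-address".
ASSIGN_RE = re.compile(r"^IPAA: Client assigned (\S+) from local pool$")

# Constructed sample lines; addresses, ports and ordering are invented for this example.
SAMPLE_LINES = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/4431 dst inside:10.0.0.5/445 by access-group "outside_in"',
    "%ASA-6-737026: IPAA: Client assigned 10.10.20.5 from local pool",
    "%ASA-6-302013: Built inbound TCP connection 4242 for outside:198.51.100.9/51000 (198.51.100.9/51000) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-737026: IPAA: Client assigned 10.10.20.6 from local pool",
]


def parse_line(line):
    """Split a '%ASA-<sev>-<id>: <body>' line into (severity, message id, body)."""
    m = MSG_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def would_be_logged(line, trap_level):
    """A message is emitted when its severity is numerically <= the configured level."""
    parsed = parse_line(line)
    return parsed is not None and parsed[0] <= SEVERITY[trap_level]


def pool_assignments(lines, trap_level):
    """Addresses handed out from the local pool, as they would appear on a
    syslog server receiving messages at the given logging level."""
    found = []
    for line in lines:
        if not would_be_logged(line, trap_level):
            continue
        _sev, msg_id, body = parse_line(line)
        if msg_id == "737026":
            m = ASSIGN_RE.match(body)
            if m:
                found.append(m.group(1))
    return found


if __name__ == "__main__":
    for level in ("notifications", "informational"):
        print(f"logging at {level}: assignments seen = {pool_assignments(SAMPLE_LINES, level)}")
```

At "notifications" the 737026 lines are filtered out and no assignments are seen; raising the level to "informational" makes both appear, at the cost of also receiving the connection build/teardown messages, which is the volume trade-off to plan for on the syslog side.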
