ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Glenn Fullager about troubleshooting ASA/PIX Firewalls. Glenn is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems, Inc. He is based in Melbourne, Australia. He is responsible for assisting customers in the AsiaPac region with high-level problems, specializing in the Security and VPN technologies. Glenn has more than 10 years' experience in the Information Technology field, specializing in Security/VPN for the past three years.

Remember to use the rating system to let Glenn know if you have received an adequate response.

Glenn might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 23, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

196 REPLIES
Community Member

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Glenn,

I have ASA 5510 (sw version 7.2.1) setup to do following:

- port forwarding for incoming connections on outside interface port 22 to system on inside network port 22. This is used for remote access via SSH to our internal server.

- Source IP address translation for same internal system when using a couple of VPN's.

IP address translation for outgoing connections through VPNs was always working fine. However, at the moment that I set up the port forwarding for outside_interface:22 to inside_system:22 I received the following error:

WARNING: real-address conflict with existing static

TCP inside:10.0.0.2/22 to outside:a.b.c.1/22 netmask 255.255.255.255

I have following static lines in my config:

static (inside,outside) tcp a.b.c.1 ssh 10.0.0.2 ssh netmask 255.255.255.255

static (inside,management) 10.0.0.0 10.0.0.0 netmask 255.255.248.0

static (inside,voip) 10.0.0.0 10.0.0.0 netmask 255.255.248.0

static (inside,outside) a.b.d.1 access-list 1

static (inside,outside) a.b.d.2 access-list 2

....

static (inside,outside) 10.0.0.2 access-list 3

access-l 1 remark -- translate 10.0.0.2->a.b.d.1 for vpn1

access-l 1 permit ip host 10.0.0.2 10.1.0.0 255.255.255.0

access-l 2 remark -- translate 10.0.0.2->a.b.d.2 for vpn2

access-l 2 permit ip host 10.0.0.2 10.2.0.0 255.255.255.0

access-list 3 remark -- traffic we dont translate

access-list 3 permit ip host 10.0.0.2 10.3.0.0 255.255.255.0

Now one VPN is not working anymore. The ASA does not translate source IP address 10.0.0.2 to the IP address used for that VPN and the VPN does not work. Strange is that there is only one VPN not functioning since I added the port forwarding statement. Other VPNs are doing fine.

Please tell me what I am doing wrong and what is the right way to do this.

Thanks in advance for your help.

With Kind Regards,

Alex

Silver

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Glen,

I am implementing a basic setup here. lan --> ASA --> ADSL router --> internet

I have a proxy server inside 192.168.1.6. My two dns servers are present outside.

My problem now is I am not able to ping anything outside. And is there anything else I need to take care of since the proxy server is inside and the DNS servers are on the internet?

Hoogen

Community Member

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Hoogen,

have you tried to inspect the ICMP protocol as well?

policy-map global_policy

class inspection_default

inspect icmp

Silver

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hmm.. I did miss that. But my DNS, i.e. I wasn't able to browse either. Any idea on what might be wrong?

Hoogen

Community Member

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Hoogen,

1) can you paste the output of the packet-tracer test

for example:

ASA#packet-tracer input inside icmp 10.10.100.50 8 0 192.168.0.1

2) verify the service policy (I don't remember if it works with the ICMP protocol)

for example:

ASA# show service-policy flow icmp host 10.0.0.2 host 10.1.1.2

3) verify the asp

ASA#show asp drop

4) try to sniff the ICMP protocol on the interfaces (the following is an example with the HTTP protocol; modify it for ICMP ...)

Step 1: create ACL for both inside and outside Interface

! Outside Capture ACL

ASA#Access-list 100 permit tcp host 192.168.2.2 host 198.133.219.25 eq 80

ASA#Access-list 100 permit tcp host 198.133.219.25 eq 80 host 192.168.2.2

! Inside Capture ACL

ASA#Access-list 101 permit tcp host 10.1.3.2 host 198.133.219.25 eq 80

ASA#Access-list 101 permit tcp host 198.133.219.25 eq 80 host 10.1.3.2

Step 2: create captures on both inside and outside interface

ASA#capture out access-list 100 interface outside packet-length 1500

ASA#capture in access-list 101 interface inside packet-length 1500

Step 3: have inside user access www.cisco.com

Step 4: verify the capture

ASA# show capture in

ASA# show capture out

Silver

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi,

Thanks taccon and Glen. Now I have run into a different issue.

I have a problem here with my setup.

It is a simple one Internet <--> ADSL router <--> ASA <--> LAN

I have two lan interfaces both connected to my ASA.

The problem is I have an FTP server residing inside my LAN. The users on the internet are not able to FTP to my server. The error they get is FTP unknown error.

I am posting my configuration.

Thanks for any help.

Just to add to the above, the ADSL router is in bridged mode. Should that create a problem? The FTP server though works fine if I connect it directly to the internet.

Also the command same-security-traffic permit inter-interface; any ideas what else I should do?

Cisco Employee

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Config looks OK, and the ADSL router in bridged mode should be OK too. Best way to troubleshoot any problem like this is to enable syslogging and see what it tells you. You can do:

logging on

logging asdm debug

and look at the logs directly in ASDM, or do:

logging on

logging console debug

to see them on the console port. Then have a user try an FTP session and see what it tells you. If you still can't figure it out from there then post the syslog output back here and we'll see what we can tell from it.

Cisco Employee

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Sorry for the delay in responding.

As poster r.taccon said you could set up "inspect icmp", but you already are allowing ICMP in on your inbound access-list, which should cover that. If you have this AND "inspect icmp" in your config and it still doesn't work then you have another issue.

You mention the DNS servers a few times, are you pinging by name or by IP address? Try by IP address and see if that works, at least then we can pinpoint it down to a filtering or a DNS problem.

If you can ping by IP address but not by name then obviously you have a DNS issue. There's nothing specifically wrong with your config anywhere, it's pretty basic. I'd like to see "show service-policy" to see if the ASA is seeing DNS packets and dropping them for some reason. Other than that a packet capture on both the inside and outside interfaces is probably the best way we can figure out what's going on.

Community Member

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Glenn,

I apologise for this reply if the reason that you are not answering my question is because you are too busy.

Anyway, in case you need some additional information from me (complete ASA config, network topology map ..) please tell me and I'll provide you with all the details that you need.

This blocking issue is keeping me from implementing Cisco ASA all the way in my organization.

Thanks one more time for your help.

With Kind Regards,

Alex

Cisco Employee

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Oh jeez, sorry, I read your post first the other day and then for some reason got sidetracked on other things and then completely overlooked it as something that I had answered. My apologies, and thanks for posting again to remind me.

What you're seeing is not unexpected when you have overlapping static configurations. You may not get total failure on one or the other statics, it will all depend on what types of translations are already present in the translation table and what your new static overwrites. For example, you're adding a port static that essentially overlaps with your other network statics. If one of those happens to have a translation on port 22 already then you'll break it. The warning message is there for a reason.

Is there any other way you can set this up but use a different address? Unfortunately the way you've done it is always going to lead to overlaps going on, and weird behaviour following on from that.
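Glenn's point above, that a port static whose real address is also covered by other statics on the same interface pair will collide with them, can be checked mechanically before the change is applied. The following is an added example, not code from the thread or from Cisco: it parses the old-style static / access-list syntax from a constructed config that mirrors Alex's (documentation addresses from 203.0.113.0/24 stand in for a.b.c.1 and a.b.d.x) and reports every real-address overlap, which in this case is the new port static against the policy statics for 10.0.0.2.

```python
import ipaddress
import re

# Constructed sample mirroring the post's statics (a.b.c.1 / a.b.d.x -> 203.0.113.x).
SAMPLE_CONFIG = """
static (inside,outside) tcp 203.0.113.1 ssh 10.0.0.2 ssh netmask 255.255.255.255
static (inside,management) 10.0.0.0 10.0.0.0 netmask 255.255.248.0
static (inside,outside) 203.0.113.11 access-list 1
static (inside,outside) 10.0.0.2 access-list 3
access-list 1 permit ip host 10.0.0.2 10.1.0.0 255.255.255.0
access-list 3 permit ip host 10.0.0.2 10.3.0.0 255.255.255.0
"""
ACL_RE = re.compile(r"access-list (\S+) permit \S+ (?:host (\S+)|(\S+) (\S+))")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (.*)")


def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl_sources(lines):
    """Map ACL name -> source networks of its permit entries (host X or NET MASK)."""
    acl = {}
    for m in filter(None, map(ACL_RE.match, lines)):
        src = _net(m.group(2)) if m.group(2) else _net(m.group(3), m.group(4))
        acl.setdefault(m.group(1), []).append(src)
    return acl


def parse_statics(lines, acl):
    """Return (interface pair, kind, label, real-side networks) per static line."""
    out = []
    for m in filter(None, map(STATIC_RE.match, lines)):
        pair, b = m.group(1, 2), m.group(3).split()
        if b[0] in ("tcp", "udp"):    # port static: proto mapped mport real rport netmask mask
            out.append((pair, "port", f"{b[0]}/{b[4]} real {b[3]}", [_net(b[3], b[6])]))
        elif b[1] == "access-list":   # policy static: real side is the ACL's source addresses
            out.append((pair, "policy", f"access-list {b[2]}", acl.get(b[2], [])))
        else:                         # network/host static: mapped real netmask mask
            out.append((pair, "network", f"real {b[1]}/{b[3]}", [_net(b[1], b[3])]))
    return out


def find_conflicts(config_text):
    """Statics on the same interface pair whose real addresses overlap. Policy-vs-policy
    overlap is normal (their ACL destinations differ), so only port/network statics lead a pair."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    statics = parse_statics(lines, parse_acl_sources(lines))
    return [(pair, label, label2)
            for i, (pair, kind, label, reals) in enumerate(statics) if kind != "policy"
            for j, (pair2, kind2, label2, reals2) in enumerate(statics)
            if i != j and pair == pair2 and (kind2 == "policy" or j > i)
            and any(a.overlaps(b) for a in reals for b in reals2)]
```

Running find_conflicts(SAMPLE_CONFIG) lists the tcp/ssh port static against access-list 1 and access-list 3 on (inside,outside), which is exactly the "real-address conflict with existing static" warning the ASA printed; the (inside,management) network static is not flagged because it lives on a different interface pair.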

Gold

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Glenn - good to see you back on the ask the expert stage!

Simple question - do you have a good/detailed document on setting up L2L VPN between PIX 6.3(5) and a MS ISA 2006 server please. I don't have a problem with the PIX setup but need to send a detailed document to customer who would like to terminate the VPN on a MS ISA 2006 box, funny, my customer is based in Melbourne, Aus.!!

Thanks for any pointers...

Jay

Community Member

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Glen, really glad to have you back in the forum.

Heard a lot about the new IOS 8.0 for ASA, which has very good enhancements for WebVPN especially.

Would like to know if routing and VPN with context functionality will be available in the new version.

Waiting for your reply.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Sebastan, good to be back.

Just got back from a week in Sydney doing the ASA v8.0 TAC training, and unfortunately no, VPN and dynamic routing is NOT in the multi-context configuration.

Community Member

Re: ASK THE EXPERT - TROUBLESHOOTING ASA/PIX FIREWALLS

Hi Glen, thanks for your reply. Then could you please tell us what the major enhancements in version 8.0 are, and is Cisco planning to get VPN and routing functionality with contexts sometime later?

Glen, one more question: is the QoS policy on the ASA for ingress or egress?

Waiting for your reply.

regards

sebastan
