ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on troubleshooting the Firewall Service Module with expert Srinivas Mallu. Srinivas is a senior customer support engineer in High Touch Technical Support (HTTS) within the Technical Assistance Center (TAC). He has a double CCIE in Routing & Switching and Security (CCIE# 8914). Mallu has been in TAC for the past eight years supporting security-related products such as PIX, ASA, FWSM, Security on IOS, IPSec, ACS and IDS. He also trains people on his team on security technologies.

Remember to use the rating system to let Srinivas know if you have received an adequate response.

Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 19, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

67 REPLIES
New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi Srinivas,

We'd like to know if it is possible to inspect an application which is not predefined on the FWSM.

We know the port used for the initial conversation; dynamic ports are used after the session is established.

Could you please give information/examples on how to do this?

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi There,

Yes. It's possible to inspect the protocols which are not defined in the standard default configuration.

We can accomplish this with class maps and policy maps, and by applying them to the interface or to the global policy.

Here is an example of PPTP inspection:

FWSM(config)#class-map pptp-port
FWSM(config-cmap)#match port tcp eq 1723
FWSM(config-cmap)#exit
FWSM(config)#policy-map pptp_policy
FWSM(config-pmap)#class pptp-port
FWSM(config-pmap-c)#inspect pptp
FWSM(config-pmap-c)#exit
FWSM(config)#service-policy pptp_policy interface outside

Hope this helps!

Thanks,

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

hi Srinivas;

I have a couple of question:

1- Is NATting supported in bridge mode now?

2- How can I pass all traffic of the FWSM to the IDSM module?

3- Similarly, traffic from the server will first reach the IDSM; would I need to pass this to the FWSM, provided that the IDSM is in bridging mode?

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi Omair,

We don't support NAT in bridge mode. It may be supported in future.

For questions 2 and 3, yes, it's possible.

Please refer to the IDSM and FWSM integration document from CCO below:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2.1/9_M_NIDS.html

Hope this helps!

Thanks,

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi Mallu;

Thanks for your response. I am able to find a document that says that NAT is now supported in transparent mode:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/release/notes/fwsmrn32.html

Transparent Firewall NAT Support

You can now configure NAT for a transparent firewall. This feature extends the NAT/PAT functionality to transparent mode thereby reducing the need for adding a new NAT/PAT device in the network. This feature is also very useful in cases where multiple virtual routing and forwarding (VRFs) with overlapping addresses are used. NAT per VRF is not supported on the Catalyst 6500 series switches and the Cisco 7600 series routers.

Introducing NAT support for transparent firewalls addresses the NAT per VRF requirement. Transparent mode offers the capability to run routing protocols through the FWSM with minimal configuration.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Thanks for posting this. Very good to know. I knew the feature was being planned for future release, did not know it was already out.

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi,

I have a PIX 501 with a 10-user license; now I want to upgrade it to 50 users. How shall I accomplish this task? Please advise me.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi There,

Please contact the Licensing Team at Cisco by emailing "licensing@cisco.com" with the contract number, serial number and the license features you want.

An alternative way is to open a service request with TAC.

Hope this helps!

Thanks,

Srinivas

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi Srinivas,

We also have another question.

We have an FWSM installed in a 6500. It never comes online.

Here is the error message:

00:10:20: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Module Failed SCP dnld)

The "Online Diag Status" is Unknown.

We cannot use the firewall. Is there a way to solve this problem?

Hall of Fame Super Gold

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi Harinirina,

By default, a new FWSM will always disable the power during first insert.

You can enable the module by using the command "power enable module ".

Hope this helps.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Definitely a good suggestion.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

A couple of things you can try before swapping out the hardware:

1) Reseat the module.

2) Try seating it in a different slot; maybe the slot it's being seated in is bad. It could be a chassis issue.

If the above steps fail, replace the hardware. If step 2 works, then you may have to consider replacing the 6500 chassis.

Hope this helps!

Thanks,

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi,

Thanks both for the reply.

We seated the FWSM in another slot, same result.

When seating an IDSM module in the slot where the FWSM was seated, it boots.

We tried the command "power enable module"; we got "status : Other" and "Online Diag Status:Unknown".

After some minutes, the message "%C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (Module Failed SCP dnld)" appears again, the status is PwrDown and "Online Diag Status:Not Applicable".

On a firewall module, we'd like to know if there's also a notion of "Rommon mode"?

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

There isn't any ROMMON mode in FWSM. If it does not boot, maybe it had a bad boot flash, which needs to be physically replaced, by pulling the card out of the chassis.

If that does not help, you may have to replace the FWSM card itself.

Thanks,

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Thanks for the reply.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi,

We have configured an ACL on an FWSM. What we noticed is that when letting an application out, we can't get a response unless we also let in the returning traffic.

For example, when we create an ACL for FTP traffic from inside to outside and apply it on the inside interface, we also need to create an ACL from outside to inside on the outside interface with FTP as the source port:

access-list 100 extended permit tcp host X.X.X.X host Y.Y.Y.Y eq 20
access-list 100 extended permit tcp host X.X.X.X host Y.Y.Y.Y eq 21
access-list 101 extended permit tcp host Y.Y.Y.Y eq 20 host X.X.X.X
access-list 101 extended permit tcp host Y.Y.Y.Y eq 21 host X.X.X.X
access-group 101 in interface inside
access-group 100 in interface outside

Is it a normal thing, or what could be the reason for that?

What's the correct config?

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Normally, you don't have to apply another ACL on the outside to let the return traffic through if the traffic has been permitted by an ACL on the inside.

Do you have FTP inspection turned on? This takes care of opening pinholes for the return traffic.

Another thing I noticed in your configuration is that ACL 101 is applied on the inside; if the FTP is being initiated on the inside, shouldn't it be destination ports 20 and 21 that are permitted, instead of the source port?

Try that and see if it makes any difference. Do you see the NAT entries for this translation?

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi,

Sorry, it is a mistake. The real config is that ACL 100 is applied on the inside (I changed the name and I made a mistake).

In case FTP inspection is not turned on, could we still open an FTP session, whether applying an ACL or not?

We use so many non-standard ports; do we need to enable application inspection for each port?

We'll enable inspection for FTP and redo the test.

We'll let you know the result.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Yes. You can still permit FTP traffic without the FTP inspection. However, the ACLs to permit the non-standard ports would get complicated, plus you'll need the appropriate static statements to let traffic from outside to inside.

I would recommend using FTP inspection.

Thanks,

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi,

We redid the test.

The network we tried to configure is as follows:

- There are 2 contexts, A and B

- We use statics between the 2 contexts; they can ping each other now

- An FTP server is installed in context A

- An FTP client accesses this server from context B

On context B, here is the config:

access-list ACL_test permit tcp host B.B.B.B host A.A.A.A eq 20
access-list ACL_test permit tcp host B.B.B.B host A.A.A.A eq 21
access-group ACL_test in int inside
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

On context A, we configured the same ACL but applied it on the outside interface:

access-list ACL_test permit tcp host B.B.B.B host A.A.A.A eq 20
access-list ACL_test permit tcp host B.B.B.B host A.A.A.A eq 21
access-group ACL_test in int outside
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

The test of FTP access from context B was done from a DOS command prompt.

The client was asked to enter a username and password. The problem is that we couldn't browse the directory; it is blocked.

When trying to apply "permit ip any any" on the outside interface of context B and on the inside interface of context A, FTP works fine.

What should be modified on the config?

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

I had a similar problem this weekend with a FWSM running the latest version of software.

When trying to access a web server on a DMZ with a static NAT (dmz,outside), I added an ACL permitting incoming traffic on the outside ACL for the NAT address, but it would not work until I added access on the DMZ ACL (also incoming on the DMZ int.).

I have not checked yet to see if HTTP is in the default inspection.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

You may need the ACL on the DMZ if:

* HTTP inspection is not turned on

* The server responds with another port and needs an ACL to permit that other port, etc.

I would be interested to know if HTTP inspection was turned on?

Thanks,

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

The problem here could be that the data port is getting blocked somewhere. I would check the ACLs.

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi,

When we redid the test, we noticed that the problem was the ACL on the context where the FTP server is installed (context A), not the ACL on the context where the FTP client is installed (context B).

On context B
------------
access-list ACL_test extended permit tcp B.B.B.B A.A.A.A eq ftp-data
access-list ACL_test extended permit tcp B.B.B.B A.A.A.A eq ftp
access-group ACL_test in interface inside

On context A
------------
access-list ACL_test extended permit tcp B.B.B.B A.A.A.A eq ftp-data
access-list ACL_test extended permit tcp B.B.B.B A.A.A.A eq ftp
access-group ACL_test in interface outside
access-list ACL_test-in extended permit tcp A.A.A.A eq ftp-data B.B.B.B
access-list ACL_test-in extended permit tcp A.A.A.A eq ftp B.B.B.B
access-group ACL_test-in in interface inside

We had to configure an ACL from A to B where the source ports are 20 and 21 when "service-policy global_policy global" was not configured; we'd forgotten to put in this line.

When configuring "service-policy global_policy global", FTP works well even without "access-group ACL_test-in in interface inside" on context A.

Now, we need to permit a specific application which uses its own (non-standard) port, and on top of this, we only know the initial port it uses for initiating the session.

Once the session is initiated, the application uses dynamic ports.

what is your advice about configuring ACL for this application?
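What "inspect ftp" does for the data channel, as an added example that is not code from this thread or from Cisco: a small Python model that reads the FTP control channel, decodes PORT commands and 227 passive replies, and derives the data-connection pinhole a stateful inspector would open, which is why the extra source-port-20/21 ACL on context A became unnecessary once the global policy was applied. The client/server addresses and the control-channel lines are constructed; the peer-address sanity check is an assumption added here, not a statement of how the FWSM implements its inspection.

```python
import re

# Constructed FTP control-channel exchange between client B (10.1.1.5) and
# server A (10.2.2.9), as an inspection engine sitting between the contexts
# would see it. Constructed for illustration; not captured traffic.
CLIENT_IP = "10.1.1.5"
SERVER_IP = "10.2.2.9"
SAMPLE_CONTROL = [
    ("client", "USER anonymous"),
    ("client", "PORT 10,1,1,5,4,210"),      # active mode: client listens on 10.1.1.5:1234
    ("client", "LIST"),
    ("server", "227 Entering Passive Mode (10,2,2,9,19,137)"),  # passive: 10.2.2.9:5001
    ("client", "PORT 10,1,1,99,4,210"),     # embedded address is not the client: refuse
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


def pinhole_for(direction, line, client_ip, server_ip):
    """Return the data-channel pinhole a stateful FTP inspector would open for
    this control line, or None for lines that carry no address. A line whose
    embedded address does not match the peer that sent it is refused
    (a sanity check assumed here, not a claim about FWSM internals)."""
    if direction == "client":
        m = PORT_RE.match(line)
        if not m:
            return None
        host, port = decode_hostport(m.groups())
        if host != client_ip:
            return {"mode": "active", "refused": True, "reason": "PORT address != client"}
        # Active mode: the server opens the data connection from tcp/20 to the client's port,
        # which is the "source port 20" flow the ACL_test-in entries were permitting by hand.
        return {"mode": "active", "refused": False,
                "src": server_ip, "sport": 20, "dst": host, "dport": port}
    m = PASV_RE.match(line)
    if not m:
        return None
    host, port = decode_hostport(m.groups())
    if host != server_ip:
        return {"mode": "passive", "refused": True, "reason": "227 address != server"}
    # Passive mode: the client opens the data connection to the server's advertised port.
    return {"mode": "passive", "refused": False,
            "src": client_ip, "sport": None, "dst": host, "dport": port}


def pinholes(exchange, client_ip, server_ip):
    """Walk a control exchange and collect the decisions inspection would make."""
    return [h for direction, line in exchange
            if (h := pinhole_for(direction, line, client_ip, server_ip)) is not None]
```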

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

I see that you fixed the initial problem with the data ports. That's awesome!

Yes, you can configure an ACL for this application, or for that matter any application, as long as you know the ports and what to tweak on the ACLs (source ports etc.).

Hope this helps!

Srinivas.

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Hi,

Yes, the initial problem was fixed, thanks indeed for your help.

So, for an application which uses dynamic ports, is configuring an ACL with the destination port used for initiating communication enough, or do we need something else?

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

I have been trying to troubleshoot a failover "issue" with two different FWSMs in two different Catalyst 6500 switches. The FWSMs are running 3.1(6). When I show failover I get:

sh failover
Failover On
Last Failover at: 05:34:33 utc Feb 27 2009
        This context: Active
                Active time: 8848444 (sec)
                Interface inside (10.135.34.4): Normal
                Interface outside (10.135.128.33): Normal
        Peer context: Standby Ready
                Active time: 0 (sec)
                Interface inside (10.135.34.5): Normal
                Interface outside (10.135.128.34): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Status: Configured.
        Stateful Obj    xmit       xerr       rcv        rerr
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         1125       0          0          0
        Xlate_Timeout   0          0          0          0

What does Normal (Waiting) mean?

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

It means that failover on the active unit has not started to monitor the network interface outside. Failover does not start to monitor the network interfaces until it has heard the second "hello" packet from the standby unit on that interface.

Make sure the outside VLAN is allowed on the trunk port between your 6500s.
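A way to catch this state before a real failure does, as an added example that is not part of the thread: a Python parser for the "show failover" output quoted above that returns one record per monitored interface and lists the interfaces still marked "(Waiting)", i.e. those on which failover has not yet seen two hellos from the peer and so is not yet monitoring. The output text is the post's own, embedded here so the example runs offline.

```python
import re

# The 'show failover' output quoted in the post above, embedded as sample input.
SHOW_FAILOVER = """\
Failover On
Last Failover at: 05:34:33 utc Feb 27 2009
        This context: Active
                Active time: 8848444 (sec)
                Interface inside (10.135.34.4): Normal
                Interface outside (10.135.128.33): Normal
        Peer context: Standby Ready
                Active time: 0 (sec)
                Interface inside (10.135.34.5): Normal
                Interface outside (10.135.128.34): Normal (Waiting)
"""

CONTEXT_RE = re.compile(r"^\s*(This|Peer) context:\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*$")


def parse_failover(text):
    """Return one dict per interface line, tagged with the unit ('This' or 'Peer')
    and that unit's failover state, in the order they appear."""
    unit, unit_state, entries = None, None, []
    for line in text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            unit, unit_state = m.group(1), m.group(2)
            continue
        m = IFACE_RE.match(line)
        if m and unit is not None:
            entries.append({"unit": unit, "unit_state": unit_state,
                            "interface": m.group(1), "ip": m.group(2),
                            "status": m.group(3)})
    return entries


def not_yet_monitored(text):
    """(unit, interface) pairs whose status carries 'Waiting': interface health
    testing has not started on them, so a failure there would go undetected
    until the peer's hellos arrive (check the VLAN on the inter-switch trunk)."""
    return [(e["unit"], e["interface"]) for e in parse_failover(text)
            if "Waiting" in e["status"]]
```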

New Member

Re: ASK THE EXPERT - TROUBLESHOOTING FIREWALL SERVICE MODULE

Could very well be a possibility. Thanks for your response, Francisco!

Srinivas
