Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Glenn Fullager about troubleshooting PIX and Adaptive Security Appliance Firewalls. Glenn Fullager is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems, Inc. He is based in Melbourne, Australia. He is responsible for assisting customers in the AsiaPac region with high-level problems, specializing in the Security and VPN technologies.
Glenn has more than 10 years' experience in the Information Technology field, specializing in Security/VPN for the past three years.
Remember to use the rating system to let Glenn know if you have received an adequate response.
Glenn might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 10, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
I have also posted this in the general forum on this site...
I am having trouble downloading files from an https site when connected to an ASA 5520 through an SSL VPN tunnel. I have an ASA 5520 running 7.1 code. I am able to view https pages but am not able to download files from these pages. The download seems to complete, but looking at the file size on the web server and that of the downloaded file reveals that only a very small percentage of the file has been downloaded. This problem only seems to happen with https pages from an IIS 6.0 web server (I have also tested http against the IIS 6.0 web server and http/https against an IIS 5.1 and had no problems). I have also tried these same tests from an internal address (not through the ASA) and had no problem.
Any thoughts would be much appreciated.
You might be hitting bug CSCsb89160 (see http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsb89160&Submit=Search for details). The bug mentions files over 2Mb, but the cases linked to it talk about any file over around 100Kb in size not working. The bug is also on the VPN3000 WebVPN software, but it is the same code base in the ASA, so the bug may well have been ported over to that platform also.
You'll also notice the bug is marked Unreproducible. Can you confirm that the problem only occurs with files over about 160Kb in size? If so I'll re-open the bug on the ASA platform and we'll look into getting it fixed.
The behavior does seem consistent with what you describe. I am able to bring down smaller files but files 1MB and larger fail.
My question regarding a Cisco PIX 515 with OS Version 7.0 acting as a VPN server:
Can I make my Remote Access VPN users go to a DMZ of the same firewall they're using as NAS? I tried this; my users can go without a problem to the inside network, but when they try to go to a DMZ the syslog displays "No route to DMZ_HOST_IP from REMOTE_HOST_IP". I can ping both IPs from the firewall. Can anyone help?
Thank you for your question.
Yes, your VPN users can certainly go to the DMZ interface. You'll currently have something like the following to allow them to access your inside network:
access-list nonat permit ip
nat (inside) 0 access-list nonat
This tells the PIX not to NAT any of the VPN traffic coming from your inside network. You need something similar for your DMZ interface, as such:
access-list nonatdmz permit ip
nat (dmz) 0 access-list nonatdmz
Make sure also you have a static route for your VPN address pool pointing out the outside int (your default route may cover this so that's fine).
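A complete version of the NAT-exemption setup described in this answer, added here as an example (not configuration from the thread). The addresses are assumed: inside 10.1.1.0/24, DMZ 192.168.10.0/24, VPN pool 10.10.10.0/24, outside next hop 203.0.113.1.

```cisco
! Added example, not from the original thread. Addresses are assumed:
!   inside 10.1.1.0/24, DMZ 192.168.10.0/24 (interface named "dmz"),
!   remote-access pool 10.10.10.0/24, outside next hop 203.0.113.1
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Exempt inside <-> VPN-pool traffic from NAT (the part most people have)
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! The same exemption is needed on the DMZ interface; without it the PIX
! has no translation for DMZ hosts replying to pool addresses, which is
! the failure the questioner sees in syslog
access-list nonatdmz extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz

! The pool must be reachable out the outside interface. The default route
! normally covers this; an explicit route makes the intent visible.
route outside 10.10.10.0 255.255.255.0 203.0.113.1 1

! Checks: "show running-config nat" should list both nat 0 statements,
! and "show route" must show a path for 10.10.10.0/24 via outside
```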
I have got a couple of queries related to switches. Can you please tell me whether I am on the right forum or not? My query is how we can save ports when we are using multiple switches to create VLANs?
No sorry, wrong forum, this is about firewalls. You might want to try posting your question on the Networking Infrastructure section.
Yeah you are right. I will post my question on the Network infrastructure section. Thanks for your time and patience.
But could you please tell me, when they say that the Cisco PIX 515E model supports 500000 multiple connections, what does that mean actually? I did not get that.
I have a requirement where I have to authenticate all the users coming in from o/s to i/s. For this I create a group in ACS, add a NAR and include the PIX in it. It works fine.
However, I have another requirement where I have to authenticate another set of users to go from inside to outside. In this case, how do I restrict the first group from using the second group's privilege? Is it possible to configure the PIX to use the same ACS for both these purposes? If so, how does the PIX differentiate the groups? My guess is we will need different ACS servers to achieve this. Is my understanding correct? Some of my colleagues suggest that there must be some way to achieve this by using the AV pairs. However, none of them is sure of the exact procedure. Hope you can help.
Hi Glenn, could you please tell me how to allow telnet to the PIX outside with VPN. I mean, do I need a site-to-site VPN or a remote access VPN tunnel? What is the procedure? If site-to-site VPN, then what should be in the crypto ACL? I am really confused about this. Please help.
Hi Glenn, one more thing: in the 7.0 code of the PIX I have seen the WebVPN commands and compared them to the ones in the ASA; both sets of commands are the same. But why doesn't WebVPN work in PIX 7.0? Is it that the WebVPN commands are available in the PIX but not supported? If not, then why, and when would it be implemented in the PIX? Because just for WebVPN I cannot replace my PIX with an ASA. Kindly help.
Yes, WebVPN is NOT supported in the PIX. The commands are there because the code is exactly the same in the ASA and the PIX, but when the code is loaded on a PIX, WebVPN is turned off. WebVPN is very CPU and memory intensive and the PIX models just weren't designed to utilise it, so the decision was made to not support the feature.
Site to site or remote access VPN will work. With a site-to-site you would need a line in your crypto ACL that defines traffic from the outside IP address of your PIX going to the remote network, and make sure you have the exact opposite of it on the other peer.
Easiest way is to just SSH rather than telnet; then you don't have to worry about the whole "coming in over a VPN" thing. With SSH you can simply SSH straight to the outside IP address. Just define a domain name if you haven't already, then create a public/private key pair for the encryption with the "cry key generate rsa" command, then define what IP addresses can SSH in with the "ssh
Hi Glenn, thanks for your reply about this. Could you please tell me what the telnet configuration will be if I want to telnet to the PIX using remote access VPN? So in the telnet IP address, mask and interface, what will the IP address be in this configuration: the IP address assigned to the client from the pool? If yes, then what interface should I specify, inside or outside? And do I need any access-list to permit it? Thank you, please reply.
Hmm, been a while since I've done that. The IP address is definitely the address from the address pool, since that will be the source address of the client. The interface, if I remember correctly, will be "outside", or whatever the crypto map is applied to. I could be wrong on that, but it's simple to try both "outside" and "inside" and see which one works for you.
You might want to also try adding the "management-access inside" command then you can telnet to the inside IP address rather than the outside.
And no, you don't need to add any ACLs to allow the traffic.
Hi Glenn, even with the management-access inside command I would still require an IPsec connection to the PIX outside, right, to telnet to the inside interface of the PIX? I will try it out today and let you know. Thanks anyway.
Hmmm, I don't actually see a way around this other than to use two ACS servers. The issue is not so much on the PIX, but getting the ACS server to differentiate between the two sets of authentication requests. The way ACS does this is by using the NAS's IP address, but there is no way on the PIX to get it to use a different source IP address for the two sets of requests (I can't even think of a way to do this on a router or anything else we make).
AV pairs are definitely NOT going to help you here either. There is no AV pair that you could return to the PIX that would make the PIX work any differently in this situation.
Sorry but I don't think there's a good solution for you here other than to use two different ACS servers and set up the PIX similar to the following:
access-list AAA-INBOUND extended permit ip any any
access-list AAA-OUTBOUND extended permit tcp 10.1.1.0 255.255.255.0 any eq www
aaa-server INBOUND protocol radius
aaa-server INBOUND host 10.1.1.5
aaa-server OUTBOUND protocol radius
aaa-server OUTBOUND host 10.1.1.8
aaa authentication match AAA-INBOUND outside INBOUND
aaa authentication match AAA-OUTBOUND inside OUTBOUND
Do you mean "concurrent connections"? The PIX/ASA is a stateful firewall, meaning it keeps track of every connection that goes through it and will drop packets out of sequence or ones not belonging to an existing connection.
Keeping track of each connection obviously takes up a small amount of memory and CPU per connection, so there is a limit as to how many each device can keep track of.
I have an issue with a PIX 515E. I'm trying to ping the FE interface of the external router, which is in the same subnet as the PIX outside interface. A bridge-group is also assigned on the same FE so as to have a connection to the DSL router.
The http traffic is all fine. Just that I cannot ping any public IPs. Also, an access-list has been created on the PIX as required. Please help me on solving the issue.
I have a PIX connected with two interfaces. On the inside interface I have a host 22.214.171.124 and on the outside I have a host 126.96.36.199. I have configured outside dynamic NAT, which doesn't work. Here's my config:
nat (outside) 1 188.8.131.52 255.255.255.255 outside
global (inside) 1 interface
PIX inside interface 184.108.40.206
PIX outside interface 220.127.116.11
access-list 101 permit ip any any
access-group 101 in interface outside
Please help, what is the problem here?
I think you should configure it as:
nat (inside) 1 18.104.22.168 255.255.255.0 (or you can use an access-list defining your inside list)
global (outside) 1 interface
also, you should have a default route pointing to outside.
What exactly are you trying to do here, and what exactly isn't working? I can't really tell you what's wrong unless I know what it is you're trying to do :-)
If you're just trying to get outbound traffic from 22.214.171.124 then just do:
nat (inside) 1 126.96.36.199 255.255.255.255
global (outside) 1 interface
If you're trying to get traffic flowing from the outside host to the inside then the easiest way is to just use a static:
static (inside,outside) 188.8.131.52 184.108.40.206
access-list 101 permit ip any host 220.127.116.11
access-group 101 in interface outside
Then from the host 18.104.22.168 just try and connect to 22.214.171.124, and the PIX will respond to it and redirect the traffic to 126.96.36.199.
On a fwsm, will the configuration below cause a problem?
access-list acl_test permit ip 100.100.160.0 0.0.0.255 100.100.203.0 0.0.0.255
access-list acl_test permit ip 100.100.160.0 0.0.0.255 100.100.204.0 0.0.0.255
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 access-list acl_test
global (site1) 1 100.100.253.20-100.100.253.253 netmask 255.255.255.0
global (site2) 1 100.100.253.20-100.100.253.253 netmask 255.255.255.0
Also, how do I insert an access-list entry in the order we require instead of at the bottom of the list, i.e. inserting "access-list acl1 permit ..." in between line 100 and 101?
What access-list have you defined specifically? The PIX doesn't create "holes" to allow ICMP traffic back in like it does with TCP/UDP traffic. You need to specifically tell it to do this with the following:
fixup protocol icmp error
inspect icmp error
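On 7.0 and later the "inspect icmp" commands only take effect inside the global inspection policy, so here is the full stanza as an added example (not configuration from the thread). The class-map and policy-map names are the 7.0 defaults.

```cisco
! Added example, not from the original thread. Names are the 7.0
! defaults created by the image; nothing here is site specific.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! With "inspect icmp" on, an echo-request from inside creates a temporary
! entry, so the echo-reply is allowed back in without an outside ACL.
! "inspect icmp error" also matches ICMP errors (TTL exceeded, unreachable)
! that intermediate hops send back for that entry, even though their
! source address is not the pinged host. Traceroute from inside relies on
! exactly those error packets.

! Check: "show service-policy inspect icmp" should show non-zero
! packet counters once a ping from inside has been sent
```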
I am also facing an issue with respect to ICMP in an ASA 5540. It allows me to ping from the inside to the outside interface, but I am not able to do a traceroute. Any help would be helpful.
access-list inside permit icmp any any
access-list outside permit icmp any any
Can we have PIX and ASA integrate with MS AD for the IPsec VPN client,
so users enter their Windows user/password for VPN client access?
I saw that VPN client supports PIX/ASA for MS databases in native mode.
is that for PIX 7.0 and above?
what are the limitations advantages of doing that with AAA ACS
can you provide for documentation on how to do this?
Here are a couple of good links to get you started. I have had good luck using MS AD with PIX 515 6.3 and ACS server 3.2. You can get pretty granular with the ACS server by specifying group membership etc.
Let me know if this helps.
Yes, basically I would like to integrate the PIX IPsec client with MS AD.
Can you send me any links on how I can enable that on the PIX and ACS?
The first one you quote doesn't talk about IPsec, and the second is basically for PPTP.
I will need the xauth feature of PIX to do that right?
as explained in this section?
is this all I need? on the PIX
Are there good documents on how to integrate MS AD on the ACS 3.3.3 or 4.0? I am also interested in the group binding requirements and flexibility.
In 7.0 and above the PIX/ASA can natively authenticate users straight to your Windows MS/AD user directory. In PIX 6.x code you had to do it via RADIUS/TACACS and an ACS server.
In 7.0 you'd just configure your VPN WITHOUT authentication first (see http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/vpnrmote.htm for details), make sure that's working fine, then configure the following:
aaa-server NTAuth protocol nt
aaa-server NTAuth (inside) host 10.1.1.4
I don't know of any specific advantages of doing it with ACS. I guess ACS allows you to set up policies for those users based on time, etc., plus allows you to set specific IP addresses if you really wanted to do that. It is another box that you have to configure and support, so if you just want to do basic user authentication to an NT database I'd just stick with doing it natively from the v7.0 PIX/ASA.
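The two aaa-server lines above only define the server group; the remote-access tunnel group still has to be told to use it. Added example (not configuration from the thread): the domain controller name DC01, the tunnel-group name RA-VPN and the pool are assumed.

```cisco
! Added example, not from the original thread. The server group and host
! match the answer above; DC01, RA-VPN and the pool range are assumed.
aaa-server NTAuth protocol nt
aaa-server NTAuth (inside) host 10.1.1.4
 nt-auth-domain-controller DC01

ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Remote-access tunnel group: hand out pool addresses and send the
! XAUTH username/password to the NT server group instead of LOCAL
tunnel-group RA-VPN type ipsec-ra
tunnel-group RA-VPN general-attributes
 address-pool VPNPOOL
 authentication-server-group NTAuth

! Check the group before testing with a client:
!   show running-config aaa-server NTAuth
! A failed logon shows up in the PIX syslog as a AAA authentication
! rejection for the user, so watch "show logging" during the first test.
```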