ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliances and Firewall Service Module product lines with Magnus Mortensen. Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network security related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.

Remember to use the rating system to let Magnus know if you have received an adequate response.

Magnus might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 8, 2010. Visit this forum often to view responses to your questions and the questions of other community members.


Andrea,

I'm not sure what could be causing that off the top of my head. One thing that may be worth looking into is the Java Console in ASDM. You can access the console from the Tools menu in ASDM. Based on the fact that it takes about a minute, I think that some other operation may be timing out or erroring out. Do you see anything that stands out in the Java Console?

- Magnus

pushpendrayadav
Level 1

Hi,

We are using a Cisco PIX 515E (Cisco PIX Firewall Version 6.3(5)). We configured a few IPs for Polycom videoconferencing, but we are facing an issue with call drops.

For a few customers the phone rings and then disconnects without any talk. For a few of the customers it works for 20 seconds and then disconnects.

Please help me find the solution for this.

Allowed TCP and UDP ports for these applications:

  description TCP H323-H225
  port-object eq h323
  port-object eq 1719
  port-object eq https
  port-object range 3230 3237
  port-object eq ldap

  description UDP H323-H225
  port-object eq 1720
  port-object eq 1719
  port-object eq 443
  port-object range 3230 3237
  port-object eq 5222

Umm, it sounds like the RTP stream (audio stream) can't reach the Polycom.

Are you using a gatekeeper?

If the Polycom starts the call, does it work?

I think that it working for 20 seconds could be because it matches an existing session.

Pushpendra,

I have seen issues with Polycom and the PIX that manifest as dropped packets as a result of some IP options. If you enable debug-level syslogs, do you see any logs related to the endpoints in question? Any logs indicating dropped packets and the like? In some cases, as a result of protocol incompatibility, we need to disable the fixups and simply permit the traffic with ACLs. That may be worth testing, but with the old 6.x code you can only enable/disable the fixup globally; you have no granular control. With that in mind, a move to 7.2.5 may be of some value so you can get the better/advanced inspections, but also the ability to use MPF to selectively disable certain fixups (inspections) for certain flows.

- Magnus

MaDe
Level 1

Hello Magnus,

I have some problems understanding the management function.

asa1---transnet1---isp_router---vpn---isp_router---transnet2---asa2---management interface

I try to connect from asa1 network to asa2 management interface but it is not working.

I get this log msg from the log viewer:

I can only access the asa2 from the transnet2 site.

I added these commands to the asa2:

- management-access management

- http 172.20.0.250 255.255.255.255 NicTrans_outside

- ssh  172.20.0.250 255.255.255.255 NicTrans_outside

But with no success. Do you have any idea for me?

Many thanks

Timo

Timo,

The management-access command is only for when you are coming over a VPN tunnel that terminates on that ASA. As it notes in the documentation for that command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985

"To allow management access to an interface other than the one from which you entered the adaptive security appliance when using VPN, use the management-access command in global configuration mode."

If you are not coming over a VPN tunnel that terminates on the ASA, then the only way to access that ASA from locations behind the NicTrans_outside interface would be to connect to the NicTrans_outside IP address and not that of the management interface.

- Magnus

viacheslav.k
Level 1

Hi Magnus,

My question is connected with IPv6 routing and ASA.

My simple network topology:

PC======ASA 5520=======Router 2801

I've assigned following IPv6 Subnets:

PC-ASA:

Network is 2001::3000:100:/104

ASA has 2001::3000:101:1/104

PC has 2001::3000:133:136/104 (default gateway is 2001::3000:101:1)

ASA-Router:

Network is FC00:1::/32

ASA has FC00:1::1/32

Router has FC00:1::101/32 (default gateway is FC00:1::1)

The PC can ping its IPv6 gateway.

The Router can ping its IPv6 gateway.

The problem is that the PC can't ping (establish TCP connections, etc.) the Router and vice versa.

ASA can ping both of them.

When I use the 'packet-tracer' command on the ASA it says that connections are allowed.

The PC firewall is disabled. The Router does not have any IPv6 access-list.

The ASA has two IPv6 access-lists, one for each interface, with the following rules:

permit ip any any

permit icmp any any

I also used the commands 'ipv6 icmp permit any INT1' and 'ipv6 icmp permit any INT2'.

What is the problem in my situation? Why can't the PC and the Router communicate?

I thought that I have to enable IPv6 routing on the ASA, but I do not know how to do this.

When I do 'show ipv6 interface' I get:

INT1 [up/up]

.....

INT2 [up/up]

My head is going to blow up.

Help me, please

P.S. The ASA firmware is 8.2. The PC is Windows 7. The Router is running 12.4.

sding2006
Level 1

Hi Magnus,

We have deployed MPLS and have several L3VPNs. We are using a routed context from a single FWSM in a Catalyst 6500 with static routes to communicate between the global routing table and the VRF routing table. With more and more L3VPNs added, we want to add redundancy/failover to our design.

I am thinking of using a pair of FWSMs in separate Catalyst 6500 chassis with firewall failover and HSRP for the outside VLAN and inside VLAN, the outside VLAN connecting to the global RT and the inside VLAN connecting to the VRF RT.

Basically, the global table will have a static route for the VRF address space pointing to the active outside IP of the FWSM context.

The FWSM context outside VLAN will have a static default route pointing to the HSRP active in the global RT.

The FWSM context inside VLAN will have a static route for the VRF address space pointing to the HSRP active in the VRF RT.

Then in the VRF RT, a static default route to the FWSM context inside active.

Is this kind of setup supported? What's your recommendation to add redundancy/failover?

Thanks,

Shiling

Shiling,

If my interpretation of your network design is right, this should be just fine. This is the basic concept of inter-chassis failover. With this design, if the Primary FWSM in Chassis A fails, the Secondary FWSM in Chassis B will take over. When the FWSMs fail over, the active HSRP interfaces do not fail over. So when we are running through the Secondary FWSM, the traffic will flow through the Chassis A VRF, over the trunk on the INSIDE VLAN to the Secondary (now Active) FWSM in Chassis B, through the FWSM and then back over the trunk on the OUTSIDE VLAN to Chassis A to be routed by the global routing table. This design will provide redundancy for the FWSMs.

More information can be found here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1125008

- Magnus

great
Level 1

Hello!

I have a question about H.323 version 5 and 6 support on the ASA/FWSM.

We have a plan to set up a video conferencing system on our network.

There are some problems with an H.323 video codec.

I am wondering about the ASA and FWSM versions with the enhancement for H.323 version 6 support (CSCsk67454).
Could you let me know the exact version of ASA and FWSM that has the enhancement?

Thanks.

Hi,

I had to dig around a bit to double check, but from what I can see this was integrated into ASA code version 8.2.1, so moving to 8.2.3 would make sense and also provide the most bug fixes in the 8.2.x code train. Unfortunately I do not see any plans to add H.323 v6 support to the FWSM platform at this time. The FWSM, if v6 traffic passes through, will have the version downgraded to version 4 and extra fields removed.

- Magnus

MarcioMinicz
Level 1

Hello,

I know that we can implement ASA failover A/A or A/S, and that we can implement redundant interfaces. I know that each piece of equipment has an MTBF value. What I would like to know is how much better A/S implemented with a redundant interface is compared with A/S without a redundant interface (maybe in percentage).

Regards

Marcio Minicz

Marcio,

I do not think I have seen any MTBF numbers for interface failures, but we (TAC) rarely see cases come in where an interface has failed. Usually the failures are chassis-level failures (won't boot/power up/etc.). As a result I can only assume that the interfaces have a higher MTBF, so with/without a redundant interface wouldn't make a difference. The redundant interface setup could help protect you from failures of the attached switches, but it won't get you much on the ASA itself.

- Magnus

Thank you for your answer.

Marcio Minicz

coomera10
Level 1

Hi Magnus,

My question is fairly simple (hopefully) for you to answer.....

How is it possible to export the rule set on Cisco ASA firewalls, and what formats can you export the rules in? Excel (.csv, .xls, etc.)?

Thanks in advance
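As an added example (not part of this thread, and not a Cisco tool), one way to get an ASA rule set into a spreadsheet is to parse the `access-list NAME extended ...` lines from a `show running-config` dump into CSV. The sample config lines, the `parse_config`/`to_csv` helpers and the ACL names are constructed for illustration.

```python
import csv
import io

# Constructed sample in ASA 8.x running-config syntax; not taken from this thread.
SAMPLE_CONFIG = """\
access-list outside_in remark Web and H.323 to the DMZ (remarks are skipped)
access-list outside_in extended permit tcp any host 192.0.2.10 eq https
access-list outside_in extended permit udp 198.51.100.0 255.255.255.0 host 192.0.2.20 range 3230 3237
access-list outside_in extended deny ip any any log
access-list inside_out extended permit tcp object-group INSIDE_HOSTS any object-group WEB_PORTS
"""
FIELDS = ["acl", "action", "protocol", "src", "src_port", "dst", "dst_port", "log"]

def _take_addr(tokens):
    """Consume one address: any/any4/any6, or host/object/object-group/network plus one argument."""
    if tokens[0] in ("any", "any4", "any6"):
        return tokens[0], tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _take_port(tokens, allow_group):
    """Consume an optional port spec; a service object-group is only recognised in the
    destination position, since right after the source address it could be the destination."""
    if not tokens:
        return "", tokens
    head = tokens[0]
    if head in ("eq", "gt", "lt", "neq"):
        return f"{head} {tokens[1]}", tokens[2:]
    if head == "range":
        return f"range {tokens[1]} {tokens[2]}", tokens[3:]
    if head == "object-group" and allow_group:
        return f"object-group {tokens[1]}", tokens[2:]
    return "", tokens

def parse_ace(line):
    """Return one extended ACE as a dict, or None for remark/standard/non-ACL lines."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list" or t[2] != "extended":
        return None
    acl, action, proto, rest = t[1], t[3], t[4], t[5:]
    if proto == "object-group":                      # protocol/service group
        proto, rest = f"object-group {rest[0]}", rest[1:]
    src, rest = _take_addr(rest)
    src_port, rest = _take_port(rest, allow_group=False)
    dst, rest = _take_addr(rest)
    dst_port, rest = _take_port(rest, allow_group=True)
    return dict(zip(FIELDS, (acl, action, proto, src, src_port, dst, dst_port, "log" in rest)))

def parse_config(text):
    return [row for row in map(parse_ace, text.splitlines()) if row]   # all ACEs, in order

def to_csv(rows):
    buf = io.StringIO()                              # CSV text, ready for Excel
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Object and object-group names are kept as-is, so resolving them to addresses or ports still needs the matching `object`/`object-group` definitions from the same config.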
