Cisco Support Community

ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliances and Firewall Service Module product lines with Magnus Mortensen. Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network security related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.

Remember to use the rating system to let Magnus know if you have received an adequate response.

Magnus might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 8, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

ASA PHONE PROXY

hello,

I have a question. I need to configure ASA Phone Proxy, but this ASA appliance is located in the DMZ network.

Is it possible to configure this application in this design?

regards

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Angel,

I wish I had good news for you, but unfortunately a NAT router/firewall in front of a Phone Proxy ASA is not supported. Phone Proxy requires publicly routable addresses for both signaling and media termination; as a result, the implementation you are trying to set up will most likely not work. Many customers implement a standalone Phone Proxy ASA in parallel to the existing firewall in the network. The ASA would have interfaces on the outside Internet segment as well as on the inside subnet. Would you be able to place the Phone Proxy ASA in such a fashion? If you go down that path, then all you need to do to make sure routing isn't a problem is to use ASA version 8.2 or later and run per-interface MTA along with some NAT tricks in order to make sure that traffic destined for the proxied phones goes through the Proxy ASA and not through the other firewall.

- Magnus

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hi,

I was wondering when the next TAC Security Podcast was going to be released?

Thanks

Sean

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Sean,

For Episode 14, we changed how/where we are doing the recordings, so it is taking us a little bit of time to re-tool/edit and release this latest podcast. We hope to have it up and running soon. Thanks for listening!

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hello,

I am working on a project that involves CAT6K with ACE and FWSM modules (one ACE and two FWSM modules per physical chassis). I want to run FWSM in routed mode, but according to the docs FWSM in VSS does not support RHI.

I was wondering if RHI will be supported in this setup anytime soon?

One "workaround" is to put ACE before FWSM, so in that case the FWSM's lack of RHI support does not present a problem.

Is this a valid scenario?

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Pavel,

We see this question come up from time to time. There are some documents out there that incorrectly state that VSS and RHI do not work together. From FWSM version 4.0.4 onwards, RHI is supported in VSS. You can get more information about supported chassis code for VSS and RHI here:

FWSM 4.1.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html#wp161314

FWSM 4.0.x: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/release/notes/fwsmrn40.html#wp161314

If you are running FWSM 4.0.x and this is a new installation, you should run the latest 4.0.x image in order to get around bugs like:

CSCsz13933 - RHI:FWSM inject routes to MSFC even after state change from act to stdby (Fixed in 4.0.6 and beyond).

If you could, please provide a link to the documentation that noted it was not supported.

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hi Magnus,

Thank you for your answer.

I concluded that RHI is not supported on FWSM in a VSS configuration after reading the following white paper.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/white_paper_c11_513360.html

The link on the left side says:

FWSM4.0(4): Virtual Switching System (VSS) Integration

I am not a native English speaker, though, so maybe I missed the point.

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Pavel,

Thanks for the link. I will follow up and get that corrected if need be.

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

How does ASA in routed mode handle received multicast packets when there's no mroute in its routing table?

We have hosts sending packets towards 224.2.0.8 on our network.

Since we don't have multicast set up, switches simply forward them as broadcast.

What does the ASA do w/ these packets?

Is it smart enough to know these are multicast packets and drop them since there's no mroute, or does it forward them according to the default route, as if it's a normal L3 packet?

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Kevin,

The firewall, being a security device, will drop those packets. I went ahead and verified this here in my lab, and without an mroute, the traffic is dropped.

- Magnus

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

I have a 6500 with VSS, FWSM and ACE.

I suggest not using RHI.

I found 2 errors on the platform:

- Wrong RHI in failover between FWSMs (I use 4.1).

- Wrong RHI in VSS and ACE (injects wrong next-hop on VSS).

So I suggest going with static routes. KISS.

Bye.

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Jorge,

Most of the bugs that manifest as RHI routes not being removed after failover should be fixed in the 4.1.x versions. It may be worth opening a case so we can ID a bug (worst case, file one) so we can improve the feature.

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hi Magnus,

I have a question about DAP on Cisco ASA 5510.

Our firewall: ASA5510 8.2(1)11

When I try to connect from the LAN to the VPN client (IPsec), I receive an "Authorization denied for user 'unknown'" message because of the DAP applied to the VPN connection.

This is the log I have:

6    Sep 24 2010    09:39:32    109025    Server    1648    10.26.0.2    9595    Authorization denied (acl=DAP-ip-user-0076860E) for user '' from Server/1648 to 10.26.0.2/9595 on interface inside using TCP

where 10.26.0.2 is the IP address of the VPN client.

In the DAP I added an ACL that permits traffic from the Server to the VPN client network, and from the DAP trace I see that this ACL is applied to the connection.

Can you give me any suggestions?

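The log line quoted in the post above is ASA syslog message 109025. As an added example, not code from the post or from Cisco, here is a small parser for that message and a check that pulls out the exact symptom described (a DAP-generated ACL denying a flow that carries no username); the sample lines other than the first are constructed.

```python
import re
from typing import Optional

# Constructed sample log lines. The first is the line quoted in the post above
# (ASDM tabular view); the others are constructed to exercise the other branches.
SAMPLE_LOGS = [
    "6    Sep 24 2010    09:39:32    109025    Server    1648    10.26.0.2    9595    "
    "Authorization denied (acl=DAP-ip-user-0076860E) for user '' from Server/1648 "
    "to 10.26.0.2/9595 on interface inside using TCP",
    "%ASA-6-109025: Authorization denied (acl=DAP-ip-user-0076860E) for user 'jdoe' "
    "from 10.26.0.2/51000 to 10.1.1.5/443 on interface outside using TCP",
    "%ASA-6-109025: Authorization denied (acl=vpn_filter) for user '' "
    "from 10.26.0.7/1023 to 10.1.1.9/22 on interface outside using TCP",
    "%ASA-6-302013: Built inbound TCP connection 12 for inside:10.1.1.1/1 (10.1.1.1/1)",
]

# Message text of ASA syslog 109025. Matching only the trailing message text makes
# the same pattern work for raw %ASA-6-109025 lines and for the ASDM tabular export.
_RE_109025 = re.compile(
    r"Authorization denied \(acl=(?P<acl>[^)]+)\) for user '(?P<user>[^']*)' "
    r"from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+) using (?P<proto>\S+)"
)


def parse_109025(line: str) -> Optional[dict]:
    """Return the fields of a 109025 line, or None if the line is another message."""
    m = _RE_109025.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_dap_denies_without_user(lines) -> list:
    """Flag denies where a DAP-generated ACL (name starts with 'DAP-') was applied
    but the user field is empty: the symptom reported in the post."""
    hits = []
    for line in lines:
        rec = parse_109025(line)
        if rec and rec["acl"].startswith("DAP-") and rec["user"] == "":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_dap_denies_without_user(SAMPLE_LOGS):
        print(f"DAP deny without user: {hit['src']}/{hit['sport']} -> "
              f"{hit['dst']}/{hit['dport']} acl={hit['acl']} iface={hit['iface']}")
```
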
New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hello.

I need some help with an FWSM running software version 4.1(1) and Device Manager Version 6.2(1)F.

Using ASDM, the first time I select NAT from the Firewall menu, or Access Rules, the page appears only after one minute!

Why?

I'm seeing this issue after the ASDM upgrade.

Thanks.

Regards.

Andrea

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Andrea,

I'm not sure what could be causing that off the top of my head. One thing that may be worth looking into is the Java Console in ASDM. You can access the console from the Tools menu in ASDM. Based on the fact that it takes about a minute, I think that some other operation may be timing out or erroring out. Do you see anything that stands out in the Java Console?

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hi,

We are using a Cisco PIX 515E (Cisco PIX Firewall Version 6.3(5)). We configured a few IPs for Polycom videoconferencing, but we are facing an issue with call drops.

For a few customers the phone rings and then disconnects without any talk. For a few of the customers it works for 20 seconds and then disconnects.

Please help me to get the solution for this.

Allowed TCP and UDP ports for this application:

  description TCP H323-H225
  port-object eq h323
  port-object eq 1719
  port-object eq https
  port-object range 3230 3237
  port-object eq ldap

  description UDP H323-H225
  port-object eq 1720
  port-object eq 1719
  port-object eq 443
  port-object range 3230 3237
  port-object eq 5222

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Umm, it sounds like the RTP stream (audio stream) can't reach the Polycom.

Are you using a Gatekeeper?

If the Polycom starts the call, does it work?

I think the fact that it works for 20 seconds could be because it matches an existing session.

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Pushpendra,

I have seen issues with Polycom and the PIX that manifest as dropped packets as a result of some IP options. If you enable Debug Level Syslogs, do you see any logs related to the endpoints in question? Any logs indicating dropped packets and the like? In some cases, as a result of protocol incompatibility, we need to disable the fixups and simply permit the traffic with ACLs. That may be worth testing, but with the old 6.x code you can only enable/disable the fixup globally; you have no granular control. With that in mind, a move to 7.2.5 may be of some value so you can get the better/advanced inspections, but also the ability to use MPF to selectively disable certain fixups (inspections) for certain flows.

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hello Magnus,

I have some problems understanding the management function.

asa1---transnet1---isp_router---vpn---isp_router---transnet2---asa2---mangement interface

I try to connect from asa1 network to asa2 management interface but it is not working.

I get this log msg from the log viewer:

I can only access asa2 from the transnet2 site.

I added these commands to asa2:

- management-access management

- http 172.20.0.250 255.255.255.255 NicTrans_outside

- ssh  172.20.0.250 255.255.255.255 NicTrans_outside

But with no success. Do you have any idea for me?

Many thanks

Timo

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Timo,

The management-access command is only for when you are coming over a VPN tunnel that terminates on that ASA. As it notes in the documentation for that command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985

"To allow management access to an interface other than the one from which you entered the adaptive security appliance when using VPN, use the management-access command in global configuration mode."

If you are not coming over a VPN tunnel that terminates on the ASA, then the only way to access that ASA from locations behind the NicTrans_outside interface would be to connect to the NicTrans_outside IP address and not that of the management interface.

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hi Magnus,

My question is connected with IPv6 routing and ASA.

My simple network topology:

PC======ASA 5520=======Router 2801

I've assigned following IPv6 Subnets:

PC-ASA:

Network is 2001::3000:100:/104

ASA has 2001::3000:101:1/104

PC has 2001::3000:133:136/104 (default gateway is 2001::3000:101:1)

ASA-Router:

Network is FC00:1::/32

ASA has FC00:1::1/32

Router has FC00:1::101/32 (default gateway is FC00:1::1)

The PC can ping its IPv6 gateway.

The Router can ping its IPv6 gateway.

The problem is that the PC can't ping (establish TCP connections, etc.) the Router and vice versa.

The ASA can ping both of them.

When I use the 'packet-tracer' command on the ASA it says that connections are allowed.

The PC firewall is disabled. The Router does not have any IPv6 access-list.

The ASA has two IPv6 access-lists, one for each interface, with the following rules:

permit ip any any

permit icmp any any

I also used commands 'ipv6 icmp permit any INT1' and 'ipv6 icmp permit any INT2'.

What is the problem in my situation? Why can't the PC and Router communicate?

I thought that I have to enable IPv6 routing on the ASA, but I do not know how to do this.

When I do 'show ipv6 interface' I get:

INT1 [up/up]

.....

INT2 [up/up]

My head is going to blow up.

Help me, please

P.S. ASA firmware is 8.2. PC is Windows 7. Router is 12.4.

New Member

Network Virtualization - Firewall Redundancy Recommendation

Hi Magnus,

We have deployed MPLS and have several L3VPNs. We are using a routed context from a single FWSM in a Catalyst 6500, with static routes to communicate between the global routing table and the VRF routing table. With more and more L3VPNs added, we want to add redundancy/failover to our design.

I am thinking of using a pair of FWSMs in separate Catalyst 6500 chassis with firewall failover and HSRP for the outside VLAN and inside VLAN, the outside VLAN connecting to the global RT and the inside VLAN connecting to the VRF RT.

Basically, the global table will have a static route for the VRF address space pointing to the active outside IP of the FWSM context,

the FWSM context outside VLAN will have a static default route pointing to the HSRP active in the global RT,

the FWSM context inside VLAN will have a static route for the VRF address space pointing to the HSRP active in the VRF RT,

then in the VRF RT, a default static route to the FWSM context inside active.

Is this kind of setup supported? What's your recommendation to add redundancy/failover?

Thanks,

Shiling

Cisco Employee

Re: Network Virtualization - Firewall Redundancy Recommendation

Shiling,

If my interpretation of your network design is right, this should be just fine. This is the basic concept of inter-chassis failover. With this design, if the Primary FWSM in Chassis A fails, the Secondary FWSM in Chassis B will take over. When the FWSMs fail over, the active HSRP interfaces do not fail over. So when we are running through the Secondary FWSM, the traffic will flow through the Chassis A VRF, over the trunk on the INSIDE VLAN to the Secondary (now Active) FWSM in Chassis B, through the FWSM and then back over the trunk on the OUTSIDE VLAN to Chassis A to be routed by the Global Routing table. This design will provide redundancy for the FWSMs.

More information can be found here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1125008

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hello!

I have a question about H.323 version 5 and 6 support on the ASA/FWSM.

We have a plan to set up a video conferencing system on our network.

There are some problems with an H.323 video codec.

I am wondering about the ASA and FWSM version for the enhancement H323: Version 6 support (CSCsk67454).
Could you let me know the exact version of ASA and FWSM that has the enhancement?

Thanks.

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hi,

I had to dig around a bit to double check, but from what I can see this was integrated into ASA code version 8.2.1, so moving to 8.2.3 would make sense and also provide the most bug fixes in the 8.2.x code train. Unfortunately I do not see any plans to add H.323 v6 support to the FWSM platform at this time. The FWSM, if v6 traffic passes through, will have the version downgraded to version 4 and extra fields removed.

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hello,

I know that we can implement ASA failover A/A or A/S, and that we can implement redundant interfaces. I know that each piece of equipment has an MTBF value. What I would like to know is how much better A/S implemented with redundant interfaces is compared with A/S without redundant interfaces (maybe in percentage).

Regards

Marcio Minicz

Cisco Employee

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Marcio,

I do not think I have seen any MTBF numbers for interface failures, but we (TAC) rarely see cases come in where an interface has failed. Usually the failures are chassis-level failures (won't boot/power up/etc.). As a result I can only assume that the interfaces have a higher MTBF, so with/without a redundant interface wouldn't make a difference. The redundant interface setup could help protect you from failures of the attached switches, but it won't get you much on the ASA itself.

- Magnus

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Thank you for your answer.

Marcio Minicz

New Member

Re: ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Hi Magnus,

My question is fairly simple (hopefully) for you to answer.

How is it possible to export the rule set on Cisco ASA firewalls, and what formats can you export the rules in? Excel (.csv, .xls, etc.)?

Thanks in advance
