Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliance and Firewall Services Module product lines with Magnus Mortensen. Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network security related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.
Remember to use the rating system to let Magnus know if you have received an adequate response.
Magnus might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 8, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
ASA PHONE PROXY
I have a question. I need to configure ASA Phone Proxy, but this ASA appliance sits in a DMZ network.
Is it possible to configure this application in this design?
I wish I had good news for you, but unfortunately a NAT router/firewall in front of a Phone Proxy ASA is not supported. Phone Proxy requires publicly routable addresses for both signaling and media termination; as a result, the implementation you are trying to set up will most likely not work. Many customers implement a standalone Phone Proxy ASA in parallel to the existing firewall in the network. The ASA would have interfaces on the outside Internet segment as well as on the inside subnet. Would you be able to place the Phone Proxy ASA in such a fashion? If you go down that path, then all you need to do to make sure routing isn't a problem is to use ASA version 8.2 or later and run a per-interface MTA along with some NAT tricks in order to make sure that traffic destined for the proxied phones goes through the Phone Proxy ASA and not through the other firewall.
For Episode 14, we changed how/where we are doing the recordings, so it is taking us a little bit of time to re-tool/edit and release this latest podcast. We hope to have it up and running soon. Thanks for listening!
I am working on project that involves CAT6K with ACE and FWSM modules (one ACE and two FWSM modules per physical chassis). I want to run FWSM in routed mode but according to docs FWSM in VSS does not support RHI.
I was wondering if RHI will be supported in this setup anytime soon?
One "workaround" is to put the ACE before the FWSM, so in that case the FWSM's lack of RHI support does not present a problem.
Is this valid scenario?
We see this question come up from time to time. There are some documents out there that incorrectly state that VSS and RHI do not work together. From FWSM version 4.0.4 onwards, RHI is supported in VSS. You can get more information about supported chassis code for VSS and RHI here:
If you are running FWSM 4.0.x and this is a new installation, you should run the latest 4.0.x image in order to get around bugs like:
CSCsz13933 - RHI:FWSM inject routes to MSFC even after state change from act to stdby (Fixed in 4.0.6 and beyond).
If you could, please provide a link to the documentation that noted it was not supported.
Thank you for your answer.
I concluded that RHI is not supported on FWSM in VSS configuration reading the following white paper.
The link on the left side says:
I am not a native English speaker, though, so maybe I missed the point.
How does ASA in routed mode handle received multicast packets when there's no mroute in its routing table?
We have hosts sending packets towards 188.8.131.52 on our network.
Since we don't have multicast set up, switches simply forward them as broadcast.
What does the ASA do with these packets?
Is it smart enough to know these are multicast packets, and drop them since there's no mroute, or does it forward them according to the default route, as if it were a normal L3 packet?
The firewall, being a security device, will drop those packets. I went ahead and verified this here in my lab, and without a mroute, the traffic is dropped.
I have a 6500 with VSS, FWSM and ACE.
I suggest not using RHI.
I found 2 errors on the platform:
- Wrong RHI in failover between FWSMs (I use 4.1).
- Wrong RHI in VSS and ACE (injects the wrong next-hop on VSS).
So I suggest going with static routes. KISS.
Most of the bugs that manifest as RHI routes not being removed after failover should be fixed in the 4.1.x versions. It may be worth opening a case so we can ID a bug (worst case, file one) so we can improve the feature.
I have a question about DAP on Cisco ASA 5510.
Our firewall: ASA5510 8.2(1)11
When I try to connect from the LAN to the VPN client (IPsec), I receive an "Authorization denied for user 'unknown'" message because of the DAP applied to the VPN connection.
This is the log I have:
6 Sep 24 2010 09:39:32 109025 Server 1648 10.26.0.2 9595 Authorization denied (acl=DAP-ip-user-0076860E) for user '
where 10.26.0.2 is the ip address of the vpnclient.
In the DAP I added an ACL that permits traffic from the Server to the VPN client network, and from the DAP trace I see that this ACL is applied to the connection.
Can you give me any suggestions?
I need some help about FWSM running software version 4.1(1) and Device Manager Version 6.2(1)F.
Using ASDM, the first time I select NAT or Access Rules from the Firewall menu, the page appears only after one minute!
I'm seeing this issue after the ASDM upgrade.
I'm not sure what could be causing that, off the top of my head. One thing that may be worth looking into is the Java Console in ASDM. You can access the console from the Tools menu in ASDM. Based on the fact that it takes about a minute, I think that some other operation may be timing out or erroring out. Does anything stand out in the Java Console?
We are using a Cisco PIX 515E (Cisco PIX Firewall Version 6.3(5)). We configured a few IPs for Polycom videoconferencing, but we are facing an issue with call drops.
For a few customers the phone rings and then disconnects without any talk. For a few other customers it works for 20 seconds and then disconnects.
Please help me find a solution for this.
Allowed TCP and UDP ports for this application:
description TCP H323-H225
port-object eq h323
port-object eq 1719
port-object eq https
port-object range 3230 3237
port-object eq ldap
description UDP H323-H225
port-object eq 1720
port-object eq 1719
port-object eq 443
port-object range 3230 3237
port-object eq 5222
Umm, it sounds like the RTP stream (audio stream) can't reach the Polycom.
Are you using a gatekeeper?
If the Polycom starts the call, does it work?
I think that it working for 20 seconds may be because it matches an existing session.
I have seen issues with Polycom and the PIX that manifest as dropped packets as a result of some IP options. If you enable debug-level syslogs, do you see any logs related to the endpoints in question? Any logs indicating dropped packets and the like? In some cases, as a result of protocol incompatibility, we need to disable the fixups and simply permit the traffic with ACLs. That may be worth testing, but with the old 6.x code, you can only enable/disable the fixup globally; you have no granular control. With that in mind, a move to 7.2.5 may be of some value so you can get the better/advanced inspections, but also the ability to use MPF to selectively disable certain fixups (inspections) for certain flows.
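What the MPF approach from the answer above looks like on 7.2(5) code: H.323 inspection stays on for everyone except the Polycom units, which are instead handled with plain ACL permits. This is an added example, not configuration from the original thread or from Cisco; the endpoint addresses, object-group, ACL and class-map names are assumed, and the 3230-3237 media range is taken from the port list posted in the question.

```cisco
! Polycom endpoints to exempt from the H.323 fixup (assumed addresses)
object-group network POLYCOM_ENDPOINTS
 network-object host 10.10.10.25
 network-object host 10.10.10.26
!
! Flows that should STILL be inspected: H.225 (tcp/1720) and RAS (udp/1719)
! signaling for every host except the Polycom units. The deny lines carve the
! endpoints out of the class; the permit lines keep inspection for all others.
access-list H323_INSPECT extended deny tcp object-group POLYCOM_ENDPOINTS any eq h323
access-list H323_INSPECT extended deny tcp any object-group POLYCOM_ENDPOINTS eq h323
access-list H323_INSPECT extended deny udp object-group POLYCOM_ENDPOINTS any eq 1719
access-list H323_INSPECT extended deny udp any object-group POLYCOM_ENDPOINTS eq 1719
access-list H323_INSPECT extended permit tcp any any eq h323
access-list H323_INSPECT extended permit udp any any eq 1719
!
class-map H323_INSPECT_CLASS
 match access-list H323_INSPECT
!
! Take H.323 out of the default inspection class and re-add it only for the
! filtered class, so the Polycom flows bypass the inspection engine entirely.
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 class H323_INSPECT_CLASS
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
!
! With no fixup, the firewall no longer opens dynamic pinholes for the
! exempted endpoints, so their signaling and media ports must be permitted
! explicitly on the interface ACL (interface name assumed).
access-list OUTSIDE_IN extended permit tcp any object-group POLYCOM_ENDPOINTS eq h323
access-list OUTSIDE_IN extended permit udp any object-group POLYCOM_ENDPOINTS eq 1719
access-list OUTSIDE_IN extended permit tcp any object-group POLYCOM_ENDPOINTS range 3230 3237
access-list OUTSIDE_IN extended permit udp any object-group POLYCOM_ENDPOINTS range 3230 3237
access-group OUTSIDE_IN in interface outside
```

After applying this, `show service-policy` lists both classes with their inspect counters, and `show conn` for a Polycom call should show only the statically permitted ports rather than inspection-created pinholes. One caveat: with the fixup bypassed, the firewall also stops rewriting the IP addresses embedded in H.225/H.245 payloads, so this only works when the exempted endpoints are not NATed or are configured with their own public address.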
I have some problems understanding the management function.
I try to connect from the asa1 network to the asa2 management interface, but it is not working.
I get this log message from the log viewer:
I can only access asa2 from the transnet2 site.
I added these commands to asa2:
- management-access management
- http 172.20.0.250 255.255.255.255 NicTrans_outside
- ssh 172.20.0.250 255.255.255.255 NicTrans_outside
But with no success. Do you have any idea for me?
The management-access command is only for when you are coming over a VPN tunnel that terminates on that ASA. As it notes in the documentation for that command:
"To allow management access to an interface other than the one from which you entered the adaptive security appliance when using VPN, use the management-access command in global configuration mode."
If you are not coming over a VPN tunnel that terminates on the ASA, then the only way to access that ASA from locations behind the NicTrans_outside interface, would be to connect to the NicTrans_outside IP address and not that of the management interface.
My question is connected with IPv6 routing and ASA.
My simple network topology:
PC======ASA 5520=======Router 2801
I've assigned following IPv6 Subnets:
Network is 2001::3000:100:/104
ASA has 2001::3000:101:1/104
PC has 2001::3000:133:136/104 (default gateway is 2001::3000:101:1)
Network is FC00:1::/32
ASA has FC00:1::1/32
Router has FC00:1::101/32 (default gateway is FC00:1::1)
The PC can ping its IPv6 gateway.
The Router can ping its IPv6 gateway.
The problem is that the PC can't ping (establish TCP connections, etc.) the Router and vice versa.
ASA can ping both of them.
When I use 'packet-trace' command on ASA it says that connections are allowed.
The PC firewall is disabled. The Router has no IPv6 access-list.
ASA has two IPv6 access-list for both interfaces with following rules:
permit ip any any
permit icmp any any
I also used commands 'ipv6 icmp permit any INT1' and 'ipv6 icmp permit any INT2'.
What is the problem in my situation? Why can't the PC and Router communicate?
I thought that I have to enable IPv6 routing on ASA, but I do not know how to do this.
When I do 'show ipv6 interface' I get:
My head is going to blow up.
Help me, please
P.S. ASA firmware is 8.2. PC is Windows 7. Router is 12.4.
We have deployed MPLS and have several L3VPNs. We are using a routed context from a single FWSM in a Catalyst 6500 with static routes to communicate between the global routing table and the VRF routing table. With more and more L3VPNs added, we want to add redundancy/failover to our design.
I am thinking of using a pair of FWSMs in separate Catalyst 6500 chassis with firewall failover and HSRP for the outside VLAN and inside VLAN, the outside VLAN connecting to the global RT, the inside VLAN connecting to the VRF RT.
Basically the global table will have a static route for the VRF address space pointing to the active outside IP of the FWSM context,
the FWSM context outside VLAN will have a static default route pointing to the HSRP active in the global RT,
the FWSM context inside VLAN will have a static route for the VRF address space pointing to the HSRP active in the VRF RT,
then in the VRF RT, a static default to the FWSM context inside active.
Is this kind of setup supported? What's your recommendation to add redundancy/failover?
If my interpretation of your network design is right, this should be just fine. This is the basic concept of inter-chassis failover. With this design, if the Primary FWSM in Chassis A fails, the Secondary FWSM in Chassis B will take over. When the FWSMs fail over, the active HSRP interfaces do not fail over. So when we are running through the Secondary FWSM, the traffic will flow through the Chassis A VRF, over the trunk on the INSIDE VLAN to the Secondary (now Active) FWSM in Chassis B, through the FWSM and then back over the trunk on the OUTSIDE VLAN to Chassis A to be routed by the Global Routing table. This design will provide redundancy for the FWSMs.
More information can be found here:
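A skeleton of the two-chassis design confirmed in the answer above, as an added example that is not part of the original answer or of Cisco documentation. VLAN numbers, addresses, the VRF name CUST-A, the context name and the module slot are assumed, and the failover commands follow the FWSM 4.x style; verify them against the command reference for your release.

```cisco
! ==== Catalyst 6500 Chassis A MSFC (Chassis B mirrors this with lower HSRP priority) ====
! Data VLANs 20/30 and the failover VLANs 900/901 are handed to the FWSM in slot 3
! and must all be carried on the inter-chassis trunk (assumed IDs).
firewall vlan-group 1 20,30,900,901
firewall module 3 vlan-group 1
!
! Outside VLAN: lives in the global routing table
interface Vlan20
 ip address 10.255.20.11 255.255.255.0
 standby 20 ip 10.255.20.1
 standby 20 priority 110
 standby 20 preempt
!
! Inside VLAN: lives in the customer VRF ("ip vrf forwarding" must precede the address)
interface Vlan30
 ip vrf forwarding CUST-A
 ip address 10.255.30.11 255.255.255.0
 standby 30 ip 10.255.30.1
 standby 30 priority 110
 standby 30 preempt
!
! Static routes point at the FWSM context's ACTIVE address, which moves with failover,
! so no route change is needed when the secondary FWSM takes over.
ip route 172.16.0.0 255.255.0.0 10.255.20.3
ip route vrf CUST-A 0.0.0.0 0.0.0.0 10.255.30.3

! ==== FWSM system execution space, Chassis A (Chassis B: "failover lan unit secondary") ====
! Failover control and stateful links ride VLANs that have no SVI on the MSFC.
failover lan unit primary
failover lan interface FOVER vlan 900
failover link STATE vlan 901
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip STATE 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover polltime unit 1 holdtime 3
failover
!
context CUST-A
 allocate-interface vlan20
 allocate-interface vlan30
 config-url disk:/CUST-A.cfg

! ==== Routed context CUST-A (replicated to the standby unit automatically) ====
interface Vlan20
 nameif outside
 security-level 0
 ip address 10.255.20.3 255.255.255.0 standby 10.255.20.4
!
interface Vlan30
 nameif inside
 security-level 100
 ip address 10.255.30.3 255.255.255.0 standby 10.255.30.4
!
! Next hops are the HSRP virtual IPs, so these routes stay valid from either chassis.
route outside 0.0.0.0 0.0.0.0 10.255.20.1
route inside 172.16.0.0 255.255.0.0 10.255.30.1
```

`show failover` on the FWSM should report both units with the interfaces in a Normal (Monitored) state, and `show standby brief` on each MSFC confirms that HSRP stays active on Chassis A regardless of which FWSM is active. Because the HSRP active router does not follow the FWSM, a failover to Chassis B simply hairpins the traffic across the trunk on VLANs 30 and 20, exactly as described in the answer; size the trunk for that.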
I have a question about h.323 version 5 and 6 support of ASA/FWSM.
We have a plan to set up a video conferencing system on our network.
There are some problems with an H.323 video codec.
I am wondering about the ASA and FWSM versions for the enhancement H323: Version 6 support (CSCsk67454).
Could you let me know the exact ASA and FWSM versions that have the enhancement?
I had to dig around a bit to double check but from what I can see this was integrated into ASA code version 8.2.1 so moving to 8.2.3 would make sense and also provide the most bug fixes in the 8.2.x code train. Unfortunately I do not see any plans to add h323 v6 support to the FWSM platform at this time. The FWSM, if v6 traffic passes through, will have the version downgraded to version 4 and extra fields removed.
I know that we can implement ASA failover A/A or A/S, and that we can implement redundant interfaces. I know that each piece of equipment has an MTBF value. What I would like to know is how much better A/S implemented with redundant interfaces is compared with A/S without redundant interfaces (maybe as a percentage).
I do not think I have seen any MTBF numbers for interface failures, but we (TAC) rarely see cases come in where an interface has failed. Usually the failures are chassis-level failures (won't boot/power up/etc.). As a result I can only assume that the interfaces have a higher MTBF, so with/without a redundant interface wouldn't make a difference. The redundant interface setup could help protect you from failures of the attached switches, but it won't get you much on the ASA itself.
My question is fairly simple (hopefully) for you to answer.
How is it possible to export the rule set on Cisco ASA firewalls, and what formats can you export the rules in? Excel (.csv, .xls, etc.)?
Thanks in advance