New Member

Cisco ASA CX

Hi,

I have configured the CX to filter URLs, however I am having issues with the updates. It seems that the CX module can't access the internet.

How do I configure the CX/management interface of the ASA to reach the internet so that it can perform updates?

Cheers,

Ash


28 REPLIES
Hall of Fame Super Silver

Cisco ASA CX

The CX uses the ASA management interface (on the 5512X through 5555X). You need a default route for the management interface on the ASA.

See the CX Quick Start Guide here for more details.

New Member

Cisco ASA CX

There is a default route for the management network, however it does not get out to the internet..?

Hall of Fame Super Silver

Cisco ASA CX

The route doesn't need to point to the Internet per se but traffic sourced from the ASA / CX management interface to that gateway must be able to reach the Internet and get replies back.

A quick test is, from the ASA: "ping management 8.8.8.8".

New Member

Cisco ASA CX

Yeah, I get that the gateway must reach the internet, but it's not currently.

Do you know if there are any particular steps required to allow the management interface to get internet access? When I run the packet tracer I get the following output -

myvpn# packet-tracer input management icmp 10.0.125.2 8 0 4.2.2.2 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: mgmt-deny-all
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9f352740, priority=200, domain=mgmt-lockdown, deny=true
        hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=management, output_ifc=any

Result:
input-interface: management
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hall of Fame Super Silver

Re: Cisco ASA CX

On my working CX, I see I have a default route set on the cx itself:

seclabcx>show route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.255.0.0     U     0      0        0 cplane
0.0.0.0         192.168.100.254 0.0.0.0         UG    0      0        0 eth0

I believe this is done during the CX setup.

New Member

Re: Cisco ASA CX

I have the default route on the CX set to our core switch, as stated on the setup guide.

Does your default route point to the ASA management interface?

Hall of Fame Super Silver

Re: Cisco ASA CX

My default route for the CX is the core switch's L3 interface on the VLAN that the ASA / CX module management interface is assigned to:

seclabcx>show int
eth0      Link encap:Ethernet  HWaddr 50:3D:E5:9E:38:70
          inet addr:192.168.100.6  Bcast:192.168.100.255  Mask:255.255.255.0

SECLABCORE#sh mac address-table | i 3870
100    503d.e59e.3870   dynamic ip,other              GigabitEthernet2/5
SECLABCORE#
SECLABCORE#sh run int gi2/5
Building configuration...

Current configuration : 146 bytes
!
interface GigabitEthernet2/5
 description ASA-CX module
 switchport access vlan 100
 logging event link-status
 logging event trunk-status
end

SECLABCORE#show ip int br | i 100.254
Vlan100                192.168.100.254 YES NVRAM  up                    up
SECLABCORE#

New Member

Re: Cisco ASA CX

Hmmmm. I have no idea why this isn't working then. Are you able to ping from the switch out the internet if you source the ping from VLAN 100?

Hall of Fame Super Silver

Re: Cisco ASA CX

Yes, I am able to do that:

SECLABCORE#ping 8.8.8.8 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
SECLABCORE#

Can you potentially look at your firewall logs or packet capture to see if the traffic is seen when originated from your CX?

New Member

Re: Cisco ASA CX

Just did a capture on the management interface and it shows as 0 whilst running continuous pings from the CX.

capture CX type raw-data trace interface management [Capturing - 0 bytes]

Hall of Fame Super Silver

Re: Cisco ASA CX

Actually I was thinking of looking for traffic from the CX while it transits the firewall inside interface.

If your setup is like mine the flow is:

ASA CX interface = physically the ASA's m0/0 but logically separate, thus a capture from the ASA won't see it

to

core switch SVI = default gateway of CX

to

ASA Inside interface = default route for Internet-bound traffic

It's on that Inside interface that I would capture to troubleshoot and isolate the problem.

Re the NAT, on my lab firewall it's a simple dynamic NAT using the outside interface address:

object network Inside-Any-Hide
 subnet 0.0.0.0 0.0.0.0
 description Inside-PAT-Hide
object network Inside-Any-Hide
 nat (transit-inside,outside) dynamic interface

New Member

Re: Cisco ASA CX

Yeah, my setup is the same as yours.

Output from capture -

  20: 16:53:49.113077       802.1Q vlan#5 P0 10.0.125.2 > 4.2.2.2: icmp: echo request
  21: 16:53:50.113351       802.1Q vlan#5 P0 10.0.125.2 > 4.2.2.2: icmp: echo request
  22: 16:53:50.958278       802.1Q vlan#5 P0 10.0.125.2.51529 > 208.90.58.5.443: S 1355489554:1355489554(0) win 5840

Hall of Fame Super Silver

Re: Cisco ASA CX

So the capin shows your CX traffic (both the ping and what is probably an attempt to reach Cisco on port 443) going into the firewall - that's good.

Working it hop-by-hop I would next look to see:

Is it going out the other side? Is it NATted as expected? Is there any WCCP redirection or other proxy involved?

If it's going out the other side, are the replies coming in and allowed back through?

New Member

Cisco ASA CX

NAT is showing -

(inside) to (outside) source dynamic CX-MANAGEMENT interface
    translate_hits = 15, untranslate_hits = 17

Not using any proxies

Hall of Fame Super Silver

Cisco ASA CX

OK, so in that case the replies should show up as outbound traffic on the ASA inside interface to the CX Management IP address. Does a capture show them?

New Member

Cisco ASA CX

No, the replies aren't showing.

I can ping from the core switch sourced from any VLAN except the CX VLAN.

Hall of Fame Super Silver

Re: Cisco ASA CX

Does the ASA know to route the replies back via the core switch? If it also has its management address on the same subnet, that could be the issue since it thinks that network is connected.

Try adding a /32 route on the ASA inside interface for both the CX VLAN SVI and the CX Management address.

New Member

Re: Cisco ASA CX

I previously had a /32 route for the CX interface, however I did add the route for the CX VLAN SVI. Still not able to get out. I ran a packet tracer and got the following output -

packet-tracer input insid icmp 10.0.125.2 0 8 4.2.2.2 det

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9f3b3350, priority=13, domain=capture, deny=false
        hits=236269, user_data=0x7fff9dfbec70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9f2fe570, priority=1, domain=permit, deny=false
        hits=27398061, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network CX-MANAGEMENT
 nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff984e5750, priority=6, domain=nat, deny=false
        hits=207, user_data=0x7fffa1ea9380, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.0.125.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9e8fb6e0, priority=0, domain=nat-per-session, deny=true
        hits=418401, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff9f307540, priority=0, domain=inspect-ip-options, deny=true
        hits=1321622, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-cluster-unassigned-pool) NAT unassigned pool in cluster

Hall of Fame Super Silver

Re: Cisco ASA CX

Well from that last trace, it's reporting an issue with your NAT setup. Can you share the network object and associated NAT configuration?

New Member

Re: Cisco ASA CX

object network CX-MANAGEMENT
 subnet 10.0.125.0 255.255.255.0
object network CX-MANAGEMENT
 nat (inside,outside) dynamic interface

Hall of Fame Super Silver

Re: Cisco ASA CX

Your NAT rule looks very straightforward. Unless there's another NAT rule above it in the firewall's configuration, I'm not convinced the packet-tracer output is legitimately showing what the ASA is doing. After all, your earlier post showed both translate and untranslate hits.

From the ASA inside interface can you ping the CX VLAN SVI and CX IP address (and vice versa)?

New Member

Re: Cisco ASA CX

Hi,

I can't ping the CX SVI or CX IP address from the inside interface.

VIP Green

Re: Cisco ASA CX

Could you post a full sanitized configuration of your ASA please.  I am wondering if there is another NAT statement that is messing things up.

New Member

Cisco ASA CX

Hi,

Config attached to original post

Hall of Fame Super Silver

Re: Cisco ASA CX

Your routing statements:

route inside 10.0.125.2 255.255.255.255 10.0.125.4 1
route inside 10.0.125.4 255.255.255.255 10.0.125.4 1

...will not work. They need to define the gateway on the Inside subnet (10.0.35.x). Try changing that and see if you can reach the SVI and then the CX interface. If you can, the CX should be able to get out to the Internet and receive the return traffic.
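The diagnosis above, and the earlier question of whether the ASA knows to send replies back via the core switch, come down to how a static route's next hop is resolved: the ASA forwards to a static route's gateway only if that gateway is on the connected subnet of the route's egress interface, so a route for 10.0.125.2/32 via 10.0.125.4 on an interface that lives on 10.0.35.x can never be used, and the reply to the CX falls through to the default route out the outside interface. The following Python model is an added illustration, not code from the thread or from Cisco; the addresses 10.0.125.2, 10.0.125.4 and the 10.0.35.x inside subnet come from the thread, while the exact inside prefix (10.0.35.0/24), the core switch's inside address (10.0.35.254) and the outside subnet and gateway (203.0.113.0/24, 203.0.113.1) are assumptions. It also generalises the point to any longest-prefix lookup, not just the two /32 routes quoted above.

```python
"""Model of ASA static-route next-hop resolution (added example, assumptions
labelled inline).  A static route whose gateway is not on the egress
interface's connected subnet is treated as unusable, which is the behaviour
the accepted answer in the thread relies on."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Interface:
    name: str
    network: IPv4Net        # connected subnet of this interface


@dataclass(frozen=True)
class StaticRoute:
    iface: str              # egress interface named in "route <iface> ..."
    prefix: IPv4Net
    next_hop: IPv4Addr
    metric: int = 1


class RouteTable:
    def __init__(self, interfaces):
        self.ifaces = {i.name: i for i in interfaces}
        self.routes = []

    def add(self, route: StaticRoute) -> None:
        self.routes.append(route)

    def next_hop_resolvable(self, route: StaticRoute) -> bool:
        # The gateway must be directly reachable (ARP-able) on the egress
        # interface's connected subnet; 10.0.125.4 is not on 10.0.35.0/24.
        return route.next_hop in self.ifaces[route.iface].network

    def lookup(self, dst: str) -> Optional[Tuple[int, str, Optional[IPv4Addr]]]:
        """Longest-prefix match over connected networks and usable statics.
        Returns (prefix length, egress interface, next hop or None)."""
        addr = IPv4Addr(dst)
        best = None
        for name, iface in self.ifaces.items():
            if addr in iface.network:
                cand = (iface.network.prefixlen, name, None)
                if best is None or cand[0] > best[0]:
                    best = cand
        for r in self.routes:
            if addr in r.prefix and self.next_hop_resolvable(r):
                cand = (r.prefix.prefixlen, r.iface, r.next_hop)
                if best is None or cand[0] > best[0]:
                    best = cand
        return best


def base_table() -> RouteTable:
    # Assumed interface subnets: inside 10.0.35.0/24 (thread says 10.0.35.x),
    # outside 203.0.113.0/24 with an assumed upstream gateway 203.0.113.1.
    rt = RouteTable([Interface("inside", IPv4Net("10.0.35.0/24")),
                     Interface("outside", IPv4Net("203.0.113.0/24"))])
    rt.add(StaticRoute("outside", IPv4Net("0.0.0.0/0"), IPv4Addr("203.0.113.1")))
    return rt


def broken_table() -> RouteTable:
    # The two routes quoted in the thread: gateway 10.0.125.4 is not on the
    # inside subnet, so neither route can ever be used.
    rt = base_table()
    rt.add(StaticRoute("inside", IPv4Net("10.0.125.2/32"), IPv4Addr("10.0.125.4")))
    rt.add(StaticRoute("inside", IPv4Net("10.0.125.4/32"), IPv4Addr("10.0.125.4")))
    return rt


def fixed_table() -> RouteTable:
    # Same /32 destinations, gateway moved to the core switch's assumed
    # address on the inside subnet (10.0.35.254).
    rt = base_table()
    core = IPv4Addr("10.0.35.254")
    rt.add(StaticRoute("inside", IPv4Net("10.0.125.2/32"), core))
    rt.add(StaticRoute("inside", IPv4Net("10.0.125.4/32"), core))
    return rt


def reply_egress(rt: RouteTable, cx_addr: str = "10.0.125.2") -> str:
    """Interface the ASA would use for a reply to the CX management address."""
    match = rt.lookup(cx_addr)
    return match[1] if match else "unroutable"


if __name__ == "__main__":
    print("broken:", reply_egress(broken_table()))   # outside (default route wins)
    print("fixed: ", reply_egress(fixed_table()))    # inside via 10.0.35.254
```

Run as-is, the broken table sends the CX reply out the outside interface (the only usable route is the default), which matches the thread's symptom of pings reaching the ASA from the CX with no replies seen on the inside capture; the fixed table sends it back through the core switch.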

New Member

Cisco ASA CX

Thank you very much for your help on this

Hall of Fame Super Silver

Cisco ASA CX

You're welcome. Sometimes it's the smallest things.

I was working a setup this weekend and banging on the keyboard most of the night and unable to solve one problem at the end of a string of tasks. I looked at it again after getting a good night's sleep and found the customer had misconfigured the subnet mask on one interface. Sometimes that "sort of" works - you can pass traffic and reach remote devices but EIGRP, even though it would form an adjacency, would not update routes. I changed the /16 mask to /24 and - voila - everything worked as expected.

New Member

Cisco ASA CX

Lol. Yeah, it's always the small things that come back and bite.

Once again, thanks for all the help you have given.
