New Member

PIX515 to PIX525 migrate problem

I have upgraded to PIX 525 7.2(2). When I did, I used the same rules as on the 515. I know the fixup changed to inspect and have all working with the strange exception of VOIP and some special applications. One is with port 2000. I need to allow port 2000 to a specific PC, and have done so with an ACL entry.

object-group network Zap2it_host
 description Zap2it allowed hosts
 network-object 192.168.6.0 255.255.255.0
access-list OUT_to_IN extended permit tcp object-group Zap2it_host host 10.10.10.22 eq 2000
access-group OUT_to_IN in interface outside

All IPs are public and no NAT is configured (only 2 interfaces, inside and outside). However, packets are dropped but do not reflect where they are dropped. A capture of both interfaces only shows traffic on the outside.

packets captured

1: 15:43:39.129754 192.168.6.5.3280 > 10.10.10.22.2000: S 3184932859:3184932859(0) win 25200 <mss 1460,nop,nop,sackOK>

Assistance will be greatly appreciated.

Regards,

Brad

2 REPLIES
New Member

Re: PIX515 to PIX525 migrate problem

Hi Brad,

Maybe you can track the dropped traffic and check for the drop code. Try using the "show asp-drop" command and monitor the increasing number when passing the port 2000 traffic to get the error code; that could give a hint on what is causing the traffic drop.

Don't forget to clear the counter before beginning: "clear asp-drop"

You can also capture the dropped traffic using the capture asp-drop command:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/c1_711.htm#wp2025431

Hope that this helps.

Shadi'

New Member

Re: PIX515 to PIX525 migrate problem

Shadi,

Thanks for your reply, but we have the situation fixed now. The application I was using to upload files from outside the f/w to a machine on the inside used port 2000. We had port 2000 in the global inspection rules under skinny.

There was another issue with sip as well.

Removing the lines:

inspect skinny

inspect sip

from the global policy allowed the traffic to flow properly. Somehow, because the originating traffic was from the outside, the inspection engine dropped it because of the handling of those ports.
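
Added example, not part of the original thread and not Cisco code: a small Python audit that flags ACL permits whose destination port is also claimed by an enabled inspection engine, which is the collision described in the post above. The sample config is constructed from the lines quoted in the thread, and the port table assumes the engines match on their default ports (skinny on tcp/2000, sip on tcp and udp/5060).

```python
import re

# Default ports of the two inspection engines named in the thread
# (assumption: they are applied through the stock default-inspection class).
INSPECT_DEFAULT_PORTS = {
    "skinny": {("tcp", 2000)},
    "sip": {("tcp", 5060), ("udp", 5060)},
}

# Constructed sample config, modelled on the lines quoted in the thread.
SAMPLE_CONFIG = """\
access-list OUT_to_IN extended permit tcp object-group Zap2it_host host 10.10.10.22 eq 2000
access-list OUT_to_IN extended permit tcp any host 10.10.10.30 eq 443
access-group OUT_to_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect skinny
  inspect sip
service-policy global_policy global
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(tcp|udp)\s+.*\beq\s+(\S+)\s*$")
INSPECT_RE = re.compile(r"^\s+inspect\s+(\S+)")

def enabled_inspections(config):
    """Return the protocol name of every 'inspect <proto>' line in the config."""
    return {m.group(1) for line in config.splitlines() if (m := INSPECT_RE.match(line))}

def find_collisions(config):
    """Return (acl, proto, port, engine) for each permit an inspection engine will also parse."""
    engines = enabled_inspections(config)
    hits = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or not m.group(3).isdigit():
            continue  # not a permit with a numeric destination port
        acl, proto, port = m.group(1), m.group(2), int(m.group(3))
        for engine in sorted(engines):
            if (proto, port) in INSPECT_DEFAULT_PORTS.get(engine, set()):
                hits.append((acl, proto, port, engine))
    return hits

if __name__ == "__main__":
    for acl, proto, port, engine in find_collisions(SAMPLE_CONFIG):
        print(f"{acl}: {proto}/{port} is also handled by 'inspect {engine}'")
```

A hit means the permitted application must actually speak that protocol; otherwise move the application to another port or exclude it from inspection, as the poster did by removing the inspect lines.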
