Introduction
During the live event you will learn how to troubleshoot common problems that firewall administrators encounter on a daily basis in regards to Adaptive Security Appliances (ASAs), Private Internet Exchange (PIX), and Firewall Services Modules (FWSMs) with Cisco expert Kureli Sankar. The event will include a live demonstration.
Kureli Sankar is an engineer who supports Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco ASA, FWSM, Cisco Security Manager, Content Security and Control (CSC) Security Services Module, and the zone-based firewall module in Cisco IOS® software. Before she joined Cisco, Sankar worked for the John Morrell Co. where she was the network administrator in charge of the company's enterprise network, which covered 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, where she taught undergraduate-level networking courses. Sankar holds a degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security (#35505) certifications.
Webcast related links:
General Questions
Q. We want to migrate from FWSM to ASA. What are the common issues found in this migration and what are the steps?
A. To migrate from FWSM to ASA, there is a migration tool available to convert and copy the configuration. For a major upgrade, Cisco recommends to open a Technical Assistance Center (TAC) case and ask a TAC engineer further questions.
Q. Will Cisco end support for release 8.2.x any time soon?
A. No end-of-support plans have been announced for release 8.2. The team still actively receives updates.
Q. Is it possible to look at both the object network and the Network Address Translation (NAT) statement associated with it with a single command?
A. Yes, it is possible with the show run nat command. However, there are some issues. For example, if you need to do a Port Address Translation (PAT) for a server for port 80,443,25, five different objects must be created for all the ports the server listens on.
Q. With dynamic PAT, we map many-to-one IP addresses like the inside network is mapped to one IP address on the outside interface. Is it possible to configure or map many-to-many IP addresses like we configure on the router?
A. Yes. It is possible with the help of dynamic NAT, but it has to map one-to-one.
Q. For a dynamic PAT and specific destination, do I need to refer to a specific subnet mask for the destination through the network object group? Could it be a range of IP addresses or must it be a subnet?
A. If it is just one host on the destination, you would not use an object group. If it is one destination, you would use an object and configure a host under the object. If it is a whole subnet, the content of the object would be a subnet instead of a host.
Q. What are the steps to troubleshoot the high CPU utilization on ASA or FWSM?
A. I covered this issue in my last webcast in 2010.
The recording from this webcast is located at this URL: https://supportforums.cisco.com/videos/1075
The FAQ for this webcast is located at this URL: https://supportforums.cisco.com/docs/DOC-14443
Q. We want to determine if the services are currently running on the server, which is directly connected to interface of the firewall. Is there a command such as "telnet 10.10.10.1 80", which we generally use on the switch or the router?
A. Telnet from the firewall is simply not allowed, since it is a security device. You can use an adjacent router, switch, or PC to telnet from the run line to ensure the server listens.
Q. Why would you want to use Twice NAT? Most external sites change IP addresses daily, especially Google.
A. For example, there is a remote network with an IPsec tunnel between 2 ASAs and both networks use the 10.10.10.0 range. You want to change what you look like when you reach the remote network. You also want the remote network to look like somebody else when it tries to reach you. This is the reason you use Twice NAT.
Q. What do we understand from the command "http redirect INSIDE https"? Does this convert all pages to https generated from inside the interface ?
A. The packet is redirected from port 80 to port 443.
Q. Can I download the slides later?
A. Yes, you can download the slides at any point from this URL: https://supportforums.cisco.com/docs/DOC-29170
Q. Does Cisco plan to end support for release 8.2.x any time soon?
A. No end-of-support plans have been announced for release 8.2. The team still actively receives updates.
Q. Will this webcast be recorded?
A. Yes, this webcast is recorded and will be posted in the Support Community in approximately 5 days. Users will find it at this URL:
https://supportforums.cisco.com/community/netpro/ask-the-expert/webcasts
Q. Is there a command to determine whether the Access Control List (ACL) consumes more CPU than any other process?
A. Yes, you can enter the show processes command.
Q. Static (inside,inside) 14.36.90.210 10.55.16.2 and static (inside, inside) 10.55.16.2 14.36.90.210, but I am confused on the last resolution. Did you take out all lines of configuration and just replace the first with the solution that adds DNS?
A. 'Static (inside,inside) 14.36.90.210 10.55.16.2' means that packets destined to 14.36.90.210 will have their destination IP address changed to 10.55.16.2. However, 'static (inside,inside) 10.55.16.2 14.36.90.210' matches packets destined to 10.55.16.2. When the 'dns' keyword is added to doctor the DNS, the (inside,inside) static statements are not needed to pass traffic.
Q. Do you have any suggestions on how to troubleshoot IPsec tunnels with non-Cisco devices?
A. The common issues seen with non-Cisco devices are RFC compliance, rekey operations, timers, isakmp identity usage, proxy ID negotiation, and so on. The best way to start is to make sure your proxy IDs match, that the phase 1 and phase 2 proposals match, and so on. After that, debugs are looked at to see where and why the tunnel fails. The debug crypto isakmp and debug crypto ipsec commands are very useful. You can increase the debug level to 10, 120 and so on based on what you troubleshoot. The debugs can also be filtered for specific peers.
Q. What is the difference between default deployment and aggressive deployment of IPS?
A. There are two deployment modes for Intrusion Prevention System (IPS), inline mode and promiscuous mode. With inline mode, you will inspect all the data received by your network devices (Firewall or switch using SPAN configuration). With promiscuous mode, you will receive just a copy of this data.
You can obtain more details about the GC modes at this URL: https://supportforums.cisco.com/docs/DOC-26810
- Standard—Has a moderately aggressive effect on deny actions. This is the default.
- Aggressive—Has a very aggressive effect on deny actions.
Q. How does the per-client-max and per-client-embryonic-max commands work in release 8.3+ code? For example, if I have a like below class class-conn-param-tcp-02 set connection per-client-max 1000 per-client-embryonic-max 1000?
A: Connection limits are still configured using the set connection command in release 8.3 and later. Yes, that's correct. If the concurrent count drops to 999, the client will then be allowed to generate 1 additional connection at that point.
Q. Does Cisco AnyConnect support nearest gateway selection method? That is, if there are 10 VPN gateways, can a Cisco AnyConnect client determine the nearest gateway based on ping response time and further establish a connection to it?
A. Yes, we support this using Optimal Gateway Selection (OGS). Please refer to the document at this URL: https://supportforums.cisco.com/docs/DOC-15326. An OGS cache is maintained on the client to choose the optimal gateway.
Q. Is Windows 8 also in the supported platforms list? I don't see it in the documentation. Is there a roadmap for including Windows 8 as well?
A: Support for Windows 8 is currently limited. Please refer to the document at this URL:
Q.Is it correct that there is not a concept like default/aggressive in Cisco IPS, only inline & promiscuous?
A: We have both concepts, standard/aggressive/permissive is for Global correlation inspection modes and the inline/promiscuous is for IPS implementation modes.
Q. Is there a tool we can use to measure the bandwidth (BW) of a line? We made a line upgrade from 2 MB to 10 MB, but when we do a speed test it is not reflected. The page we used to measure it is speedtest.net.
A: To have real information about the measurement of your BW line, use wireshark and run a packet capture. Then, start a download of a large file from the outside. Once you have started that, go to Statistics > IO Graphs and change the unit to Bytes/Tick. Then you will see the maximum bandwidth you hit. You can complete the same scenario for upload BW.
ASA
Q. Does the packet tracer in Cisco ASA Adaptive Security Device Manager (ASDM) show if this could be an Address Resolution (ARP) issue?
A: It does not indicate that it is an ARP issue. The packet tracer does not tell you whether you have a MAC address entry for the next hop.
Q. Do you have any recommendations or best practices to log on to ASA firewalls?
A: We do not have any best practices. It all depends on the traffic that your firewall will process and what you think is relevant information you need to capture and save or archive from the firewall. As a TAC engineer we want to see all the information when we troubleshoot, so we enable debug level logs and buffer logs.
Q. Why can't Cisco ASA do equal load balancing with eigrp in different interfaces and will it be possible in the future?
A: No plans for this support have been announced. Please contact your Cisco account representative to discuss the future roadmap and request support for new features.
Q. Does version 9.x require a hardware upgrade on ASA 5510, for example RAM?
A: Yes, a hardware upgrade is required. Expert will provide the link which will give more information.
Q. Does the ASA stop the creation of translations (xlates) if it receives more that 1000 connections from a single source IP address? This is if the connection limits are set as described in my previous question.
A: Connection limits do not directly limit xlate creation. However, since a single source IP address is limited to 1000 connections, that source will not be able to allocate more than 1000 xlates.
Q. Will the ASA support Border Gateway Protocol (BGP) lke Dynamic Router in the future?
A: No plans for this support have been announced. Please contact your Cisco account representative to discuss the future roadmap and request support for new features.
Q. Why was release 8.3 not a major upgrade since it has so many NAT changes?
A: This was a decision made by the ASA business unit when the release schedule was set.
Q. What are the known problems you upgrade from version 8.4.1 to 9.0(1) ?
A: The upgrade generally goes smoothly. Known issues are listed in the "Open Caveats" section of the 9.0 Release Notes located at this URL:
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html
Q. What other new features are present with Cisco ASA release 9.x?
A: New features are listed in the 9.0 Release Notes located at this URL: http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html
Q. Is a similar tool being discussed to upgrade from versions of ASA to a higher version?
A. There is no single tool for this. It is best to test the upgrade in a lab or open a TAC case for assistance to understand any configuration or syntax changes during the upgrade.
Q. I was missing IPv6! Does Cisco support the collaboration security with IPv6?
A: Yes, the ASA supports IPv6. Please refer to the configuration guide for examples:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/asa_90_cli_config.html
Q. I have an ASA that does firewall and Remote Access VPN. It has an SSL certificate installed and it works well. I added another ASA to create an active/standby failover pair. Now we get certificate errors when the new ASA is the active one. How do I fix that?
When you add a standby firewall to the failover cluster, it is necessary to enter a write standby command, such that the RSA keys and certificates are carried over to the standby firewall. After that is complete, enter the show crypto ca trustpoint command to verify that the trustpoint is authenticated. If not, ensure you have the complete certificate chain. Look at the certificate to see what the Subject name and other fields are set to. What kind of errors do you see when the new firewall is active. Does the certificate use an FQDN or IP address in the CN or SAN?
Q. When we enter the 'show run nat' command, we see the object network name of the object. Net line shows the NAT statement, but it does not show the host defined under that object. Is it possible to see the host associated with the object and the NAT?
A: You can enter the show nat detail command to view the object names and contents in a single output.
Related Information
Pre 8.3 NAT order of operation
All you need to know about 8.3 upgrade
Before and after NAT config samples
ASA 8.3 Asymmetric NAT rules matched for forward and reverse flows
Global Correlation white paper
Failover pair Zero downtime code upgrade
FWSM release note link for 4.1
Scan Safe Web Security Configuartion
Cisco ASA CX Context-Aware Security