Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

XE (ASR & 4K) - FAQ (NAT/FW/HA)

 

 

ASR-NAT

 

Is it possible to configure custom timeout values per IP/port for NAT in ASR1000?

This is possible on our ASA/FWSM platform to configure timeout for certain host or subnet for specific traffic but not on the ASR. What can be done on the ASR is shown below:

kusankar-ASR1002(config)#ip nat translation ?
   dns-timeout Specify timeout for NAT DNS flows
   finrst-timeout Specify timeout for NAT TCP flows after a FIN or RST
   icmp-timeout Specify timeout for NAT ICMP flows
   max-entries Specify maximum number of NAT entries
   port-timeout Specify timeout for NAT TCP/UDP port specific flows
   pptp-timeout Specify timeout for NAT PPTP flows
   routemap-entry-timeout Specify timeout for routemap created half entry
   syn-timeout Specify timeout for NAT TCP flows after a SYN and no
     further data
   tcp-timeout Specify timeout for NAT TCP flows
   timeout Specify timeout for dynamic NAT translations
   udp-timeout Specify timeout for NAT UDP flows

kusankar-ASR1002(config)#ip nat translation port-timeout tcp 8080 300 

 

Is HA available for NAT?

Yes, please refer this link: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-ha.html#GUID-F60EC838-394E-4D25-A4DA-F21FE3499664

 

Does XE support VRF aware NAT?

Yes, please refer this link: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-match-vrf.html

 

Does the ASR support PAP (Paired Address Pooling)

Yes.

The ability of Network Address Translation (NAT) to consistently represent a local IP address as a single global IP address is termed paired address pooling. Paired address pooling is supported only on Port Address Translation (PAT).

please check this link: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-addr-pool.html

    Device# configure terminal
    Device(config)# ip nat settings pap
    Device(config)# ip nat pool net-208 192.168.202.129 192.168.202.158 netmask 255.25    5.255.240
    Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255
    Device(config)# ip nat inside source list 1 pool net-208 overload
    Device(config)# interface gigabitethernet 0/0/1
    Device(config-if)# ip address 10.114.11.39 255.255.255.0
    Device(config-if)# ip nat inside
    Device(config-if)# exit
    Device(config)# interface gigabitethernet 0/1/2
    Device(config-if)# ip address 172.16.232.182 255.255.255.240
    Device(config-if)# ip nat outside
    Device(config-if)# end

 

List of NetFlow collectors supported by Cisco to work with HSL

Cisco is working with partners like Lancope and ActionPacked. You can see a list of free NetFlow collectors that are supported by Cisco here:

http://www.cisco.com/en/US/prod/iosswrel/ps6537/ps6555/ps6601/networking_solutions_products_genericcontent0900aecd805ff72b.htm

ASR HSL: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-data-fw-hsl.html

ASR HSL with VRF: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book/iadnat-hsl-vrf.html

 

 

Can XE NAT a range of ports like the ASA does? (Static NAT for a Range of Ports)

No, not at the time of this writing (Jan 2014). This is not supported in XE3.1x or earlier. Check with product marketing about roadmap status

 

Throughput of an ASR / ESP with FW / NAT services enabled

Why Cisco ASR:

ASR Security Data Sheet:

 

Is VRF aware NAT64 supported on XE?

Neither vrf aware nat64 nor vrf aware nat46 are supported at the time of this writing (Jan 2014).

 

NAT64 Is there a way to turn off NAT ALGs for specific subnet and not globally?

Currently we only provision enabling/disabling of ALGs globally.

 

Is there a MIB to get the ip nat statistics?

Not at this time. However, there is an enhancement request filed CSCdr25202. Please reach out to the account team and have them drive this.

 

NAT for overlapping addresses

Use Network Address Translation (NAT) to translate IP addresses if the IP addresses that you use are neither legal nor officially assigned. Overlapping networks result when you assign an IP address to a device on your network that is already legally owned and assigned to a different device on the Internet or outside the network.

Please refer this link: CHAPTER 1 Address Translation of Overlapping Networks Page 8

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book.pdf

 

NAT for overlapping addresses using match-in VRF

The Match-in-VRF Support for NAT feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-VPN

NAT, both the local and global address spaces for end hosts are isolated to their respective VPNs, and as a result, the translated addresses for the hosts overlap each other. The Match-in-VRF Support for NAT feature helps separate the address space for translated addresses among VPNs.

Please refer this link: CHAPTER 22 Match-in-VRF Support for NAT 311

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book.pdf

What is the order of operation for the following features ACL, NAT, ZBF?

IN to OUT order:
ACL in on the interface >> ZBF >> NAT >>ACL out on the interface

OUT to IN order:
ACL in on the interface >> NAT >> ZBF >> ACL out on the interface.

There is no reason to configure interface based ACL in addition to ZBF. Be very careful when using interface ACLs with ZBF since ZBF cannot modify the interface ACLs to add pin-holes.

 

ASR-ZBFW

 

Can multiple Firewall instances be created on the ASR1000?

There is no virtual context concept on the ASRs/ISRs like we do on the PIX/ASA/FWSM platform but what we can do is is apply separate zone-pair policy for different pairs of VRFs. Check this link: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/vrf-aware-fw.html

 

Do we support transparent mode firewall?

Starting XE 3.15 (March 2015) and above XE will support transparent firewall.

Refer this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/zbfw-l2-transp-fw.html

 

How many class-maps and policy-maps can the unit support?

Refer this link: http://www.cisco.com/en/US/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/asr1000/qos-apply.html

 

How many zones and zone pairs does the ASR support?

 

Will ACLs tied to ZBF and QoS show hit count? If so when?

Yes, ACLs tied to ZBF and QoS will show hit count starting XE 3.13 and above.

 

When is object-group based ACL coming out?

Support for this was added in XE 3.12 (March 2014).

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-zbf-ogacl.html

 

Need information about TCP intercept feature on ASR.

This feature is called SYN cookie protection. This only helps TCP traffic. More details here: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/conf-fw-tcp-syn-cookie.html

 

Mitigation techniques against various attacks

Refer this link regarding various attacks: https://supportforums.cisco.com/docs/DOC-38900

Attack Details

ARP FloodZBF does not inspect ARP packets
Evasive UDP

ZBF has no mechanism for supporting evasive udp session establishment detection

LAND Attack

ZBF doesn’t detect it, but enabling RPF should catch it.

Ping Of Death

System should simply handle it no ZBF needed

Random Unreachable Host

We do verify that a session exists before allowing icmp error messages through.

RST Flood

First we ensure that the TCP packet is within the window. Then we mark the flow as closed, so additional RSTs don’t get through, but the firewall session may stick around (TBD) since we continue to get packets for the flow (even though we drop them.)

Smurf

Anything with a bogus source address should be caught by RPF

SYN FloodSYN Cookie Protection
TCP Port Scan

IPS/IDS

Tear Drop

VFR (which ZBF enables by default)

UDP Flood

We support QOS, but it is not flow aware, or ZBF will only allow so many packets to be processed at one time for a given flow.

UDP Port Scan

IPS/IDS

Host Unreachable

IPS/IDS All ZBF does is look up the session to see if it is valid.

Xmas Tree

No support. We just verify that options are valid. No way to strip or deny options. (although interface ACLs might be able to be used to deny)

 

What is the behavior of the router as the number of connections nears and then eventually reaches the connection table limit ?

We clear out the idle half open sessions. This is for both udp and tcp. The idea is if we have a bunch of half open sessions and we start doing aggressive aging, the oldest 1/2 open (the one idle the longest) will likely be freed up first. When we run out, we drop packets. When aggressive aging is enabled (or disabled) we spit out a syslog alert message.

FW-4-ALERT_ON

What alerting options are there as the router nears and then eventually reaches its connection limit?

Anytime we drop the packet, we report a syslog message which is rate limited to one dropped message every 30 seconds.  These messages are severely rate limited.

FW-6-DROP_PKT

FW-4-ALERT_ON

FW-4-SESSIONS_MAXIMUM

FW-4-SESSIONS_MAXIMUM

Refer HSL document here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-data-fw-hsl.html

What options are there to detect or alert on state table exhaustion?

Watch for the syslog messages.

FW-4-SESSIONS_MAXIMUM

Refer HSL document here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-data-fw-hsl.html

List of L-7 inspections supported by the ASR

FTP, H323, RTSP, SCCP, SIP, TFTP, RCMD, LDAP(NAT only), DNS (NAT, no deep packet inspection), SMTP/ESMTP, POP3, IMAP, SUNRPC, GTPv1, GTPV2, PPTP(NAT only) are supported.

Please refer this external link: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-fw-hsl.html   (search for ALG)

 

Mangement Tool to configure and maintain ASR

Prime Infrasturcture can be used to manage ASRs. You can read more about it here:

PI - Ordering Information: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-infrastructure/guide_c07-729223.html

PI - Configuration: http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/2-0/configuration/guide/pi_20_cg.html

 

Ordering Router Feature Licenses

Please refer to this link regarding ordering router feature licenses: http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/product_bulletin_c07-448862.html#wp9002740

 

ASR-HA

 

Do the configs sync between the two units?

Stateful Inter-chassis redundancy does not support router config sync.

 

Do both units need to be same hardware and software?

No. They could be different hardware; one ASR1001 and one ISR 4431 running the same XE image should be good for inter-chassis failover. Please check the prerequisite here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/conf-fw-stateful-inter-chassis.html#GUID-8F98E1DB-91D5-4AC3-84A9-3451CA8631EF

Same software on both units is mandatory.

 

What does active/avtive HA mean?

The way active-active inter-box firewall redundancy works is that,

  • There are 2 RGs configured on each box,
  • Group A is standby and Group B is active on the Device 1.
  • Group A is active and Group B is standby on the Device 2.
  • Each RG should be configured for different ingress-egress interface pairs.
  • The traffic passing through the 2 boxes should belong to different flows. Packet belongs to 1 flow must go through 1 box only, more precisely one RG.
  • ZBFW sessions can only belong to 1 RG.

The active/active is, in fact, referring 2 different flows.

Please read here for additional information:http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-stateful-int-chass.html#GUID-799993C7-4264-4B31-B787-FE809DC80DAE

 

 

Asymmetry Routing

 

What happens when standby unit receives packets on the WAN int when its LAN int is shut down?

When the standby unit receives packets on its WAN interface, it does a route lookup and that fails due to the LAN interface being down. There is no reason for it to do route lookup it should send the packets over to the active unit and have it do the route look up. This is to be expected because Route lookup happens before AR. AR is a feature in FW, FW is an egress feature.

The key point here is that we need to make sure when LAN interface is down or deleted, a valid route still exists so FW can find RG from an egress interface and perform proper Asymmetric routing task. So we need to check your routing table on the standby ASR1K, make sure there is a route from WAN to LAN and the egress interface of this route has a proper RG configured.
 
The solution here is to add an additional L3 point to point link between the 2 routers and put these 2 interfaces as the same RG group and same security zone as the LAN interface that fails on the standby router (R2).

 

 

Is Asymmetry on both sides supported?

No, it is not. The only topology that is supported is B2B on the LAN side and Asymmetry on the WAN side. We do not support AR (asymmetry routing) on both WAN and LAN sides.

 

Traffic arriving on a 3rd interface besides the two that built the connection - supported?

No, If the connection was built between LAN-WAN zone-pair and if some packets belonging the same flow ends up between WAN to WAN zones it will be dropped. Traffic arriving on a different interface than the pair of interfaces that built the connection is not supported and will be considered malicious and dropped. When traffic comes into ZBFW, the packet is checked against the existing session table. If this session matches what is in the table, we will try to forward the traffic through that existing session. This session matching overwrites the PASS policy that is configured on the interface.

 

Could one configure both inter and intra chassis HA?

No, this is not supported. Coexistence of interbox high availability (HA) and intrabox HA is not supported. Please refer this link for additional information: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/conf-fw-stateful-inter-chassis.html#GUID-A82FC656-1E00-4A5B-AB41-68C64D4DC1D3

 

What are some restrictions when configuring asymmetry routing with HA?

  • Asymmetric routing over Multiprotocol Label Switching (MPLS) and VPN is not supported prior to XE 3.14.
  • LANs that use virtual IP addresses and virtual MAC (VMAC) addresses do not support asymmetric routing.
  • VPN routing and forwarding (VRF) is not supported prior to XE 3.14.

 

What are some Restrictions for Firewall Stateful Inter chassis Redundancy?

  • Multiprotocol Label Switching (MPLS) is not supported.
  • LAN and MESH scenarios are not supported.
  • Cisco ASR 1006 and Cisco ASR 1013 platforms with dual Embedded Services Processors (ESPs) or dual Route Processors (RPs) in the chassis are not supported, because coexistence of interbox high availability (HA) and intrabox HA is not supported. Cisco ASR 1006 and Cisco ASR 1013 platforms with single ESP and single RP in the chassis supports interchassis redundancy.
  • If the dual IOS daemon (IOSd) is configured, the device will not support the firewall Stateful Interchassis Redundancy configuration.

Please refer this link for additional information: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/conf-fw-stateful-inter-chassis.html#GUID-A82FC656-1E00-4A5B-AB41-68C64D4DC1D3

 

Are http sessions replicated to the standby unit?

By default, Network Address Translation (NAT) high availability (inter and intrabox) does not replicate HTTP sessions to the standby device. To replicate HTTP sessions on the standby device during a switchover, you must configure the ip nat switchover replication http command.

Please refer this link: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-stateful-int-chass.html#GUID-9724F9F2-7C28-4FBB-8916-6234063FFF04

 

Can the standby unit also process packets for the same flow as the active unit?

By default, when asymmetric routing is configured, Network Address Translation (NAT) processes non-ALG packets on the standby RG, instead of forwarding them to the active. The NAT-only configuration (that is when the firewall is not configured) can use both the active and standby RGs for processing packets.

You can configure the asymmetric-routing always-divert enable command to divert packets received on the standby RG to the active RG.

Please refer this link for more information: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/sec-data-asym-route.html#GUID-6399763F-7B18-4F8C-8C89-16CB86A3E6BB

 

What are some show commands to troubleshoot HA?

show redundancy application group 1
show redundancy rii
show redundancy application control-interface group 1
show redundancy application data-interface group 1
show policy-firewall session zone-pair <ZP> ha

 

Two RGs per interface - is this supported?

No, this is presently not supported. Only one RG per interface.

An asymmetric routing interface can receive traffic from and send traffic to multiple RGs. For non asymmetric interface (normal LAN interface) - 1:1 mapping exists between the interface and an RG.

 

Can the control and data interface be part of a zone?

No, control and data interface should not be part of any zone. This will cause COLD-BULK situation when zone-members are part of connections for which there is no rii group.

 

When the control link breaks both units go active. Is there any way out of this situation?

This is expected behavior. Even if the LAN interfaces are fine, when control interface breaks both units will go active. The workaround for this situation is to configure both control and data interfaces off of a port channel. They can use backup Ethernet connections if one of them fail. In this case both FE0/2/0 and FE0/2/3 both have to go down for the units to both go active.

redundancy
   mode none
     application redundancy
      group 1
      name chand1
      preempt
      priority 250 failover threshold 155
      control Port-channel1.4011 protocol 1
      data Port-channel1.4012
   
 interface Port-channel1
    no ip address
    interface Port-channel1.4011
    encapsulation dot1Q 4011 primary FastEthernet0/2/0 secondary FastEthernet0/2/3
    ip address 10.7.7.1 255.255.255.0

 interface Port-channel1.4012
    encapsulation dot1Q 4012 primary FastEthernet0/2/3 secondary FastEthernet0/2/0
    ip address 10.4.4.1 255.255.255.0
 
interface FastEthernet0/2/0
    no ip address
    negotiation auto
    channel-group 1   

interface FastEthernet0/2/3
    no ip address
    negotiation auto
    channel-group 1

 

Can "redundancy group" and "asymmetry routing" be configured under the same interface?

No. RG and asymmetry should not be combined under one interface. RG interfaces will be used to replicate connections but asymmetric interface will not.

 

Should the RII be unique?

Yes. The pairs of redundant interfaces are configured with the same unique ID number known as the redundant interface identifier (RII). Please refer to this link for additional information: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-stateful-int-chass.html#GUID-799993C7-4264-4B31-B787-FE809DC80DAE

ASR HA Sample Config

redundancy
 mode none
 application redundancy
  group 1
   name rg1
   preempt
   priority 130
   control GigabitEthernet0/0/2.501 protocol 1
   data GigabitEthernet0/0/2.502
  protocol 1
   name rg1
   timers hellotime msec 500 holdtime msec 1500
   authentication text cisco
!

interface GigabitEthernet0/0/2.501

 description control link
 encapsulation dot1Q 501
 ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet0/0/2.502

 description data link
 encapsulation dot1Q 502
 ip address 192.168.1.5 255.255.255.252

!

interface Port-channel1.90
 description LAN
 encapsulation dot1Q 90
 ip address 10.3.0.6 255.255.255.0
 .

 .
 redundancy rii 2
 redundancy group 1 ip 10.3.0.5 exclusive decrement 10

!

interface GigabitEthernet0/0/3.555
 description INET
 encapsulation dot1Q 555
 ip address X.X.X.59 255.255.255.192
 .

 .
 redundancy rii 1
 redundancy group 1 ip X.X.X.61 exclusive decrement 20

 

 

redundancy
 mode none
 application redundancy
  group 1
   name rg1
   preempt
   priority 120
   control GigabitEthernet0/0/2.501 protocol 1
   data GigabitEthernet0/0/2.502

 protocol 1
   name rg1
   timers hellotime msec 500 holdtime msec 1500
   authentication text cisco

interface GigabitEthernet0/0/2.501

  description control link
 encapsulation dot1Q 501
 ip address 192.168.1.2 255.255.255.252
!
interface GigabitEthernet0/0/2.502

 description data link
 encapsulation dot1Q 502
 ip address 192.168.1.6 255.255.255.252

interface Port-channel1.90
 description LAN
 encapsulation dot1Q 90
 ip address 10.3.0.7 255.255.255.0
 .

 .
 redundancy rii 2
 redundancy group 1 ip 10.3.0.5 exclusive decrement 10

!

interface GigabitEthernet0/0/3.555
 description INET
 encapsulation dot1Q 555
 ip address X.X.X.62 255.255.255.192
 .

 .
 redundancy rii 1
 redundancy group 1 ip 72.249.13.61 exclusive decrement 20

 

 

 

 

Version history
Revision #:
2 of 2
Last update:
‎08-29-2017 12:04 AM
Updated by:
 
Labels (1)
Contributors
Comments
New Member

Hi Poonguzhali,

I have been reading that ASR Firewall Stateful Interchassis Redundancy does not support:


LAN and WAN scenarios are not supported.

LAN and MESH scenarios are not supported.

But I don't find any clarity on what exactly these scenaros are. Can you please give some details?