Is it possible to configure custom NAT timeout values per IP/port on the ASR1000?
On our ASA/FWSM platforms it is possible to configure a timeout for a certain host or subnet and for specific traffic, but not on the ASR. On the ASR the timeouts are global per protocol/port, not per host. What can be done on the ASR is shown below:
kusankar-ASR1002(config)#ip nat translation ?
dns-timeout Specify timeout for NAT DNS flows
finrst-timeout Specify timeout for NAT TCP flows after a FIN or RST
icmp-timeout Specify timeout for NAT ICMP flows
max-entries Specify maximum number of NAT entries
port-timeout Specify timeout for NAT TCP/UDP port specific flows
pptp-timeout Specify timeout for NAT PPTP flows
routemap-entry-timeout Specify timeout for routemap created half entry
syn-timeout Specify timeout for NAT TCP flows after a SYN and no
tcp-timeout Specify timeout for NAT TCP flows
timeout Specify timeout for dynamic NAT translations
udp-timeout Specify timeout for NAT UDP flows
kusankar-ASR1002(config)#ip nat translation port-timeout tcp 8080 300
This sets a 300-second translation timeout for TCP port 8080. Because the port-timeout is keyed on protocol and port only, it applies to every host that uses that port.
The ability of Network Address Translation (NAT) to consistently represent a local IP address as a single global IP address is termed paired address pooling. Paired address pooling is supported only on Port Address Translation (PAT).
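To make the definition concrete, here is an added Python model (written for this page, not Cisco code) of a PAT pool with and without paired address pooling. The pool addresses, the port range, the round-robin choice for the unpaired case, and the assumption that a paired host whose pinned address has run out of ports fails rather than spilling onto a second address are all constructed for the illustration; they are not the ASR's actual allocation algorithm.

```python
from typing import Dict, List, Optional, Tuple

# Constructed flow key: (proto, local_ip, local_port, remote_ip, remote_port)
FlowKey = Tuple[str, str, int, str, int]


class PatPool:
    """Toy PAT address pool.

    paired=True : every local IP is pinned to one global IP (paired address pooling).
    paired=False: each new translation takes any free port on any pool address
                  (assumed round-robin), so one host may appear as several global IPs.
    """

    def __init__(self, global_ips: List[str], port_lo: int, port_hi: int, paired: bool) -> None:
        self.global_ips = global_ips
        self.paired = paired
        self.free: Dict[str, List[int]] = {g: list(range(port_lo, port_hi + 1)) for g in global_ips}
        self.pair: Dict[str, str] = {}                 # local IP -> pinned global IP
        self.xlate: Dict[FlowKey, Tuple[str, int]] = {}  # flow -> (global_ip, global_port)
        self._rr = 0

    def _candidates(self, local_ip: str) -> List[str]:
        if self.paired:
            if local_ip not in self.pair:
                # Pin the host to the first pool address that still has free ports (assumption).
                for g in self.global_ips:
                    if self.free[g]:
                        self.pair[local_ip] = g
                        break
                else:
                    return []
            return [self.pair[local_ip]]
        # Unpaired: rotate through the pool so the spread across addresses is visible.
        order = self.global_ips[self._rr:] + self.global_ips[:self._rr]
        self._rr = (self._rr + 1) % len(self.global_ips)
        return order

    def translate(self, flow: FlowKey) -> Optional[Tuple[str, int]]:
        """Return (global_ip, global_port) for a flow, allocating on first sight; None if exhausted."""
        if flow in self.xlate:
            return self.xlate[flow]
        for g in self._candidates(flow[1]):
            if self.free[g]:
                self.xlate[flow] = (g, self.free[g].pop(0))
                return self.xlate[flow]
        return None  # assumption: a paired host is not spilled onto another address


def global_ips_seen(pool: PatPool, local_ip: str) -> List[str]:
    """Which global addresses the outside world sees for one inside host."""
    return sorted({g for flow, (g, _) in pool.xlate.items() if flow[1] == local_ip})


def run_demo() -> dict:
    """Constructed traffic: one inside host opens four flows against a 2-address, 3-port pool."""
    pool_ips = ["203.0.113.1", "203.0.113.2"]
    flows = [("tcp", "10.0.0.5", 40000 + i, "198.51.100.10", 443) for i in range(3)]
    paired = PatPool(pool_ips, 1024, 1026, paired=True)
    unpaired = PatPool(pool_ips, 1024, 1026, paired=False)
    for f in flows:
        paired.translate(f)
        unpaired.translate(f)
    fourth = ("tcp", "10.0.0.5", 40003, "198.51.100.10", 443)
    return {
        "paired_ips": global_ips_seen(paired, "10.0.0.5"),      # one address only
        "unpaired_ips": global_ips_seen(unpaired, "10.0.0.5"),  # host spread over both
        "paired_fourth": paired.translate(fourth),              # pinned address exhausted
        "unpaired_fourth": unpaired.translate(fourth),
    }


if __name__ == "__main__":
    print(run_demo())
```

The paired case is what the ASR provides under PAT: the inside host is always seen as 203.0.113.1, and once that address's ports are gone the fourth flow gets no translation. The unpaired case shows why some applications misbehave without it: the same host surfaces as both pool addresses.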
NAT64: neither VRF-aware NAT64 nor VRF-aware NAT46 is supported at the time of this writing (Jan 2014).
Is there a way to turn off NAT ALGs for a specific subnet rather than globally?
Currently we only provision enabling/disabling of ALGs globally; there is no per-subnet control.
Is there a MIB to get the ip nat statistics?
Not at this time. However, there is an enhancement request filed, CSCdr25202. Please reach out to the account team and have them drive it.
NAT for overlapping addresses
Use Network Address Translation (NAT) to translate IP addresses if the addresses you use are neither legal nor officially assigned. Overlapping networks result when you assign an IP address to a device on your network that is already legally owned by and assigned to a different device on the Internet or outside your network.
Please refer to this link: CHAPTER 1 Address Translation of Overlapping Networks Page 8
The Match-in-VRF Support for NAT feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-VPN NAT, both the local and global address spaces for end hosts are isolated to their respective VPNs, and as a result the translated addresses for the hosts overlap each other. The Match-in-VRF Support for NAT feature separates the address space for translated addresses among VPNs.
Please refer to this link: CHAPTER 22 Match-in-VRF Support for NAT 311
ZBF has no mechanism for supporting evasive udp session establishment detection
ZBF doesn’t detect it, but enabling RPF should catch it.
Ping Of Death
The system should simply handle it; no ZBF is needed.
Random Unreachable Host
We do verify that a session exists before allowing icmp error messages through.
First we ensure that the TCP packet is within the window. Then we mark the flow as closed so that additional RSTs don't get through; the firewall session may stick around (TBD), since we continue to get packets for the flow (even though we drop them).
Anything with a bogus source address should be caught by RPF
We support QoS, but it is not flow aware; nor does ZBF cap how many packets are processed at one time for a given flow.
UDP Port Scan
IPS/IDS. All ZBF does is look up the session to see if it is valid.
No support. We just verify that the options are valid; there is no way to strip or deny options (although interface ACLs might be usable to deny them).
What is the behavior of the router as the number of connections nears and then eventually reaches the connection table limit?
We clear out the idle half-open sessions, for both UDP and TCP. The idea is that if we have a lot of half-open sessions and we start doing aggressive aging, the oldest half-open session (the one idle the longest) will likely be freed up first. When we run out, we drop packets. When aggressive aging is enabled (or disabled) we emit a syslog alert message.
What alerting options are there as the router nears and then eventually reaches its connection limit?
Any time we drop a packet, we report a syslog message, rate limited to one dropped-packet message every 30 seconds. These messages are severely rate limited, so a count of messages is not a count of drops.
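As an added illustration of the behaviour described in the two answers above (a model written for this page, not Cisco code), the following Python session table evicts the longest-idle half-open session when full, drops packets once only established sessions remain, and rate-limits the drop message to one per 30 seconds. The 90%/80% watermarks, the idle timers, the message texts and the traffic are all assumptions of the model, not the ASR's real values, syslog mnemonics or internals.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport), constructed


@dataclass
class Session:
    key: FlowKey
    last_seen: float
    half_open: bool = True  # no return traffic yet (TCP handshake incomplete, UDP unanswered)


class SessionTable:
    """Toy ZBF session table; watermarks, timers and message texts are assumptions."""

    def __init__(self, limit: int, high_pct: int = 90, low_pct: int = 80,
                 normal_idle: float = 30.0, aggressive_idle: float = 1.0,
                 drop_log_interval: float = 30.0) -> None:
        self.limit = limit
        self.high = limit * high_pct // 100   # aggressive aging starts at this occupancy
        self.low = limit * low_pct // 100     # ...and stops again below this one
        self.normal_idle, self.aggressive_idle = normal_idle, aggressive_idle
        self.drop_log_interval = drop_log_interval
        self.sessions: Dict[FlowKey, Session] = {}
        self.syslog: List[Tuple[float, str]] = []
        self.aggressive = False
        self.drops = 0
        self._last_drop_log: Optional[float] = None

    def _update_aging_mode(self, now: float) -> None:
        """Log once on each transition, as the answer above describes."""
        n = len(self.sessions)
        if not self.aggressive and n >= self.high:
            self.aggressive = True
            self.syslog.append((now, "aggressive aging enabled"))
        elif self.aggressive and n <= self.low:
            self.aggressive = False
            self.syslog.append((now, "aggressive aging disabled"))

    def age(self, now: float) -> int:
        """Expire idle half-open sessions; the short timer applies in aggressive mode."""
        idle = self.aggressive_idle if self.aggressive else self.normal_idle
        stale = [k for k, s in self.sessions.items() if s.half_open and now - s.last_seen >= idle]
        for k in stale:
            del self.sessions[k]
        self._update_aging_mode(now)
        return len(stale)

    def _evict_longest_idle_half_open(self) -> bool:
        victims = [s for s in self.sessions.values() if s.half_open]
        if not victims:
            return False  # only established sessions left: nothing can be reclaimed
        del self.sessions[min(victims, key=lambda s: s.last_seen).key]
        return True

    def _log_drop(self, now: float) -> None:
        """One 'limit reached' message per interval, however many packets are dropped."""
        if self._last_drop_log is None or now - self._last_drop_log >= self.drop_log_interval:
            self.syslog.append((now, "session limit reached, packet dropped"))
            self._last_drop_log = now

    def packet(self, now: float, key: FlowKey, reverse: bool = False) -> bool:
        """Process one packet of flow `key`; `reverse` marks return traffic. True = forwarded."""
        sess = self.sessions.get(key)
        if sess is not None:
            sess.last_seen = now
            if reverse:
                sess.half_open = False  # reply seen: the session is now established
            return True
        if reverse:
            self.drops += 1             # return traffic without a session is dropped
            return False
        self.age(now)
        if len(self.sessions) >= self.limit and not self._evict_longest_idle_half_open():
            self.drops += 1
            self._log_drop(now)
            return False
        self.sessions[key] = Session(key, now)
        self._update_aging_mode(now)
        return True


def run_demo() -> dict:
    """Constructed scenario: a 10-entry table hit by a SYN scan, then a table full of established flows."""
    t = SessionTable(limit=10)
    good = ("tcp", "10.0.0.5", 40000, "198.51.100.10", 443)
    t.packet(0.0, good)
    t.packet(0.1, good, reverse=True)   # handshake completes: established
    scan = [("tcp", "203.0.113.7", 50000 + i, "198.51.100.10", 80 + i) for i in range(9)]
    for i, k in enumerate(scan):
        t.packet(1.0 + i * 0.01, k)     # nine unanswered probes fill the table
    after_scan = (len(t.sessions), t.aggressive)
    fresh_ok = t.packet(1.5, ("tcp", "10.0.0.6", 41000, "198.51.100.10", 443))  # evicts oldest probe
    evicted_first_probe = scan[0] not in t.sessions and good in t.sessions
    reclaimed = t.age(2.4)              # aggressive 1 s timer expires the remaining idle probes

    full = SessionTable(limit=3)        # every session established: nothing to reclaim
    for i in range(3):
        k = ("udp", "10.0.0.1", 6000 + i, "192.0.2.1", 53)
        full.packet(0.0, k)
        full.packet(0.0, k, reverse=True)
    dropped = sum(not full.packet(10.0 + i, ("udp", "10.0.0.2", 7000 + i, "192.0.2.1", 53))
                  for i in range(40))   # one new flow per second for 40 s
    return {"after_scan": after_scan, "fresh_ok": fresh_ok, "evicted_first_probe": evicted_first_probe,
            "reclaimed": reclaimed, "aggressive_after": t.aggressive, "dropped": dropped,
            "drop_messages": sum("dropped" in m for _, m in full.syslog)}


if __name__ == "__main__":
    print(run_demo())
```

The second table is the case an operator should watch for: 40 packets are dropped over 40 seconds but only two syslog messages appear, so drop counters, not message counts, are the right signal that the limit has been reached.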
What happens when standby unit receives packets on the WAN int when its LAN int is shut down?
When the standby unit receives packets on its WAN interface, it does a route lookup, and that lookup fails because the LAN interface is down. One might expect it to skip the lookup and simply hand the packets to the active unit for the route lookup, but the observed behavior is expected: the route lookup happens before asymmetric routing (AR), because AR is a firewall (FW) feature and FW is an egress feature.
The key point is that when the LAN interface is down or deleted, a valid route must still exist so the FW can find the redundancy group (RG) from an egress interface and perform the asymmetric routing task properly. So check the routing table on the standby ASR1K and make sure there is a route from WAN to LAN whose egress interface has a proper RG configured.
The solution is to add an additional L3 point-to-point link between the two routers and put those two interfaces in the same RG and the same security zone as the LAN interface that fails on the standby router (R2).
Is Asymmetry on both sides supported?
No, it is not. The only supported topology is back-to-back (B2B) on the LAN side and asymmetry on the WAN side. Asymmetric routing (AR) on both the WAN and LAN sides is not supported.
Traffic arriving on a 3rd interface besides the two that built the connection - supported?
No. If the connection was built on the LAN-WAN zone pair and some packets belonging to the same flow end up between WAN and WAN zones, they will be dropped. Traffic arriving on an interface other than the pair of interfaces that built the connection is not supported; it is considered malicious and dropped. When traffic enters the ZBFW, the packet is checked against the existing session table, and if it matches a session in the table, the firewall tries to forward it through that existing session. This session match overrides the PASS policy configured on the interface.
Could one configure both inter- and intra-chassis HA? No; as noted in the Stateful Interchassis Redundancy restrictions below, coexistence of interbox and intrabox HA is not supported.
What are some restrictions when configuring asymmetry routing with HA?
Asymmetric routing over Multiprotocol Label Switching (MPLS) and VPN is not supported prior to IOS XE 3.14.
LANs that use virtual IP addresses and virtual MAC (VMAC) addresses do not support asymmetric routing.
VPN routing and forwarding (VRF) is not supported prior to IOS XE 3.14.
What are some Restrictions for Firewall Stateful Inter chassis Redundancy?
Multiprotocol Label Switching (MPLS) is not supported.
LAN and MESH scenarios are not supported.
Cisco ASR 1006 and Cisco ASR 1013 platforms with dual Embedded Services Processors (ESPs) or dual Route Processors (RPs) in the chassis are not supported, because coexistence of interbox high availability (HA) and intrabox HA is not supported. Cisco ASR 1006 and Cisco ASR 1013 platforms with a single ESP and a single RP in the chassis do support interchassis redundancy.
If the dual IOS daemon (IOSd) is configured, the device will not support the firewall Stateful Interchassis Redundancy configuration.
By default, Network Address Translation (NAT) high availability (inter and intrabox) does not replicate HTTP sessions to the standby device. To replicate HTTP sessions on the standby device during a switchover, you must configure the ip nat switchover replication http command.
Can the standby unit also process packets for the same flow as the active unit?
By default, when asymmetric routing is configured, Network Address Translation (NAT) processes non-ALG packets on the standby RG, instead of forwarding them to the active. The NAT-only configuration (that is when the firewall is not configured) can use both the active and standby RGs for processing packets.
You can configure the asymmetric-routing always-divert enable command to divert packets received on the standby RG to the active RG.
Useful show commands for checking the RG interfaces and the firewall HA sessions:
show redundancy application control-interface group 1
show redundancy application data-interface group 1
show policy-firewall session zone-pair <ZP> ha
Two RGs per interface - is this supported?
No, this is presently not supported. Only one RG per interface.
An asymmetric routing interface can receive traffic from and send traffic to multiple RGs. For a non-asymmetric interface (a normal LAN interface), a 1:1 mapping exists between the interface and an RG.
Can the control and data interface be part of a zone?
No, the control and data interfaces should not be part of any zone. Doing so causes a COLD-BULK situation, because the zone members then become part of connections for which there is no RII (redundancy interface identifier) group.
When the control link breaks both units go active. Is there any way out of this situation?
This is expected behavior: even if the LAN interfaces are fine, when the control interface breaks both units go active. The workaround is to run both the control and data interfaces over a port channel, so that each can fall back to a backup Ethernet connection if one member link fails. In the configuration below, both FastEthernet0/2/0 and FastEthernet0/2/3 have to go down before both units go active.
(The interface stanza headers were flattened in the original and are restored here from the VLAN and port names; the group's data-interface line and the member links' channel-group lines are not shown in the original.)
redundancy
 application redundancy
  group 1
   priority 250 failover threshold 155
   control Port-channel1.4011 protocol 1
!
interface Port-channel1
 no ip address
!
interface Port-channel1.4011
 encapsulation dot1Q 4011 primary FastEthernet0/2/0 secondary FastEthernet0/2/3
 ip address 10.7.7.1 255.255.255.0
!
interface Port-channel1.4012
 encapsulation dot1Q 4012 primary FastEthernet0/2/3 secondary FastEthernet0/2/0
 ip address 10.4.4.1 255.255.255.0
!
interface FastEthernet0/2/0
 no ip address
!
interface FastEthernet0/2/3
 no ip address
Can "redundancy group" and "asymmetry routing" be configured under the same interface?
No. RG and asymmetric routing should not be combined on one interface. RG interfaces are used to replicate connections, but an asymmetric routing interface is not.