- ASR-NAT
- Is it possible to configure custom timeout values per IP/port for NAT in ASR1000?
- Is HA available for NAT?
- Does XE support VRF aware NAT?
- Does the ASR support PAP (Paired Address Pooling)
- List of NetFlow collectors supported by Cisco to work with HSL
- Can XE NAT a range of ports like the ASA does? (Static NAT for a Range of Ports)
- Throughput of an ASR / ESP with FW / NAT services enabled
- Is VRF aware NAT64 supported on XE?
- NAT64 Is there a way to turn off NAT ALGs for specific subnet and not globally?
- Is there a MIB to get the ip nat statistics?
- NAT for overlapping addresses
- NAT for overlapping addresses using match-in VRF
- What is the order of operation for the following features ACL, NAT, ZBF?
- IN to OUT order:
- OUT to IN order:
- ASR-ZBFW
- Can multiple Firewall instances be created on the ASR1000?
- Do we support transparent mode firewall?
- How many class-maps and policy-maps can the unit support?
- How many zones and zone pairs does the ASR support?
- Will ACLs tied to ZBF and QoS show hit count? If so when?
- When is object-group based ACL coming out?
- Need information about TCP intercept feature on ASR.
- Mitigation techniques against various attacks
- What is the behavior of the router as the number of connections nears and then eventually reaches the connection table limit ?
- What alerting options are there as the router nears and then eventually reaches its connection limit?
- What options are there to detect or alert on state table exhaustion?
- List of L-7 inspections supported by the ASR
- Mangement Tool to configure and maintain ASR
- Ordering Router Feature Licenses
- ASR-HA
- Do the configs sync between the two units?
- Do both units need to be same hardware and software?
- What does active/avtive HA mean?
- Asymmetry Routing
- What happens when standby unit receives packets on the WAN int when its LAN int is shut down?
- Is Asymmetry on both sides supported?
- Traffic arriving on a 3rd interface besides the two that built the connection - supported?
- Could one configure both inter and intra chassis HA?
- What are some restrictions when configuring asymmetry routing with HA?
- What are some Restrictions for Firewall Stateful Inter chassis Redundancy?
- Are http sessions replicated to the standby unit?
- Can the standby unit also process packets for the same flow as the active unit?
- What are some show commands to troubleshoot HA?
- Two RGs per interface - is this supported?
- Can the control and data interface be part of a zone?
- When the control link breaks both units go active. Is there any way out of this situation?
- Can "redundancy group" and "asymmetry routing" be configured under the same interface?
- Should the RII be unique?
- ASR HA Sample Config
ASR-NAT
Is it possible to configure custom timeout values per IP/port for NAT in ASR1000?
This is possible on our ASA/FWSM platform to configure timeout for certain host or subnet for specific traffic but not on the ASR. What can be done on the ASR is shown below:
kusankar-ASR1002(config)#ip nat translation ?
dns-timeout Specify timeout for NAT DNS flows
finrst-timeout Specify timeout for NAT TCP flows after a FIN or RST
icmp-timeout Specify timeout for NAT ICMP flows
max-entries Specify maximum number of NAT entries
port-timeout Specify timeout for NAT TCP/UDP port specific flows
pptp-timeout Specify timeout for NAT PPTP flows
routemap-entry-timeout Specify timeout for routemap created half entry
syn-timeout Specify timeout for NAT TCP flows after a SYN and no
further data
tcp-timeout Specify timeout for NAT TCP flows
timeout Specify timeout for dynamic NAT translations
udp-timeout Specify timeout for NAT UDP flows
kusankar-ASR1002(config)#ip nat translation port-timeout tcp 8080 300
Is HA available for NAT?
Yes, please refer this link: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-ha.html#GUID-F60EC838-394E-4D25-A4DA-F21FE3499664
Does XE support VRF aware NAT?
Yes, please refer this link: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-match-vrf.html
Does the ASR support PAP (Paired Address Pooling)
Yes.
The ability of Network Address Translation (NAT) to consistently represent a local IP address as a single global IP address is termed paired address pooling. Paired address pooling is supported only on Port Address Translation (PAT).
please check this link: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-addr-pool.html
Device# configure terminal Device(config)# ip nat settings pap Device(config)# ip nat pool net-208 192.168.202.129 192.168.202.158 netmask 255.25 5.255.240 Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255 Device(config)# ip nat inside source list 1 pool net-208 overload Device(config)# interface gigabitethernet 0/0/1 Device(config-if)# ip address 10.114.11.39 255.255.255.0 Device(config-if)# ip nat inside Device(config-if)# exit Device(config)# interface gigabitethernet 0/1/2 Device(config-if)# ip address 172.16.232.182 255.255.255.240 Device(config-if)# ip nat outside Device(config-if)# end
List of NetFlow collectors supported by Cisco to work with HSL
Cisco is working with partners like Lancope and ActionPacked. You can see a list of free NetFlow collectors that are supported by Cisco here:
ASR HSL with VRF: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book/iadnat-hsl-vrf.html
Can XE NAT a range of ports like the ASA does? (Static NAT for a Range of Ports)
No, not at the time of this writing (Jan 2014). This is not supported in XE3.1x or earlier. Check with product marketing about roadmap status
Throughput of an ASR / ESP with FW / NAT services enabled
Is VRF aware NAT64 supported on XE?
Neither vrf aware nat64 nor vrf aware nat46 are supported at the time of this writing (Jan 2014).
NAT64 Is there a way to turn off NAT ALGs for specific subnet and not globally?
Currently we only provision enabling/disabling of ALGs globally.
Is there a MIB to get the ip nat statistics?
Not at this time. However, there is an enhancement request filed CSCdr25202. Please reach out to the account team and have them drive this.
NAT for overlapping addresses
Use Network Address Translation (NAT) to translate IP addresses if the IP addresses that you use are neither legal nor officially assigned. Overlapping networks result when you assign an IP address to a device on your network that is already legally owned and assigned to a different device on the Internet or outside the network.
Please refer this link: CHAPTER 1 Address Translation of Overlapping Networks Page 8
NAT for overlapping addresses using match-in VRF
The Match-in-VRF Support for NAT feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-VPN
NAT, both the local and global address spaces for end hosts are isolated to their respective VPNs, and as a result, the translated addresses for the hosts overlap each other. The Match-in-VRF Support for NAT feature helps separate the address space for translated addresses among VPNs.
Please refer this link: CHAPTER 22 Match-in-VRF Support for NAT 311
What is the order of operation for the following features ACL, NAT, ZBF?
IN to OUT order:
ACL in on the interface >> ZBF >> NAT >>ACL out on the interface
OUT to IN order:
ACL in on the interface >> NAT >> ZBF >> ACL out on the interface.
There is no reason to configure interface based ACL in addition to ZBF. Be very careful when using interface ACLs with ZBF since ZBF cannot modify the interface ACLs to add pin-holes.
ASR-ZBFW
Can multiple Firewall instances be created on the ASR1000?
There is no virtual context concept on the ASRs/ISRs like we do on the PIX/ASA/FWSM platform but what we can do is is apply separate zone-pair policy for different pairs of VRFs. Check this link: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/vrf-aware-fw.html
Do we support transparent mode firewall?
Starting XE 3.15 (March 2015) and above XE will support transparent firewall.
Refer this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/zbfw-l2-transp-fw.html
How many class-maps and policy-maps can the unit support?
Refer this link: http://www.cisco.com/en/US/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/asr1000/qos-apply.html
How many zones and zone pairs does the ASR support?
Will ACLs tied to ZBF and QoS show hit count? If so when?
Yes, ACLs tied to ZBF and QoS will show hit count starting XE 3.13 and above.
When is object-group based ACL coming out?
Support for this was added in XE 3.12 (March 2014).
Need information about TCP intercept feature on ASR.
This feature is called SYN cookie protection. This only helps TCP traffic. More details here: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/conf-fw-tcp-syn-cookie.html
Mitigation techniques against various attacks
Refer this link regarding various attacks: https://supportforums.cisco.com/docs/DOC-38900
Attack Details
| ARP Flood | ZBF does not inspect ARP packets |
| Evasive UDP |
ZBF has no mechanism for supporting evasive udp session establishment detection |
| LAND Attack |
ZBF doesn’t detect it, but enabling RPF should catch it. |
| Ping Of Death |
System should simply handle it no ZBF needed |
| Random Unreachable Host |
We do verify that a session exists before allowing icmp error messages through. |
| RST Flood |
First we ensure that the TCP packet is within the window. Then we mark the flow as closed, so additional RSTs don’t get through, but the firewall session may stick around (TBD) since we continue to get packets for the flow (even though we drop them.) |
| Smurf |
Anything with a bogus source address should be caught by RPF |
| SYN Flood | SYN Cookie Protection |
| TCP Port Scan |
IPS/IDS |
| Tear Drop |
VFR (which ZBF enables by default) |
| UDP Flood |
We support QOS, but it is not flow aware, or ZBF will only allow so many packets to be processed at one time for a given flow. |
| UDP Port Scan |
IPS/IDS |
| Host Unreachable |
IPS/IDS All ZBF does is look up the session to see if it is valid. |
| Xmas Tree |
No support. We just verify that options are valid. No way to strip or deny options. (although interface ACLs might be able to be used to deny) |
What is the behavior of the router as the number of connections nears and then eventually reaches the connection table limit ?
We clear out the idle half open sessions. This is for both udp and tcp. The idea is if we have a bunch of half open sessions and we start doing aggressive aging, the oldest 1/2 open (the one idle the longest) will likely be freed up first. When we run out, we drop packets. When aggressive aging is enabled (or disabled) we spit out a syslog alert message.
FW-4-ALERT_ON
What alerting options are there as the router nears and then eventually reaches its connection limit?
Anytime we drop the packet, we report a syslog message which is rate limited to one dropped message every 30 seconds. These messages are severely rate limited.
FW-6-DROP_PKT
FW-4-ALERT_ON
FW-4-SESSIONS_MAXIMUM
Refer HSL document here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-data-fw-hsl.html
What options are there to detect or alert on state table exhaustion?
Watch for the syslog messages.
FW-4-SESSIONS_MAXIMUM
Refer HSL document here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-data-fw-hsl.html
List of L-7 inspections supported by the ASR
FTP, H323, RTSP, SCCP, SIP, TFTP, RCMD, LDAP(NAT only), DNS (NAT, no deep packet inspection), SMTP/ESMTP, POP3, IMAP, SUNRPC, GTPv1, GTPV2, PPTP(NAT only) are supported.
Please refer this external link: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-fw-hsl.html (search for ALG)
Mangement Tool to configure and maintain ASR
Prime Infrasturcture can be used to manage ASRs. You can read more about it here:
PI - Ordering Information: http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-infrastructure/guide_c07-729223.html
PI - Configuration: http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/2-0/configuration/guide/pi_20_cg.html
Ordering Router Feature Licenses
Please refer to this link regarding ordering router feature licenses: http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/product_bulletin_c07-448862.html#wp9002740
ASR-HA
Do the configs sync between the two units?
Stateful Inter-chassis redundancy does not support router config sync.
Do both units need to be same hardware and software?
No. They could be different hardware; one ASR1001 and one ISR 4431 running the same XE image should be good for inter-chassis failover. Please check the prerequisite here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/conf-fw-stateful-inter-chassis.html#GUID-8F98E1DB-91D5-4AC3-84A9-3451CA8631EF
Same software on both units is mandatory.
What does active/avtive HA mean?
The way active-active inter-box firewall redundancy works is that,
- There are 2 RGs configured on each box,
- Group A is standby and Group B is active on the Device 1.
- Group A is active and Group B is standby on the Device 2.
- Each RG should be configured for different ingress-egress interface pairs.
- The traffic passing through the 2 boxes should belong to different flows. Packet belongs to 1 flow must go through 1 box only, more precisely one RG.
- ZBFW sessions can only belong to 1 RG.
The active/active is, in fact, referring 2 different flows.
Please read here for additional information:http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-stateful-int-chass.html#GUID-799993C7-4264-4B31-B787-FE809DC80DAE
Asymmetry Routing
What happens when standby unit receives packets on the WAN int when its LAN int is shut down?
When the standby unit receives packets on its WAN interface, it does a route lookup and that fails due to the LAN interface being down. There is no reason for it to do route lookup it should send the packets over to the active unit and have it do the route look up. This is to be expected because Route lookup happens before AR. AR is a feature in FW, FW is an egress feature.
Is Asymmetry on both sides supported?
No, it is not. The only topology that is supported is B2B on the LAN side and Asymmetry on the WAN side. We do not support AR (asymmetry routing) on both WAN and LAN sides.
Traffic arriving on a 3rd interface besides the two that built the connection - supported?
No, If the connection was built between LAN-WAN zone-pair and if some packets belonging the same flow ends up between WAN to WAN zones it will be dropped. Traffic arriving on a different interface than the pair of interfaces that built the connection is not supported and will be considered malicious and dropped. When traffic comes into ZBFW, the packet is checked against the existing session table. If this session matches what is in the table, we will try to forward the traffic through that existing session. This session matching overwrites the PASS policy that is configured on the interface.
Could one configure both inter and intra chassis HA?
No, this is not supported. Coexistence of interbox high availability (HA) and intrabox HA is not supported. Please refer this link for additional information: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/conf-fw-stateful-inter-chassis.html#GUID-A82FC656-1E00-4A5B-AB41-68C64D4DC1D3
What are some restrictions when configuring asymmetry routing with HA?
- Asymmetric routing over Multiprotocol Label Switching (MPLS) and VPN is not supported prior to XE 3.14.
- LANs that use virtual IP addresses and virtual MAC (VMAC) addresses do not support asymmetric routing.
- VPN routing and forwarding (VRF) is not supported prior to XE 3.14.
What are some Restrictions for Firewall Stateful Inter chassis Redundancy?
- Multiprotocol Label Switching (MPLS) is not supported.
- LAN and MESH scenarios are not supported.
- Cisco ASR 1006 and Cisco ASR 1013 platforms with dual Embedded Services Processors (ESPs) or dual Route Processors (RPs) in the chassis are not supported, because coexistence of interbox high availability (HA) and intrabox HA is not supported. Cisco ASR 1006 and Cisco ASR 1013 platforms with single ESP and single RP in the chassis supports interchassis redundancy.
- If the dual IOS daemon (IOSd) is configured, the device will not support the firewall Stateful Interchassis Redundancy configuration.
Please refer this link for additional information: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/conf-fw-stateful-inter-chassis.html#GUID-A82FC656-1E00-4A5B-AB41-68C64D4DC1D3
Are http sessions replicated to the standby unit?
By default, Network Address Translation (NAT) high availability (inter and intrabox) does not replicate HTTP sessions to the standby device. To replicate HTTP sessions on the standby device during a switchover, you must configure the ip nat switchover replication http command.
Please refer this link: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-stateful-int-chass.html#GUID-9724F9F2-7C28-4FBB-8916-6234063FFF04
Can the standby unit also process packets for the same flow as the active unit?
By default, when asymmetric routing is configured, Network Address Translation (NAT) processes non-ALG packets on the standby RG, instead of forwarding them to the active. The NAT-only configuration (that is when the firewall is not configured) can use both the active and standby RGs for processing packets.
You can configure the asymmetric-routing always-divert enable command to divert packets received on the standby RG to the active RG.
Please refer this link for more information: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/sec-data-asym-route.html#GUID-6399763F-7B18-4F8C-8C89-16CB86A3E6BB
What are some show commands to troubleshoot HA?
show policy-firewall session zone-pair <ZP> ha
Two RGs per interface - is this supported?
No, this is presently not supported. Only one RG per interface.
An asymmetric routing interface can receive traffic from and send traffic to multiple RGs. For non asymmetric interface (normal LAN interface) - 1:1 mapping exists between the interface and an RG.
Can the control and data interface be part of a zone?
No, control and data interface should not be part of any zone. This will cause COLD-BULK situation when zone-members are part of connections for which there is no rii group.
When the control link breaks both units go active. Is there any way out of this situation?
This is expected behavior. Even if the LAN interfaces are fine, when control interface breaks both units will go active. The workaround for this situation is to configure both control and data interfaces off of a port channel. They can use backup Ethernet connections if one of them fail. In this case both FE0/2/0 and FE0/2/3 both have to go down for the units to both go active.
redundancy mode none application redundancy group 1 name chand1 preempt priority 250 failover threshold 155 control Port-channel1.4011 protocol 1 data Port-channel1.4012 interface Port-channel1 no ip address interface Port-channel1.4011 encapsulation dot1Q 4011 primary FastEthernet0/2/0 secondary FastEthernet0/2/3 ip address 10.7.7.1 255.255.255.0 interface Port-channel1.4012 encapsulation dot1Q 4012 primary FastEthernet0/2/3 secondary FastEthernet0/2/0 ip address 10.4.4.1 255.255.255.0 interface FastEthernet0/2/0 no ip address negotiation auto channel-group 1 interface FastEthernet0/2/3 no ip address negotiation auto channel-group 1
Can "redundancy group" and "asymmetry routing" be configured under the same interface?
No. RG and asymmetry should not be combined under one interface. RG interfaces will be used to replicate connections but asymmetric interface will not.
Should the RII be unique?
Yes. The pairs of redundant interfaces are configured with the same unique ID number known as the redundant interface identifier (RII). Please refer to this link for additional information: http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-stateful-int-chass.html#GUID-799993C7-4264-4B31-B787-FE809DC80DAE
ASR HA Sample Config
|
redundancy interface GigabitEthernet0/0/2.501 description control link description data link ! interface Port-channel1.90 . interface GigabitEthernet0/0/3.555 .
|
redundancy protocol 1 interface GigabitEthernet0/0/2.501 description control link description data link interface Port-channel1.90 . ! interface GigabitEthernet0/0/3.555 .
|
