Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar. Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.
Remember to use the rating system to let Kureli know if you have received an adequate response.
Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
I am the network administrator for a county wide public library system. Some of our branches are on a VPN (either DSL or Charter) connected via a cisco 5505 (branch side) and a cisco 5510 (main).
How do I seperate my staff (giving them priority over the bandwidth) from the public PC's?
I hope you have separate subnet/ip address for staff and the public PCs and you can identify them via an access-list. You can configure police and priority.
Follow this link:
I am not used to the command line and is there way to do this using the GUI interface?
I have already set up 2 groups 1 for staff (and added thier IP's to that list) and then added a group for the rest of the PC's (and added those IP's to that list). I then went into the the Service Policy Rules, and said
Source - Staff to any destination on any IP has QoS enabled priority for this flow
Souce - Public to any destination on any IP has Policy Direct input Commited rate 8000
I am really new to this and I will look at the link you sent me but in the mean time can you see if there is something I am doing wrong?
*All of the PC's (Staff and Public) are on the same subnet.
Follow this link to configure this using ASDM: http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/qos.html#wp1053674
You are on the right track.
Once done pls. post the output of
sh run class-map
sh run policy-map
along with the access-list that you match in the class-map.
For the sh run class-map:
class-map access-list outside_mpc
For sh run policy-map
policy-map type inspect dns present_dns_map
message-length maximum 512
inspect dns present_dns_map
inspect h323 h226
inspect h323 ras
What do you mean by the access-list that I matchin the class-map?
Sorry about the delay. Pls. replace the public pc ip and staff pc ip with proper translated IP address. I hope you are translating staff PC to a certain IP address when it goes out to the internet and the public PCs to another IP address when they go out to the internet. Pls. send me "sh run" from the firewall so, I can take a look at it.
You should configure something like this. You can copy and paste these lines onto the ASA once you verify the interface names and replace the IP addresses.
access-list public-pc permit ip host x.x.x.x any eq 80 ----------> where x.x.x.x is the IP address of the public PCs when they go out to the internet
access-list staff-pc permit ip host y.y.y.y any eq 80 ---------------> where y.y.y.y is the IP address of the staff PCs when they go out to the internet.
match access-list public-pc
match access-list staff-pc
police output 500000 ---------------> You are providing 500Kbps for the public PCs out of the available BW to you. You may choose another value.
service-policy police-priority-policy interface outside
Nevermind I got it to copy and paste
Here is the sh run:
Result of the command: "sh run"
ASA Version 7.2(4)
enable password ER.y749.lMleEpRJ encrypted
passwd ER.y749.lMleEpRJ encrypted
name 192.168.11.23 SVBack
name 192.168.11.20 SVLeft
name 192.168.11.22 SVMid
name 192.168.11.21 SVRight
name 192.168.11.24 SVoffice
name 192.168.11.202 SVOpac01
name 192.168.11.204 SVOpac02
name 192.168.11.201 SVOpac03
name 192.168.11.200 SVOpac04
name 192.168.11.210 SVPublic01
name 192.168.11.203 SVPublic02
name 192.168.11.209 SVPublic03
name 192.168.11.212 SVPublic04
name 192.168.11.211 SVPublic05
name 192.168.11.205 SVPublic06
name 192.168.11.206 SVXC1
name 192.168.11.208 SVXC2
name 192.168.11.207 SVXC3
ip address 192.168.11.1 255.255.255.0
pppoe client vpdn group SU
ip address pppoe setroute
switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
object-group network SVStaff
network-object host SVLeft
network-object host SVRight
network-object host SVMid
network-object host SVBack
network-object host SVoffice
object-group network SVPublic
network-object host SVOpac04
network-object host SVOpac03
network-object host SVOpac01
network-object host SVPublic02
network-object host SVOpac02
network-object host SVPublic06
network-object host SVXC1
network-object host SVXC3
network-object host SVXC2
network-object host SVPublic03
network-object host SVPublic01
network-object host SVPublic05
network-object host SVPublic04
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 any
access-list outside_mpc extended permit ip object-group SVStaff any
pager lines 24
logging list Config-Saved level notifications class sys
logging list Config-Saved message 111008
logging history informational
logging asdm informational
logging mail Config-Saved
logging from-address Summitviewvpn@yvl.org
logging recipient-address email@example.com level notifications
logging recipient-address firstname.lastname@example.org level notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authorization command LOCAL
http server enable
http 220.127.116.11 255.255.255.255 outside
http 192.168.11.0 255.255.255.0 inside
snmp-server host outside 18.104.22.168 community ciscoyvl5505
snmp-server location Summitview
snmp-server contact email@example.com
snmp-server community ciscoyvl5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 22.214.171.124
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group SU request dialout pppoe
vpdn group SU localname firstname.lastname@example.org
vpdn group SU ppp authentication pap
vpdn username email@example.com password ********* store-local
dhcpd auto_config outside
username infotech password tzgCRDEHUdVE5LVu encrypted privilege 3
username config password 6j16spycqHHv8ERa encrypted privilege 15
tunnel-group 126.96.36.199 type ipsec-l2l
tunnel-group 188.8.131.52 ipsec-attributes
match access-list outside_mpc
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
service-policy outside-policy interface outside
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Apologies. I was hoping you were going to implement the config that I suggested earlier. Either use the ASDM link that I provided or use CLI and replace the IP addresses in the sample that I provided and add those config lines in place. If you are skeptical, then we would have to get on the firewall and assist you with the configuration. Feel free to open a TAC case. Let me know the case once number if you do open one.
I created a TAC case and updated to a newer version of firmware on our Cisco 5505 and with the help of the Cisco TAC guy we are getting the issue resolved thank you for your help!
i have an ASA firewall as the internet gateway for our network. if i need to add another internet line for our network, the ASA firewall can load balance the network traffic on the two internet lines or not??? and how??
Unfortunately we cannot load balance or do PBR (policy based routing) on the ASA.
Read this thread that I have answered in the past: https://supportforums.cisco.com/message/894920
We can only do SLA route tracking meaning if the primary internet cirucuit goes down, traffic will automatically use the backup internet circuit.
The ASA 8.2 documentation suggests you can load balance between 2 ISPs.
Please see the following:
Configuring a Default Static Route
A default route identifies the gateway IP address to which the adaptive security appliance sends all IP packets for which it does not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.
Note In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces that have different metrics, the connection to the ASA firewall that is made from the higher metric interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected. You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry. If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the following message: "ERROR: Cannot add route entry, possible conflict with existing routes."
Can you confirm this is correct.
That documentation is correct.
1. You CAN have upto 3 default routes pointing the SAME interface. Meaning 3 routers on the primary interface.
2. You CANNOT have two default routes pointing TWO diff. interfaces in case you have two diff. ISPs and load balance (use both at the same time).
3. The only thing you can have is two ISPs for redundancy. When one fails you can have the other link kick in by SLA route tracking as you can see here:
You cannot load balance betwee two ISPs. You can only have one as a backup to the other.
I hope it is clear. If not pls. post your question.
Hi Kureli - I am a bit confused when you say you cannot load balance.
The document says "Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways."
Surely if I am distributing the traffic among more than 1 specified gateway I am doing load balancing (or more strictly speaking Load Sharing)?
My apologies for not being clear in my response. When the document says you can load balance - you can only load balance upto 3 routers off the same interface. Like the following:
route outside 0.0.0.0 0.0.0.0 192.168.1.1
route outside 0.0.0.0 0.0.0.0 192.168.1.2
route outside 0.0.0.0 0.0.0.0 192.168.1.3
When you have two ISPs both of them would be different interfaces. It is not possible to load balance. In this case your default route will be
route Primary 0.0.0.0 0.0.0.0 192.168.1.1
route Secondary 0.0.0.0 0.0.0.0 10.10.1.1
Isn't it your intention to utilize both the ISPs at the same time (load balance)? In which case you would have to configure two default routes which is not supported. When you have two ISPs and two default routes out two different interfaces, we can only do SLA route tracking meaning when the primary route goes down, the secondary route will kick in (we would add the secondary default route with a higher metric).
possible with SLA route tracking:
route Primary 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1 ----------->metric 1
route Secondary 0.0.0.0 0.0.0.0 10.10.1.1 254 ---------> higher metric
I would like to know the major different in the Architecture between ASA and pix? I know there is bugs fixed on the new IOS released in the ASA and some fetures license has been added also. Is this Only the major difference or there is some thing else? could you please rename it?
Cisco has announced EOL and EOS for PIX. The last code that is available for the PIX platform is 8.0.4(32).
We are not doing any development work on the PIX code. No more bug fixes or anything. If the customer's encounter a new defect on the PIX code, they would have to upgrade the hardware to an ASA in order to get the fix for the defect.
Here is the PIX EOL-EOS link:
PIX and ASA are completely different hardware. The ASA's can take either a CSC or an AIP module but the PIX cannot.
For example - see the file size exactly same in 7.x code
Release Date: 07/Apr/2008
Cisco Adaptive Security Appliance Software version 7.2(4) software. Read Release Note prior to downloading this release.
Size: 8316.00 KB (8515584 bytes)
PIX OS version 7.2(4) software.
7.2.4 07-APR-2008 8515584
For example - see the file size difference in the 8.x code.
7538688 pix 8.0.4
14137344 asa 8.0.4
I am setting up a ASA 5510 that will have users connection via IPSec client to access a restricted area. I need to allow then to split tunnel to a few local resources.
I have tried to use group policy, but the ACL's for the option of exclude the following networks is a standard ACL. My challenge is I need to block access to specific ports on servers to prevent internet access while allowing the PC to communicate on other ports.
For example, client A coneects to the VPN. It needs to be able to connect to a server with ip 10.10.10.15 for printing and updates. However, that server also hosts a proxy server that uses port 8080. I need to prevent the PC from hitting 8080 on that server.
I have tried a filter on the VPN group but it does not work.
You have done the right thing. VPN filter is the way to go. That should work.
Let me know if the deny in this access-list doesn't work.
First off thank you for having this "ask the experts" discussion. I always enjoy reading through the many questions.
Regarding the ASA 5520/5510 what are some possible reasons while all of a sudden RA VPN IPSec or AnyConnect users cannot establish a VPN connection? Assuming things (memory/CPU/licensing, etc...) on the ASA seem normal.
For example, at any given time you have on average 30 combined (IPSec/AnyConnect) RA VPN clients and all of a sudden no one can connect. Users that are established seem to maintain their connection, but new sessions cannot be established. The health (memory/CPU/licensing, etc...) all seem perfectly normal on the ASA. To fix/work around the issue you typically have to clear all vpn IPSec/AnyConnect sessions.
Any suggestions on where to start the troubleshooting?
Glad to hear that you enjoyed the session. There are sooo many topics that we could cover in the future. Due to limited time, I picked a few most common ones that we see in the forum on a daily basis for my session.
What you see is very interesting. When no more users can connect, what syslogs do you see on the ASA and what does the vpn client logs say?
I think I may be hittng a bug with when somtimes vpn clients cannot connect. We are going to upgrade next week to see if it resolves the issues.
Heres the bug:
ASA unable to assign IP address for VPN client from DHCP intermittently
The bug is fixed in 8.3.1, we are on a 8.0(4)k8.
Nice bug CSCtb01577. Glad you found it.
Good luck with the upgrade. Bug is resolved in 008.002(002.001) 008.001(002.039) 008.000(005.006) .
You can upgrade to 8.2.2.x --> latest to get the fix.
8.3 has nat completely re-designed (simplified!). You would be up for a surprise and it is a slight learning curve to get used to the new syntax. Unless you are looking for new features, I'd just stick to 184.108.40.206 (I believe) if you are just looking for the fix for the above bug.
Thanks for the info about the nat changes in 8.3. It's just the bug I would like to fix for now. Do you know where documentation about the nat changes/differences in 8.3 can be located?