Sourcefire management port and subinterface communication issue

Rawit2015 — Tue, 12 Mar 2019 09:27:06 GMT

Hi,

I have one problem which I cannot bypass. Usually it works on physical interface out of the box, but this simply I cannot bypass. In short don't know how. I have configured one interface Gi1/8.10 VLAN 10 with IP 192.168.0.1 and management interface for SFR as 192.168.0.254. They are in same subnet. I have connected this management port meant for SFR via switch and on this switch I also connected Interface on which sub interface is configured. So connection goes. Interface (sub interface) -> Switch port trunk port 24 -> access port 1 and 2. Port 1 is connected to my PC and port 2 is connected to Management port on ASA (SFR). Unfortunately I cannot use Sourcefire for some reason. First thought was as sub interface has additional frame for VLAN that it might be an issue, but then again, switch removes that frame as port 1 and 2 is access port so it cannot be issue. The other thing that I noticed is that I cannot ping 192.168.0.254 even though port is enabled.

What can possibly be an issue here?

Config

xxx-xxx(config)# show running-config
: Saved

:
: Serial Number: XXXXXXXXXX
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(1)
!
hostname xxx-xxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx pbkdf2
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
names
ip local pool XXX_VPN 192.168.2.2-192.168.2.250 mask 255.255.255.0

!
interface GigabitEthernet1/1
description XXX public IP
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.xxx
!
interface GigabitEthernet1/2
nameif WANxxx
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.xxx
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
nameif insideXXX
security-level 100
ip address 192.168.xx.xx 255.255.255.0
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8.10
description administration interface
vlan 10
nameif administration
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/8.50
description voice interface - telephones
vlan 50
nameif voice
security-level 80
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/8.100
vlan 100
nameif CTS
security-level 70
ip address 192.168.1.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa981-lfbff-k8.SPA
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network XXXGW
host xxx.xxx.xxx.xxx
description XXXX Gateway
object network xxx-gw
host xxx.xxx.xxx.xxx
description XXX gateway IP
object network XXX_NAT
host 192.168.1.0
object network XXX_NAT
subnet 192.168.1.0 255.255.255.0
object network XXXXNAT
subnet 192.168.1.0 255.255.255.0
description Raw Gateway
object network AdminNAT
subnet 192.168.0.0 255.255.255.0
description Administration network NAT
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network tmp
subnet 192.168.13.0 255.255.255.0
description tmp subnet
object network NAT_CTS
subnet 192.168.1.0 255.255.255.0
description CTS system
object network NAT_Voice
subnet 10.10.10.0 255.255.255.0
description Telephone system
object network XXX_admin_Sub
subnet 192.168.0.0 255.255.255.0
description test out
access-list insideXXX_access_in extended permit icmp any any
access-list insideXXX_access_in extended permit ip any any
access-list WANxxx_access_in extended permit icmp any any echo-reply
access-list XXX_VPN remark Split tunnel for admin network
access-list XXX_VPN standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu outside 1500
mtu WANxxx 1500
mtu insideXXX 1500
mtu administration 1500
mtu voice 1500
mtu CTS 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (administration,outside) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network XXXXNAT
nat (any,WANxxx) dynamic interface dns
object network AdminNAT
nat (any,outside) dynamic interface dns
object network tmp
nat (insideXXX,WANxxx) dynamic interface dns
object network NAT_CTS
nat (any,outside) dynamic interface dns
object network NAT_Voice
nat (any,outside) dynamic interface dns
object network RAW_admin_Sub
nat (any,WANxxx) dynamic interface dns
access-group outside_access_in in interface outside
access-group WANxxx_access_in in interface WANxxx
access-group insideXXX_access_in in interface insideXXX
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route WANxxx 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 WANxxx
http 192.168.13.0 255.255.255.0 insideXXX
http 192.168.0.0 255.255.255.0 administration
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=XXX.local,O=XXX,C=DK
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=XXX.local
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
certificate 7cc32459
3082033b 30820223 a0030201 0202047c c3245930 0d06092a 864886f7 0d01010b
0500302d 31123010 06035504 03130967 70682e6c 6f63616c 31173015 06092a86
4886f70d 01090216 08636973 636f6173 61301e17 0d313730 35323430 38323330
ed3df0ba 834a6aec b6fe1da4 60740980 22cefe83 b89b0047 f2a87238 11f8003a
2189b396 adf34b71 3f1a92e8 1af372d7 eb6ac7cd b41dd779 118d70e5 66cdbf6f
4060f9cf a9fa36c6 b2a5ac82 e2a7aba8 49d71ac7 0e2de6c2 bbc2ae6b b26ef986
8b3a9ecb 2d470d7f 4ee27bd1 d3cc7103 a85bcf1c 055e3366 8ae0dcd8 b22d2efd
eeaadd58 81bdf651 33c2b735 1f34695d b161f107 7943c075 788b85ad 7bd1a9ae
a4a0b5a3 c2c0ce7b 81bd791e 8fc647dd ff2a2a47 21eab083 73652c44 c0c0c135
d55d524b 507aa9bf ea2bc3f5 6bc7ea69 66f8e42a 20ba4583 163fa878 f0c9c41b
8af01c80 405c8564 91f4a20b 79b1b976 7b6b2a0a bb0253b1 df612bc2 aa4e1a
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 30
dhcpd auto_config outside
!
dhcpd address 192.168.13.2-192.168.13.230 insideXXX
dhcpd dns 8.8.8.8 208.67.222.222 interface insideXXX
dhcpd enable insideXXX
!
dhcpd address 192.168.0.2-192.168.0.244 administration
dhcpd dns 8.8.8.8 208.67.222.222 interface administration
dhcpd enable administration
!
dhcpd address 10.10.10.2-10.10.10.250 voice
dhcpd dns 8.8.8.8 208.67.222.222 interface voice
dhcpd enable voice
!
dhcpd address 192.168.1.2-192.168.1.250 CTS
dhcpd dns 8.8.8.8 208.67.222.222 interface CTS
dhcpd enable CTS
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 WANxxx
ssl trust-point ASDM_TrustPoint1 insideXXX
ssl trust-point ASDM_TrustPoint1 administration
ssl trust-point ASDM_TrustPoint1 voice
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
anyconnect profiles XXX_VPN_client_profile disk0:/XXX_VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_XXX_VPN internal
group-policy GroupPolicy_XXX_VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy excludespecified
split-tunnel-network-list value XXX_VPN
default-domain none
webvpn
anyconnect profiles value XXX_VPN_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username xxadmin password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX pbkdf2 privilege 15
username xyadmin password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX privilege 15
tunnel-group XXX_VPN type remote-access
tunnel-group XXX_VPN general-attributes
address-pool XXX_VPN
default-group-policy GroupPolicy_XXX_VPN
tunnel-group XXX_VPN webvpn-attributes
group-alias XXX_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1xxxxxxxxxxxxxxxxxxxxxxxx
: end

Thank you in advance

Quite bizarre, it look like

Rawit2015 — Thu, 01 Jun 2017 12:49:41 GMT

Quite bizarre, it look like it start to work after couple of minutes, even though I haven't changed config. Also what I noticed for some reason each "DHCP server" on sub interface takes at least 3 minutes to start of releasing IP from the pool.

topic Sourcefire management port and subinterface communication issue in Network Security

Sourcefire management port and subinterface communication issue

Quite bizarre, it look like