topic Cisco IOS Router VS Cisco ASA Firewall in Network Security

Cisco IOS Router VS Cisco ASA Firewall

Ramraj Sivagnanam Sivajanam — Mon, 11 Mar 2019 19:17:49 GMT

Hi There

Lately, I was asked to troubleshoot an issue. The network setup is I have Linux workstation that's connected to the INSIDE interface of the Firewall and a Windows workstation that's connected to the OUTSIDE interface of the Firewall. For some reason, the Linux workstation cannot ping the Windows XP workstation but if I were to replace the Firewall with a Cisco Router, everything works fine.

Linux CentOS workstation

10.10.10.10 /24 (No Default Gateway is defined or static routing defined)

Cisco ASA Firewall

INSIDE : 10.10.10.1/24

OUTSIDE : 20.20.20.1/24

Note : The Firewall is doing Dynamic NAT from source network address 10.10.10.0/24 --> 20.20.20.1, as shown below;

access-list inside and outside is permit ip any any

global (outside) 1 interface

nat (inside) 0.0.0.0 0.0.0.0

Windows XP workstation

20.20.20.20/24

My question here is what is so special about a Router that the Firewall is lacking? Is there any command I need to enable on the Firewall? I tried enabling and disabling sysopt noproxyarp inside and sysopt noproxyarp outside, no difference.

Please kindly assist.

Regards,

Ram

+6-012-2918870

Re: Cisco IOS Router VS Cisco ASA Firewall

Jennifer Halim — Fri, 03 Dec 2010 05:35:27 GMT

I am assuming that your NAT statement should read:

nat (inside) 1 0.0.0.0 0.0.0.0

(Just double checking to see if you have configured "nat (inside) 0 0.0.0.0 0.0.0.0" or "nat (inside) 1 0.0.0.0 0.0.0.0"

Also, please enable ICMP inspection on the FW.

Re: Cisco IOS Router VS Cisco ASA Firewall

Jennifer Halim — Fri, 03 Dec 2010 05:36:03 GMT

Also what is the security level assigned to your inside and outside interface of the ASA?

Re: Cisco IOS Router VS Cisco ASA Firewall

Ramraj Sivagnanam Sivajanam — Fri, 03 Dec 2010 05:40:22 GMT

Hi Jennifer Halim

Yes, I do have the command nat (inside) 1 0.0.0.0 0.0.0.0, sorry for the typo error. The INSIDE and OUTSIDE security level are the default values i.e. 100 and 0 respectively.

For the Firewall console, I can ping the Linux workstation and Windows XP workstation. This is working fine but from the Linux workstation, I cannot PING the Windows XP workstation. Of course, from the Windows XP workstation, I cannot PING the Linux workstation due to the dynamic NAT.

That means, as far as the Windows XP is concern, the the Linux workstation and the Firewall OUTSIDE interface is the same IP Address i.e. 20.20.20.1. With Router, this is working fine, I'm suprised why with a Firewall, it doesn't.

Note: No personal Firewall is installed on any of those workstations.

Re: Cisco IOS Router VS Cisco ASA Firewall

Jennifer Halim — Fri, 03 Dec 2010 05:44:34 GMT

Did you perform "clear xlate" after configuring the NAT statement?

Also please configure the ICMP inspection (assuming that you already have global_policy policy-map applied globally with the service-policy command):

policy-map global_policy

 class inspection_default
     inspect icmp

Re: Cisco IOS Router VS Cisco ASA Firewall

Ramraj Sivagnanam Sivajanam — Fri, 03 Dec 2010 05:49:31 GMT

Hi Jennifer Halim

Yes, I did perform "clear xlate" after configuring the NAT statement. However, I'll try out the suggestion as shown below

 class inspection_default
     inspect icmp

Just to update, this problem was solved after I added a static route in the Linux workstation to point to 10.10.10.1 for destionation network address 20.20.20.X/24. My question here is when the Linux workstation wants to go to 20.20.20.X/24, without having a static route point to 10.10.10.1, this works fine in a Router but not in a Firewall whereby you need to a static route in the Linux workstation to point to 10.10.10.1 for destionation network address 20.20.20.X/24.

The netstat -rn table in the Linux workstations is

20.20.20.0/24 next hop IP is it self IP Address i.e. 10.10.10.10

Re: Cisco IOS Router VS Cisco ASA Firewall

Jennifer Halim — Fri, 03 Dec 2010 05:52:51 GMT

Well, you definitely need a route on your Linux host to reach the Windows host as they are not in the same subnet.

You either have default gateway configured, or specific route configured if you don't have default gateway to be able to reach a host who is not in the same subnet.

Router or firewall, both of them are L3 device, and you definitely need correct routing on each hop.

Re: Cisco IOS Router VS Cisco ASA Firewall

Ramraj Sivagnanam Sivajanam — Fri, 03 Dec 2010 06:00:47 GMT

Hi Jennifer Halim

I agree with your explanation, in fact that's the same thing I told my customer, but he proved me wrong by showing it to me practically. He replaced with a Cisco Router, and all is good. Only with the Firewall this doesn't work.

My customer explained to me that when 10.10.10.10 (linux) wants to go to 20.20.20.20, it will send out an ARP broadcast asking who knows how to go to 20.20.20.20. The Router will reply and say that it knows how to go to 20.20.20.20. hence, 10.10.10.10 goes to the Router i.e. 10.10.10.1, gets nat-ted to 20.20.20.1 and talks to 20.20.20.20.

For some reason, the Firewall doesn't accept this behaviour.

That means just because the Linux doesn have a gateway, it uses its' interface to route out all traffic. This is the same concept as in some routers, we can configure ip route 0.0.0.0 0.0.0.0 Serial0.

What do you think of the situation I have so far? Does it make sense or doesn't?

Re: Cisco IOS Router VS Cisco ASA Firewall

Jennifer Halim — Fri, 03 Dec 2010 06:39:24 GMT

Seems like the router might have a bug. That should not be the behaviour of L3 device, and ARP request is not to be broadcast out a L3 interface. ARP broadcast should be contained within L2 broadcast domain.

The firewall definitely does not have that behaviour. You would need to have route to access any L3 subnet hops away. Being a firewall, it has correctly prevent the incorrect behaviour to work. So when the firewall is in place, it actually provides the correct behaviour, ie: it wouldn't resolve the ARP if it's not in the same subnet.