topic Re: ASA5580 - inside shared interface causing syslog issues in Network Security

ASA5580 - inside shared interface causing syslog issues

boxhallbr — Mon, 11 Mar 2019 19:16:06 GMT

Hi,

We have two ASA5580s in HA mode and are having the same issue as reported in June 2009. (Heading - ASA5520 inside shared interface).

Until recently we have been receiving all syslog messages correctly. However now the syslog server is not receiving logs for traffic entering from

other contexts.

The two interfaces external and campus (internal) share the same interfaces. Unique mac-addresses have been assigned automatically as per best

practices.

The configurations are as below:

System context

mac-address auto
!
context sys
allocate-interface Management0/0 mgmtsys
allocate-interface TenGigabitEthernet7/0 external
allocate-interface TenGigabitEthernet7/1.2 campus
allocate-interface TenGigabitEthernet7/1.17 app
allocate-interface TenGigabitEthernet8/0.18 db
allocate-interface TenGigabitEthernet8/0.118 keep
config-url disk0:/sys.cfg
!
context assembly
allocate-interface Management0/0 mgmtass
allocate-interface TenGigabitEthernet7/0 external
allocate-interface TenGigabitEthernet7/1.2 campus
allocate-interface TenGigabitEthernet7/1.19 app
allocate-interface TenGigabitEthernet8/0.20 db
allocate-interface TenGigabitEthernet8/0.120 keep
config-url disk0:/assembly.cfg
join-failover-group 1
!

Syslog Configs

sys context - traffic from sys to assembly

Nov 29 17:28:42 10.91.21.7 %ASA-6-106100: access-list keepin permitted tcp keep/10.91.118.33(48923) -> campus/10.91.20.31(22) hit-cnt 1 300-second

interval [0x1985579a, 0x17098ed8]

assembly context

No syslog result is seen coming into assembly however rule works. (We tested by disabling the rule).

According to the original answer we have to add a global command to each context but I'm not sure how this is done. I have read the doco but I'm

still not completely sure.

Is the below correct?

sys context

Existing

interface external
nameif external
security-level 0
ip address x.x.x.x 255.255.255.0 standby y.y.y.y
!
interface campus
nameif campus
security-level 30
ip address x.x.x.x 255.255.255.0 standby y.y.y.y
!
interface app
nameif app
security-level 50
ip address x.x.x.x 255.255.255.0 standby y.y.y.y
!
interface db
nameif db
security-level 100
ip address x.x.x.x 255.255.255.0 standby y.y.y.y
!
interface keep
nameif keep
security-level 70
ip address x.x.x.x 255.255.255.0 standby y.y.y.y
!
interface mgmtsys
nameif mgmt
security-level 100
ip address x.x.x.x 255.255.255.0 standby y.y.y.y
management-only
!

access-list 101 extended permit ip any any (not applied anywhere)

Required

global (campus) 1 interface

Do we need to add static NATs? Will this not change how the IP addresses are seen elsewhere?

Thanks in advance and hope this all makes sense.

Bryce

Re: ASA5580 - inside shared interface causing syslog issues

praprama — Thu, 02 Dec 2010 15:02:13 GMT

Hi Bryce,

Unfortunately its not quite clear what the problem is. I understand there is an issue with syslogs? A topology will help in better understanding the problem.

Regards,

Prapanch

Re: ASA5580 - inside shared interface causing syslog issues

boxhallbr — Wed, 08 Dec 2010 03:08:04 GMT

Prapanch,

Sorry for not getting back to you earlier.

I think our issue is to do with having the same shared inside interface (in this case campus)

When I do a packet-tracer command I get the following responses (rules are in and connectivity is working).

From context sys to context assembly.

internal-asa-1/act/sys# packet-tracer input keep tcp 10.91.118.33 48552 10.91.20.31 22

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 campus

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group keepin in interface keep
access-list keepin extended permit object-group svc-ssh object-group grp-keepdb-syst object-group grp-db2-ass log
object-group service svc-ssh
service-object tcp eq ssh
object-group network grp-keepdb-syst
network-object host 10.91.118.33
object-group network grp-db2-ass
network-object host 10.91.20.31
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2887113746, packet dispatched to next module

Result:
input-interface: keep
input-status: up
input-line-status: up
output-interface: campus
output-status: up
output-line-status: up
Action: allow

Into context assembly from context sys

internal-asa-1/act/sys# chan cont ass
internal-asa-1/act/assembly# packet-tracer input campus tcp 10.91.118.33 48552 10.91.20.31 22

Result:
input-interface: campus
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

internal-asa-1/act/assembly#
internal-asa-1/act/assembly#
internal-asa-1/act/assembly#
internal-asa-1/act/assembly# exit

According to Cisco documentation to rectify this we need to add static NATs. But will this not change how the IP addresses are seen elsewhere?

Hope this adds a bit more light into what we are trying to do.

Bryce.

Re: ASA5580 - inside shared interface causing syslog issues

praprama — Fri, 10 Dec 2010 14:26:19 GMT

Hi Bryce,

Do you have the mac-address auto command configured on your ASA? This might help us in our situation. Let me know how it goes.

Thanks and Regards,

Prapanch

Re: ASA5580 - inside shared interface causing syslog issues

boxhallbr — Sun, 12 Dec 2010 22:40:55 GMT

Prapanch,

Mac-address auto is configured on the system context.

Re: ASA5580 - inside shared interface causing syslog issues

praprama — Mon, 13 Dec 2010 15:12:47 GMT

Hi Bryce,

I would suggest opening up a TAC case to take a look into this. Unfortunately, i am still unable to get a clear picture of the topology and live access to the device will certainly help.

Do let us know how it goes for the benefit of the community!

Cheers,

Prapanch