06-29-2012 10:22 AM - last edited on 02-13-2020 12:58 PM by Kelli Glass
With Prashanth Goutham R.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham.
Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
Remember to use the rating system to let Prashanth know if you have received an adequate response.
Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
07-09-2012 06:32 AM
Prashanth Goutham R.
Thank you very much for answering my questions. Very appreciated.I hope other users did benefit from your detailed/tested replies.
John
07-09-2012 07:18 AM
Hello Prashanth,
I've setup a ASA 5505 with 3 servers behind it. Riunning Exchange 2007 and RD Gateway behind NAT.
Port 443 is opened to allow Outlook Anywhere so the Domain users can access mail from outside the office without setting up a VPN tunnel. Also I use the RD Gateway so the users can access their worksations in the LAN and also the TS server (remote desktop)
This was working with the old firewall (D-Link Netdefend) but now the users get prompted with user/password popup from Outlook. The RD Gateway has also stopped working only telling the users "Logon Attempt Failed".
That means that Outlook failed to access the server using NTLM auth. and need to use "basic auth" instead.
So my question:
Does the ASA 5505 allow NTLM Passthrough? If not, what will I need to buy ?
07-10-2012 01:15 AM
Hello Johan,
This forum is specifically for the Failover Discussion on Cisco Firewalls, however to answer your question, Yes ASA supports NTLM Passthrough:
The ASA supports the following Single Sign On (SSO) methods:
Do let me know what troubleshooting you have done so far... Hope that helps.
07-10-2012 01:38 AM
Hmm...
As I can read on the provided URL those auth methods is supported on the "Single sign-on (SSO) for clientless SSL VPN users" section...
And I am not talking about building any VPN solution.
But can that be the issue? That the ASA is picking up the NTLM for the VPN? Not possible to disable the VPN feature somehow?
Troubleshoting done:
With D-Lnk it works. With Cisco it doesn't.
(Both devices redirects the TCP 443 to the internal IP of the server. Nothing else done)
07-10-2012 02:08 AM
Hello Jonan,
you indicate "Port 443 is opened " the Cisco ASA do NOT inspect this particular SSL port.
Have you check the output of the following cli command:
packet-tracer input outside tcp "internetsourceipaddress" 44444 "exchangeserveripaddress" 443 detailed
show service-policy flow tcp host "internetsourceipaddress" host "exchangeserveripaddress" eq 443
show service-policy
Regards
07-10-2012 05:11 AM
Hello Johan,
I misunderstood what you had mentioned. yes this is just for the VPN solution, however if your requirement is not a VPN solution then this can be treated just as normal data traffic, so make sure you have your basics set right like acl's etc. Also try to get the syslog and packet captures when the test is being done :
1. Apply packet captures on the Inside and Outside Interfaces on your firewall as shown :
access-list ACL_CAP permit ip host
access-list ACL_CAP permit ip host
capture capin access-list ACL_CAP interface inside circular-buffer
capture capout access-list ACL_CAP interface outside circular-buffer
2. Execute the following command once before and after your exchange server test where your ntlm packets are logged :
show service-policy
3. Also if you have http inspection enabled try disabling the same and try to test again.
4. Mention the ASA version running as well as provide me the NTLM version configured for your authentication.
07-10-2012 04:51 AM
Hello Prashanth Goutham R.,
we've trouble with our ASA 5510. Since some days our ASA 5510 looks like a Catalyst CE500-24LC in a new installed Cisco Network Assistant. Also in the Webinterface. Here are some pics about this fact.
In the last year we had a firm which have supported our network. But now we have to do it by ourself.
Our ASA 5510 manages some VPNs to our branch offices and mobile devices.
One of these VPNs to mobile devices is closed since last Saturday.
I can't find a mistake because of this case.
What could be wrong here?
With kind regards
Ruediger
OK... I've find a second IP of the ASA 5510 (.180). The connection is possible over this IP and a ASDM-Tool.
But what please is with the "virtual switch" on IP .254? Both have the same hostname (FECSW01).
On the connected ports of the switch are MACs registered, which are real on the other switches.
We have only 4 physical cisco switches. Till now the 5th switch is a phenomen for us.
Why the Cisco Network Assistant is not able to show the ASA 5510 on IP .180?
07-10-2012 10:43 PM
Hello Ruediger,
I am not very familiar with Cisco network Assistanct and this is not a topic which is supported in this ATE series. However can you please let me know which version of the CNA you have running as i only notice the CNA 5.0 and above have support for the ASA Firewalls:
Only both these firewall models seem to be supported:
• Cisco PIX® 515E Security Appliance
• Cisco ASA 5505 and ASA 5510 Adaptive Security Appliances
I would suggest you do this :
--- Read the release notes of the CNA version you have installed and check if it lists the model and version of ASA you have as a supported model.
--- Make sure the IP address you use for the CNA is the Active Firewall's Interface and its reachable from the CNA.
--- Make sure than port 443 or whichever port you have configured for CNA to be free and available when connecting to it.
Communication Protocols
Network Assistant uses HTTPS and HTTP to communicate with community members. It first tries to use HTTPS when using CDP to discover neighboring devices and when devices are added manually. If HTTPS fails, it tries again with HTTP.
The HTTPS port is fixed at 443; the HTTP port defaults to 80. You can specify a different HTTP port when you create a community. Afterward, you use the HTTP Port window to change the HTTP port. The port settings for both HTTPS and HTTP must be the same for all the members of a community.
Discovering and Adding Devices
Follow these steps to compile a list of candidate devices and to add them to a community:
1. Start Network Assistant, and select Connect to a new community in the Connect window. Click Connect.
2. In the Create Community window, enter a name for the community.
3. Click the Advanced button if you want to set an HTTP port other than 80, the default port. Enter the HTTP port number that you want to use. Click OK.
4. Enter the IP address for the starting device, and click Discover Neighbors.
5. In the Devices Found list, select candidate devices that you want to remove.
a. To remove more than one candidate, press Ctrl and make your choices, or press Shift and choose the first and last device in a range.
b. Click Remove.
6. Click Add All To Community to add the remaining devices in the list to the community.
Hope that Helps...
07-11-2012 06:44 AM
Hello Prashanth Goutham R.,
thanks for the information. I use the actual version 5.6 of the CNA and I want to connect to a ASA 5510 Firewall.
With the Java-ASDM-Tool I get a connection to the ASA 5510 over Port 443 on IP .180.
I'm now also on the server whose IP address is registered in the ASA 5510.
But the test to connect the ASA with the CNA breaks up with "Unable to connect."
The steps about you wrote, I've done also yesterday.
I will look for more details in the settings of the ASA 5510 and cisco community.
thanks and regards
Ruediger
07-11-2012 11:58 AM
Reudinger,
Taking into consideration that you have already checked the relavent release notes and also made sure that basic connectivity as well as reachability between the firewall and the CNA is available and working, Can you please do the following to make sure that the HTTP Server functionality on the ASA is working ok ?
no http server enable 443
--- Check the connectivity from CNA
http server enable 443
--- Check the connetivity from CNA again
This should help to fix the issue, Hope that helps..
07-10-2012 05:21 AM
Hello Prashant.
We have 2 Cisco ASA-5520 configured as a FO pair.
We have the interfaces configured as Inside, Outside and QA.
Recently what happened was one of the switches in the QA environment failed which resulted in the firewall showing the interface as "Failed - Waiting", thereafter the firewalls switches from Primary - Active to Secondary Active, and Primary Failed....
How do I remove the QA interface from FO or monitoring on the ASA's?
I dont want to monitor the QA interface because we use this for testing we usually reboot devices etc and dont want this to cause any issues to production traffic.
Regards
Zubair
07-10-2012 12:32 PM
Hello Prashant,
Ihave 2 Question for you,which are a piece of cake for u i hope,
07-11-2012 06:20 AM
Hi.
Thanks for the response.
I understand that by disabling monitoring on that interface we will be at risk and no FO will take place but for this QA environment we dont require this.
We somehow did experience a brief outage when the Primary firewall failed over and Secondary firewall took over. When issuing a show failover on the firewall I saw the Primary firewall state change to Primary - Failed and Secondary was Secondary/Standby Ready.
I shut the QA interface down and the firewall states changed to Primary - Standby and Secondary - Ready. I then proceeded to issue the failover active command on the Primary firewall to normalise the firewalls.
What I would like to find out now is that I do not want to interupt services again so when I unshut the QA interfaces will this have any effect on the firewalls?
I will ensure to issue the no monitor-interface QA as you mentioned.
Regards
Zubair
07-11-2012 11:40 AM
Hello Clark,
i'll answer both your questions though its not in the failover topic we are discussing:
In FWSM traffic flowing from lower security level to higher level requires access-list and NAT and also from higher security level to lower security level then what is the use of security level in FWSM.
The Security Levels are more than anything the architecture of how the ASA/FWSM Firewalls treat the traffic flows. Each Interface is assigned a Security Value ranging from 0 - 100 which is least secure to the most secure interfaces connecting to your firewall. This is basically a level of trust that you build where in you can categorize the Firewall flows as Inbound or Outbound. Inbound flow is any flow where the traffic is flowing from a least security interface to a Higher security Interface and Outbound flow is just the vice versa. This in turn ties up with several functions and features of the ASA/FWSM which depend on how the employ this feature. I would suggest you read more about the feature in Cisco ASA/FWSM Configuration guide to get an understanding on the same.
--- You have mentioned that you have vlan 2 on your fwsm which means you have enabled the vlan 2 in your firewall vlan group on the switch configuration.
--- However the ping is not working, so make sure the switch vlan 2 ip address is in the same subnet as the firewall vlan 2 ip address which was configured.
--- show arp should give you the arp entry for the firewall interface on the switch and vice versa on the switch as well, if you dont the arp entry, try to remove the vlan 2 from firewall vlan group and reenable it.
--- In the firewall make sure that you have the permit icmp interface
--- Check the syslogs on the firewall to see what is going on.
Message was edited by: Prashanth Goutham R.
07-10-2012 11:20 PM
Hello Zubair,
Even though you had a failover, i do not think you had an outage because of this as i assume you would have had Stateful Failover enabled which is the norm today with all of Cisco Firewalls. I realize the Firewall did what it had to do and nothing abnormal. I find your question confusing though as it says:
" How do I remove the QA interface from FO or monitoring on the ASA's?
and then you also go on to ask:
"How do I remove the QA interface from FO or monitoring on the ASA's?"
I can tell you that the first option is unavailable and defeats the purpose of Failover on ASA in the first place, however if your question is just about disabling Interface Monitoring on ASA then please do this :
ASADMZ(config)# no monitor-interface QA
What you would achieve by doing this is : http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079057
Hope that helps.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide