Re: Ask the Expert: Firewall Security and Troubleshooting VPN fo - Page 2

ciscomoderator · ‎01-29-2013

Learn and ask questions regarding Firewall Security and Troubleshooting VPN for Adaptive Security Appliance(ASA) . This event will be a continuation of the live Facebook Forum.

Bhavik Joshi is a Network Consulting Engineer with Service Provider Delivery team in Bangalore and has more than 3 years of experience working with security solutions implementation and troubleshooting network issues.

He has been actively working on multi-vendor security device and migration of multi-vendor security devices with cisco security solution. He also holds a CCIE Security certification #26263.

Where:

Please go to Cisco Support Facebook Page on the event day: http://www.facebook.com/CiscoSupportCommunity

When:

8:00 AM PST (San Francisco; UTC -7 hrs)

This corresponds to:

5:00 PM CET(Paris; UTC +1 hr)

9:00 PM PKT (Pakistan, UTC +5 hrs)

9:30 PM IST (India; UTC +5:30 hrs)

11:00 PM (Indonesia; UTC +7 hrs)

What is Facebook Forum?

Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. It gives you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.

deansakai1 · ‎02-05-2013

Hello Bhavik,

I really appreciated your support, because before you gave me the advice,

I haven't had the confidence to be able to fix this problerm.

Now, I'll try to upgrade the ios. Thanks again.

elmayir777 · ‎01-31-2013

Thx for such kind of easy support community!

We support VERY CRITICAL business process and we need to replace ASA5510 8.0 to ASA5540 9.1 version

we have very large config file need minimum downtime.

What is ur reccomendation ?

apply old config to new ASA with same IOS (8.0) , then upgade it to new one (9.1)

or backup from ASA5510 (8.0) with ASDM and restore it at 5540 (9.1) ??

thx beforehand

bhavjosh · ‎02-04-2013

Hi Elmayir,

You should go through the release nots of 9.1, it will help you to and let you know the precautions that should be taken while upgrading from 8.0 to 9.1

Please go through the below link once.

http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp678072

gaboughanem · ‎01-31-2013

Hello Bhavik,

I am trying to find the answer if the ASA can perform load balancing per-packet or per-destination.

In a situation where I have an ASA ver8.4.4.1 and load balance two routers (two default routes).

Thanks

bhavjosh · ‎02-04-2013

Hi,

You can do the load balancing by configuring cluster.

Refer

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1048834

krishnanand.yadav · ‎02-04-2013

Hi Bhavik,

Could you please explain in what scenario we will use MSS (Maximum Segment Size) configuration and its importance in troubleshooting VPN related issue?

Also if you can please explain NAT traversal configuration ? Where do i need to configure NAT traversal? It should be on NAT device next to Firewall or on Firewall itself. What does this NAT configuration actually do?

Thanks,

Krishnanand Yadav

bhavjosh · ‎02-08-2013

Hi Krishna,

When you have to send/receive packets with higher payload size, you require to chage the MSS size on the device. If you need to allow payload with higher packet size you need change the MSS size on the interface.

You will be using NAT-T when there is an device in between your two VPN end point is perfroming PAT. This feature is already enable by default. If you want to disable it you can use crypto ipsec nat-transperency udp-encapsulation on the router.

The device running behind PAT enable router/firewall will perform NAT-T on by sending packet on udp port 4500

Erwin Buena · ‎02-06-2013

Hi Bhavik,

Is it possible to add multiple subnet in in a static NAT Entry under ASA 8.4.x? see example below

object network NETWORK

subnet 10.97.0.0 255.255.0.0

subnet 10.99.0.0 255.255.0.0

subnet 10.104.0.0 255.255.0.0

subnet 10.144.0.0 255.255.0.0

!

nat (inside,outside) source static NETWORK NETWORK destination static SSLVPNClients SSLVPNClients route-lookup

Jouni Forss · ‎02-06-2013

Hi Erwin,

Should be no problem using "object-group" in your NAT setup.

Its even stated in Cisco documents that both "object" and "object-group" can be used with the configurations. The "object" can only contain single host/range/subnet whereas "object-group" can contain multiple host/network.

- Jouni

bhavjosh · ‎02-08-2013

Hi Erwin,

For doing this you require to create an network-group under which you will specify network-object and bind this network-group with your nat statement

WSLH OIS NOC - OIS Infrastructure · ‎02-06-2013

I'm confused about use of management interfaces on an ASA 5525-X we're about to power up, eventually replacing an ASA 5520.

On the 5525-X, the management interface is

(1) management-only

(2) overloaded for use by the ASA and the IPS module, using a second IP address

So if I have an existing management VLAN with stuff like switch stacks and UPS gear on it, I need to use one data firewall sub interface to talk to that stuff, say gi0/3.1, with ip address 172.18.10.1 255.255.255.0. Can I configure the management interface on that same vlan with a single IP address, or do I have to give the ASA its own subnet? E.g. what I'd like to do is:

interface gi0/3.1

nameif wslh-mgmt

ip address 172.18.10.1 255.255.255.0

security-level 100

description network gear - firewalls, switches, ups

interface management 0/0

nameif firewall-only

management-only

security-level 100

ip address 172.18.10.2 255.255.255.0

description - firewall itself

management-access firewall-only

Will this work? In particular, will it work if the IPS module gets 172.18.10.3 255.255.255.0?

-- Jim Leinweber, WI state Lab of Hygiene

bhavjosh · ‎02-08-2013

Hi,

It will not work as overlapping ip's cannot be configure on ASA. You can make this work with diffrent subnet ip.

prashantrecon · ‎05-03-2013

Hi Bhavik,

I have vlan say 10.0.0.0/24 which is patted with public .

With a same vlan i have created site to site vpn with the client But I have not used nonat for the interseting traiic do it work ?

ALIAOF_ · ‎05-09-2013

You know you can go under the management interface and type "no management-only" and then use that port as any other regular data ports. Put it on 172.18.10.x network and that is it.

goran ljubic · ‎05-10-2013

hi, i have a problem with my asa's 5505 in l2l vpn.configuration of my network is

LAN(192.168.5.0)>asa192.168.5.1>asa10.15.100.15>router10.15.100.1>8 routers>router10.13.74.1>asa10.13.74.50>asa192.168.0.15>LAN192.168.0.0

configurations of asa

Result of the command: "sh ru"

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password csq7sfr0bQJqMGET encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.15.100.15 255.255.255.0

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Makenzijeva-site

subnet 192.168.0.0 255.255.255.0

object network Palata-site

subnet 192.168.5.0 255.255.255.0

object network Sharepoint

host 192.168.5.37

access-list outside_cryptomap extended permit ip object Palata-site object Makenzijeva-site

access-list inside_access_in extended permit ip object Palata-site any

access-list outside_access_in extended permit ip any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static Palata-site Palata-site destination static Makenzijeva-site Makenzijeva-site no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network Sharepoint

nat (inside,outside) static 10.15.100.20 dns

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.15.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.5.0 255.255.255.0 inside

http 10.13.74.0 255.255.255.0 outside

http 10.15.100.0 255.255.255.0 outside

http 192.168.0.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des