Showing results for 
Search instead for 
Did you mean: 

Community Manager


Welcome  to the Cisco Networking  Professionals Ask the Expert conversation.  This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliances and Firewall Service Module product lines with Magnus Mortensen.  Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network security related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.

Remember to use the rating system to let Magnus know if you have received an adequate response.

Magnus might not be able to answer each question due to the volume expected   during this event. Our moderators will post many of the  unanswered  questions in other discussion forums shortly after the  event. This  event  lasts through October 8, 2010. Visit this forum  often to view  responses  to your questions and the questions of other  community members.



     You can export the Access-list rule configuration page of ASDM. In ASDM go to 'COnfiguration' -> 'Firewall' -> 'Access Rules' and click on the EXPORT button in the bar above the rule table. Options include HTML or CSV. I just tested this on my ASA 8.3.x/ASDM 6.3.x and ASA 8.2.x/ASDM 6.2.x setups and it seems to export a CSV file just fine.

- Magnus


We have 2 pairs of ASAs (5520), each pair is in Active/Active mode, I noticed that the failover IP gets the same Automatic MAC address (1200.0200.0400) on both pairs. Is this normal behavior? If this gives me MAC flapping when connecting the mentioned ports to same management zone, is the solution is to assign manual MAC addresses?


     It sounds like you may want to look into use the 'mac-address auto prefix' command. This commane was first put into ASA code in version 8.0.5 and the goal is make the mac-address auto generated more unique so you could have multiple ASAs without MAC conflict. More information about this command can be found here:

- Magnus


Hi Magnus,

My office have one Cisco ASA 5510. I've notice in firewall dashboard tab, there is scanning attack and syn attack. Its always have numbers of attack there.. average 4 attacks.Is there any possibility to know who doing attack and how to stop them?

And beside that, the TOP 10 Protected Server Under Syn Attack is showing as below

server:port                     Interface         | total          Source IP


Outside Server IP:23         inside          |  60            My inside server IP

Does this means My inside server attack outside Server on port 23 ? Any idea ? Please advice.

Regards, Nagis


I've configured ipsec vpn on cisco sa520  with fortigate router. Phase 1 and Phase 2 configuration all okay but ipsec tunnel isn't up. In ipsec vpn logs i got these -

2010-10-04 14:42:03: INFO:  Received Malformed packet of payload length 41726 and total length 72.
2010-10-04 14:42:07: INFO:  Received Malformed packet of payload length 41726 and total length 72.
2010-10-04 14:42:12: ERROR:  Ignore information because ISAKMP-SA has not been established yet.
2010-10-04 14:42:12: INFO:  Configuration found for[500].
2010-10-04 14:42:12: INFO:  Received request for new phase 1 negotiation:[500]<=>[500]
2010-10-04 14:42:12: INFO:  Beginning Identity Protection mode.
2010-10-04 14:42:12: INFO:  Received Vendor ID: DPD
2010-10-04 14:42:14: ERROR:  Phase 1 negotiation failed due to time up for[500]. b43474085f0471b9:03022b503977fbba
2010-10-04 14:42:14: INFO:  Received Malformed packet of payload length 55242 and total length 72.
2010-10-04 14:42:15: INFO:  Received Malformed packet of payload length 25961 and total length 72.
2010-10-04 14:42:19: INFO:  Received Malformed packet of payload length 25961 and total length 72.

What does this mean?



I have some problems with authentication into FWSM, if i try to do from CLI through of Catalyts 6509, this happens:

509_CORE_A#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying ... Open

User Access Verification

Type help or '?' for a list of available commands.
FWSM-A> ena
Command authorization failed

Any idea??

Ummm It's seem to be aaa authorization command CONSOLE that point to Radius or TACACS server. Do you have correct persmissions to be on "enable mode"?

Good luck


     Depending on the FWSM version and configuration there are different ways to control the AAA when sessioning down from the chassis...

- If you are in single mode, you can control the sessioning to the module with 'aaa authentication telnet console xxx' line

- If you are in multiple mode running code 3.2 or later, you can control the authentication used for sessions by using the 'aaa authentication telnet console xxx' in the *admin* context.

- If you are in multiple mode running code earlier than 3.2, you may be a bit out of luck.

If you are in multiple mode and running 3.2 or later, do not use the 'enable' command after logging in, instead use the 'login' command. That will allow you to keep the authenticated username as you transition between contexts.

- Magnus

Mhon Baul

Hi Magnus,

I have some few questions regarding ASA and FWSM:

- I know that multicast is not supported when running in multi-context mode, but is there a workaround or road map to support this feature?

- i want to implement fwsm in separating DC, inside users,dmz, customers, outside network from each other. what mode that you recommend to use if i use multicast for all this network?

- is it true that ASA 5580 has greater functionality than fwsm?

-can VSS w/ FWSM support multi-context mode?

thanks in advanced!




Hi Magnus,

how can I configure a pix Version 8.0(4) to NOT block the LAND ATTACK ?

pix# sh log | i

Oct 07 2010 15:47:31: %PIX-2-106017: Deny IP due to Land Attack from to

Oct 07 2010 15:47:31: %PIX-6-302014: Teardown TCP connection 1264706965 for outside: to inside: duration 0:00:00 bytes 0 looping-address

I've already disable the signature 1102

pix# sh run | i audit

ip audit signature 1102 disable


but the drop continue ....

pix# sh log | i

Oct 07 2010 15:50:22: %PIX-2-106017: Deny IP due to Land Attack from to

Oct 07 2010 15:50:22: %PIX-6-302014: Teardown TCP connection 1264706965 for outside: to inside: duration 0:00:00 bytes 0 looping-address

I think (as I have caputerd all the traffic inside and outside interfaces and I can't see any src-dst same IP) the problem is pix bug

The questions are:

- how I can DISABLE on the pix the "Deny IP due to Land Attack" ?

- is the following the correct command do disable the LAND ATTACK "ip audit signature 1102 disable" ?

- how can i capture ONLY the ASP DROP packets ?


Roberto Taccon


I have a question about NAT on ASA's.

There are three interfaces on the ASA: inside, DMZ, & outside

Two static NAT's already existed:

static (inside,outside) netmask
static (inside,DMZ) netmask

When we tried to add a new NAT statement, we got an error:

ASA(config)# static (DMZ,outside) netmask
WARNING: mapped-address conflict with existing static
  inside: to outside: netmask

Why did we get this error/warning?

Is it just cosmetic, and NAT would still work properly, or should we change our configuration?

We have a bunch of 10.x.x.x subnets on the inside network, which is why we had to "summarize" it as

We utilize in our DMZ, and want to make some of the devices accessible by devices on our external edge network, thus the DMZ to outside nat.

We want to achieve this w/o having to NAT to different external IP's, which is why we're doing the NAT this way.